Re: [OAUTH-WG] Indicating sites where a token is valid
David Recordon <recordond@gmail.com> Tue, 11 May 2010 03:45 UTC
Date: Mon, 10 May 2010 20:45:36 -0700
Message-ID: <AANLkTincDcuhYhLtNnU4rjtr0P1356raGkSCBCIRZdST@mail.gmail.com>
From: David Recordon <recordond@gmail.com>
To: Eran Hammer-Lahav <eran@hueniverse.com>
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Indicating sites where a token is valid
If the sites parameter is not specified, would it default to the domain of the authorization server? If it is specified, then the valid sites are what is explicitly listed. Wildcards would only be supported for subdomains and it would be assumed that any resource on that domain is valid. Thus with the user endpoint being https://graph.facebook.com/oauth/authorize:

1) no sites parameter means the access token is only valid on https://graph.facebook.com/*
2) sites key with a value of ["https://graph.facebook.com/"] means that the access token is only valid on https://graph.facebook.com/*
3) sites key with a value of ["https://*.facebook.com/"] means that https://graph.facebook.com/* and https://www.facebook.com/* would both be valid (among other subdomains)
4) sites key with a value of ["https://graph.facebook.com/", "https://api.facebook.com/"] means that only https://graph.facebook.com/* and https://api.facebook.com/* would be valid
5) sites key with a value of ["https://api.facebook.com/"] means that the token isn't valid on https://graph.facebook.com/ even though that's the authorization server

Obviously the sites parameter isn't restricted to being on the same domain, just used it that way for these examples.

Am I understanding the proposal correctly?

Thanks,
--David

On Sun, May 9, 2010 at 2:29 PM, Eran Hammer-Lahav <eran@hueniverse.com> wrote:
> Add some sort of wildcard support and I think this looks good.
>
> EHL
>
> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of
> Manger, James H
> Sent: Thursday, May 06, 2010 4:58 PM
> To: OAuth WG
> Subject: [OAUTH-WG] Indicating sites where a token is valid
>
> The OAuth2 protocol does not indicate where a token can be used.
>
> It needs to do so because if a client app sends a token to the wrong site it
> destroys the security.
>
> I suggest another field in the JSON token response:
>
> "sites": ["https://api.example.com", "http://photo.example.com:8080"]
>
> It would be a list of sites where the token can be used, specified by
> scheme://host[:port].
>
> The default value for the “sites” field could be the token endpoint site (or
> the authorization endpoint site if a token endpoint isn’t used).
>
> For instance, if Facebook’s new API uses https://graph.facebook.com for all
> resources, tokens, and authorizations it could omit the “sites” field.
>
> P.S. I suggested this last month
> http://www.ietf.org/mail-archive/web/oauth/current/msg01920.html, though I
> mixed in additional ideas for formats and media type that are probably best
> covered in their own threads.
>
> --
> James Manger
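The check a client would have to make under this proposal, worked through for the five cases above, as an added example that is not code from the thread or from any OAuth implementation. It assumes the rules the messages sketch but do not specify: a "sites" entry is scheme://host[:port] (James's format), a leading "*." matches subdomains only (David's reading of Eran's wildcard), the path is ignored, and when "sites" is absent the token is confined to the authorization endpoint's own site. The function names and the sample token responses are constructed for the example.

```python
"""Client-side gate for the proposed OAuth2 "sites" field.

Added example, not code from the OAuth WG thread or any library. The matching
rules below are assumptions drawn from the discussion, not a specification.
"""
from urllib.parse import urlsplit

# Default ports so "https://api.example.com" and "https://api.example.com:443"
# name the same site.
DEFAULT_PORTS = {"http": 80, "https": 443}

# The authorization endpoint from David's examples.
AUTHORIZATION_ENDPOINT = "https://graph.facebook.com/oauth/authorize"


def _origin(url):
    """Return (scheme, host, port) for a URL or site string; path is ignored."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    if not scheme or not host or port is None:
        raise ValueError(f"unsupported site or URL: {url!r}")
    return scheme, host, port


def _site_matches(site, scheme, host, port):
    """One "sites" entry against a resource origin.

    Scheme and port must match exactly (an https token is never sent over
    http). A host of "*.example.com" matches any subdomain of example.com but
    not example.com itself (assumption: wildcards cover subdomains only).
    """
    s_scheme, s_host, s_port = _origin(site)
    if s_scheme != scheme or s_port != port:
        return False
    if s_host.startswith("*."):
        suffix = s_host[1:]  # ".example.com"
        return host.endswith(suffix) and len(host) > len(suffix)
    return s_host == host


def effective_sites(token_response, authorization_endpoint):
    """The sites a token may be presented to.

    If the response carries a non-empty "sites" list, that list is
    authoritative; otherwise default to the authorization endpoint's own
    scheme://host:port, as James's proposal suggests.
    """
    sites = token_response.get("sites")
    if sites:
        return list(sites)
    scheme, host, port = _origin(authorization_endpoint)
    return [f"{scheme}://{host}:{port}"]


def token_valid_for(token_response, authorization_endpoint, resource_url):
    """True if the client may attach this token to a request for resource_url."""
    scheme, host, port = _origin(resource_url)
    return any(
        _site_matches(site, scheme, host, port)
        for site in effective_sites(token_response, authorization_endpoint)
    )


if __name__ == "__main__":
    # Walk through David's five cases with constructed token responses.
    cases = [
        ({}, "https://graph.facebook.com/me"),
        ({"sites": ["https://graph.facebook.com/"]}, "https://graph.facebook.com/me"),
        ({"sites": ["https://*.facebook.com/"]}, "https://www.facebook.com/"),
        ({"sites": ["https://graph.facebook.com/", "https://api.facebook.com/"]},
         "https://www.facebook.com/"),
        ({"sites": ["https://api.facebook.com/"]}, "https://graph.facebook.com/"),
    ]
    for n, (resp, url) in enumerate(cases, 1):
        print(n, resp.get("sites", "<absent>"), url,
              "OK" if token_valid_for(resp, AUTHORIZATION_ENDPOINT, url) else "REFUSE")
```

The point of routing every request through `token_valid_for` is the one James makes: the client, not the server, is the party that can stop a token reaching the wrong host, so the list has to be enforced where the request is built. Note that the wildcard match compares the full suffix including the dot, so `evil-facebook.com` does not match `*.facebook.com`, and a scheme or port mismatch is always a refusal.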