IETF Logo Mail Archive

Re: [OAUTH-WG] Autonomous clients and resource owners (editorial)

"Foiles, Doug" <Doug_Foiles@intuit.com> Sun, 02 May 2010 15:42 UTC

Return-Path: <Doug_Foiles@intuit.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 404383A6A34 for <oauth@core3.amsl.com>; Sun, 2 May 2010 08:42:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.192
X-Spam-Level:
X-Spam-Status: No, score=-3.192 tagged_above=-999 required=5 tests=[BAYES_50=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4, SARE_URI_CONS7=0.306, URI_NOVOWEL=0.5]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KqYb9CEVTtYT for <oauth@core3.amsl.com>; Sun, 2 May 2010 08:41:52 -0700 (PDT)
Received: from mail2.intuit.com (mail2.intuit.com [12.149.175.12]) by core3.amsl.com (Postfix) with ESMTP id 378A53A6A1F for <oauth@ietf.org>; Sun, 2 May 2010 08:41:47 -0700 (PDT)
DomainKey-Signature: s=default; d=intuit.com; c=nofws; q=dns; h=X-SBRS:X-IronPort-AV:Received:Received:X-MimeOLE: Content-class:MIME-Version:Content-Type:Subject:Date: Message-ID:In-Reply-To:X-MS-Has-Attach: X-MS-TNEF-Correlator:Thread-Topic:Thread-Index:References: From:To:Return-Path:X-OriginalArrivalTime; b=C8ojNym/R5iHl3L3nUkzBGPrnEClhWtypByqec/bU5fzRqo5Zfs815oJ RfMLrHLTcQxkmHxjoNMlICucP9cJbK6T+OXjbMadZlpoCruVe+/rqTpWk igkEYsDpqM+6nUY;
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=intuit.com; i=Doug_Foiles@intuit.com; q=dns/txt; s=default; t=1272814896; x=1304350896; h=mime-version:subject:date:message-id:in-reply-to: references:from:to; z=MIME-Version:=201.0|Subject:=20RE:=20[OAUTH-WG]=20Autono mous=20clients=20and=20resource=20owners=20(editorial) |Date:=20Sun,=202=20May=202010=2008:41:28=20-0700 |Message-ID:=20<BE42DBBC1969B541915E30C5517382D9047A164D@ SDGEXEVS07.corp.intuit.net>|In-Reply-To:=20<C7FCD375.4675 %cmortimore@salesforce.com>|References:=20<5DEB74B3E9FA57 4EAA911DB8167C559E04425EBE@SDGEXEVS12.corp.intuit.net>=20 <C7FCD375.4675%cmortimore@salesforce.com>|From:=20"Foiles ,=20Doug"=20<Doug_Foiles@intuit.com>|To:=20"OAuth=20WG" =20<oauth@ietf.org>; bh=MhS5cFCJ/YiRLKJ7pRj3sVF+i8GoSgXOYZBEw0tZ5Ko=; b=vrjnl4a2vTFoTWz3PKKEZ51YC4iT2cvA9f7x28ihalJOOjOEYXHGrqKo BYvvvEbBA+eX4miCr7Jwi7+3hI91JEBgiEFg4c49XeTk9ggkYa+vt+zWB FsZCcUB7o3S1B1U;
X-SBRS: None
X-IronPort-AV: E=Sophos; i="4.52,314,1270450800"; d="scan'208,217"; a="181846677"
Received: from sdgexbh03.corp.intuit.net ([172.17.135.77]) by mail2.sdg.ie.intuit.com with ESMTP; 02 May 2010 08:41:30 -0700
Received: from SDGEXEVS07.corp.intuit.net ([172.17.135.182]) by SDGEXBH03.corp.intuit.net with Microsoft SMTPSVC(6.0.3790.3959); Sun, 2 May 2010 08:41:30 -0700
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01CAEA0D.EEB9FDF4"
Date: Sun, 02 May 2010 08:41:28 -0700
Message-ID: <BE42DBBC1969B541915E30C5517382D9047A164D@SDGEXEVS07.corp.intuit.net>
In-Reply-To: <C7FCD375.4675%cmortimore@salesforce.com>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: [OAUTH-WG] Autonomous clients and resource owners (editorial)
Thread-Index: AcrmIscm/BOC6W7iSh+JMT0dgGCAkgAALcx1AAY05pAAC/rNUADksrvw
References: <5DEB74B3E9FA574EAA911DB8167C559E04425EBE@SDGEXEVS12.corp.intuit.net> <C7FCD375.4675%cmortimore@salesforce.com>
From: "Foiles, Doug" <Doug_Foiles@intuit.com>
To: OAuth WG <oauth@ietf.org>
X-OriginalArrivalTime: 02 May 2010 15:41:30.0012 (UTC) FILETIME=[EF1585C0:01CAEA0D]
Subject: Re: [OAUTH-WG] Autonomous clients and resource owners (editorial)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 02 May 2010 15:42:00 -0000

I wanted to poke on the idea of not allowing Refresh Tokens for the
assertion flow.  I personally like the idea discussed here where the
Refresh Token is used across all flows unless it doesn't make sense.
The argument I heard for not including the Refresh Token for the
assertion flow is that the use of Refresh Tokens break the trust
relationship.  It seems the "duration of access" is the key trust
element in question.  The identity of the client and resource owner
(assuming the assertion flow would be made to support this) does not
seem affected.  

 

For the case where a Refresh Token would NOT be used, a timeframe of "X"
would be granted to the generated Access Token.  That Access Token would
only be usable for that "X" period of time.  For the case where a
Refresh Token were supported, the same "X" timeframe would be granted to
the Refresh Token and the timeframe for the actual Access Token would be
less than that.  So in both cases the client would only be able to
access the protected resource for the same "X" timeframe.  Thoughts???

 

And I am wondering if the assertion flow where the client is acting on
behalf of a user is on the list of things to be added???  It was
suggested that this had been discussed previously and might be going to
be added.  And sounds like this would NOT be an autonomous flow from
what I understand, as autonomous flows are strictly for cases where the
client is the same as the resource owner.

 

And I still don't see the corresponding flow in OAuth 2.0 for an OAuth
1.0 - 2 Legged use case where clients are acting on behalf of a resource
owner that is not themselves.  Will there be a flow to support this???
I can actually see how another type of "end user credentials flow" would
work where the credential is something different than the username and
password. 

 

Thanks.

 

Doug

 

 

From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf
Of Chuck Mortimore
Sent: Tuesday, April 27, 2010 5:46 PM
To: Keenan, Bill; OAuth WG
Subject: Re: [OAUTH-WG] Autonomous clients and resource owners
(editorial)

 

Refresh token was explicitly removed from the suggestion I made for
assertion flow.   I'd be curious if others on the list see a need for
it...?

Eran - do you expect to make edits to the assertion flow before pushing
the working group draft?

-cmort



On 4/27/10 12:14 PM, "Keenan, Bill" <Bill_Keenan@intuit.com> wrote:

With Doug in an all day mtg, we have not sync'd on this...so one of us
may respond again on this topic.

I think I am +1 w/ Brian E.

In the flow from SAML gateway to STS to protected resource, I don't see
caching both an access and refresh token as getting me any efficiency.
Certainly, it adds complexity to regression testing.

I appreciate the desire for symmetry on the set of flows...refresh token
seems like a place for asymmetry.

BillK

-----Original Message-----
From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf
Of Chuck Mortimore
Sent: Tuesday, April 27, 2010 9:06 AM
To: Torsten Lodderstedt; Brian Eaton
Cc: Foiles, Doug; OAuth WG
Subject: Re: [OAUTH-WG] Autonomous clients and resource owners
(editorial)

Same here - we don't intend to issue refresh tokens for either of these
flows, and we'll only be accepting 1 time use assertions.

-cmort
________________________________________
From: Torsten Lodderstedt [torsten@lodderstedt.net]
Sent: Tuesday, April 27, 2010 9:00 AM
To: Brian Eaton
Cc: Chuck Mortimore; Foiles, Doug; OAuth WG
Subject: Re: [OAUTH-WG] Autonomous clients and resource owners
(editorial)

returning access token would suffice in this flow, from my point of
view.

regards,
Torsten.


Am 27.04.2010 um 08:33 schrieb Brian Eaton <beaton@google.com>:

> From my perspective, the main thing is that the assertion flow can be
> used to connect existing authentication systems with APIs that are
> using OAuth2 for authorization.
>
> This will let us leverage existing trust relationships across systems.
>
> Note that this breaks, however, if the flow returns a refresh token.
> Refresh tokens are a new trust relationship, and they require
> additional user/administrator involvement to manage.
>
> Cheers,
> Brian
>
> On Mon, Apr 26, 2010 at 10:23 PM, Torsten Lodderstedt
> <torsten@lodderstedt.net> wrote:
>> +1
>>
>> we need the assertion flow for the same purpose. Can we add a
>> variant of the
>> flow to section "End User Credentials Flows"?
>>
>> regards,
>> Torsten.
>>
>> Am 26.04.2010 23:17, schrieb Chuck Mortimore:
>>
>> +1.
>>
>> Our primary use-cases for the assertion flow are for clients acting
>> on
>> behalf of users, and not autonomously.   I believe Eran already has
>> this on
>> his list of feedback when the assertion flow gets edited.
>>
>> We also have need for a 2 legged Oauth model, and are looking at
>> the client
>> credentials flow for exactly that purpose.
>>
>> -cmort
>>
>>
>> On 4/25/10 10:34 AM, "Foiles, Doug" <Doug_Foiles@intuit.com> wrote:
>>
>> I have a bit of confusion on the Autonomous Client Flows ... and spe
>> cifically
>> related to Eve's comment below that suggests to me that the autono
>> mous
>> client is NOT ALWAYS the resource owner.
>>
>> Can the Autonomous Client Flows support clients that ARE NOT the
>> actual
>> resource owner?  For example for an Assertion Flow where the
>> Subject of the
>> SAML assertion is a user identity (and the resource owner) and not
>> that of
>> the client.
>>
>> Is the intent of the Client Credentials Flow to support something
>> like
>> Google's "OAuth for Google Apps domains" 2 Legged OAuth use ca
>> se?
>>  http://code.google.com/apis/accounts/docs/OAuth.html.
>>
>> If the Autonomous Client Flows support clients that can act on
>> behalf a
>> resource owner that is not themselves  ... it then seems the resourc
>> e owner
>> must provide some level of consent outside the OAuth specific flow.
>>
>> Thanks.
>>
>> Doug
>>
>>
>> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On
>> Behalf Of
>> Eve Maler
>> Sent: Friday, April 23, 2010 7:21 AM
>> To: OAuth WG
>> Subject: [OAUTH-WG] Autonomous clients and resource owners
>> (editorial)
>>
>>
>> Regarding the second comment I made below: I realized last night that
>> Sections 3.7.1 and 3.7.2 get this more correct, by saying that an
>> autonomous
>> client represents a "separate resource owner". So Section 2.2
>> definitely
>> needs a slight change, from:
>>
>>
>>
>> "...and autonomous flows where the client is acting for itself (the
>> client
>> is also the resource owner)."
>>
>>
>>
>> to something like:
>>
>>
>>
>> "...and autonomous flows where the client is acting on behalf of a
>> different
>> resource owner."
>>
>>
>>
>> Thanks,
>>
>>
>>
>>             Eve
>>
>>
>>
>> On 21 Apr 2010, at 4:43 PM, Eve Maler wrote:
>>
>>
>> Tacking this response to the end of the thread for lack of a better
>> place to
>> do it: The name "username" seems not quite apt in the case of an
>> autonomous
>> client that isn't representing an end-user. Would "identifier" be
>> better?
>> (Actually, it sort of reminds me of SAML's "SessionIndex"...) Or
>> would the
>> parameter be reserved for user-delegation flows?
>>
>>
>>
>> Speaking of autonomous clients, Section 2.2 -- among possibly other
>> places
>> -- states that an autonomous client is also the resource owner, but
>> that's
>> not always the case, is it? The client might be seeking access on
>> behalf of
>> itself. (FWIW, I made roughly this same comment on David's first
>> draft on
>> March 21, and he agreed with my suggested fix at the time.)
>>
>>
>>
>>             Eve
>>
>>
>>
>> Eve Maler
>>
>> eve@xmlgrrl.com
>>
>> http://www.xmlgrrl.com/blog
>>
>>
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>>
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>>
>>
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email