IETF Logo Mail Archive

Re: [OAUTH-WG] Using OAuth to get a JWT/SAML token

Justin Richer <jricher@mitre.org> Fri, 20 April 2012 14:34 UTC

Return-Path: <jricher@mitre.org>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 07EA521F8771 for <oauth@ietfa.amsl.com>; Fri, 20 Apr 2012 07:34:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.319
X-Spam-Level:
X-Spam-Status: No, score=-6.319 tagged_above=-999 required=5 tests=[AWL=-0.279, BAYES_00=-2.599, DC_PNG_UNO_LARGO=0.558, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jHmi2OEEXIq2 for <oauth@ietfa.amsl.com>; Fri, 20 Apr 2012 07:34:29 -0700 (PDT)
Received: from smtpksrv1.mitre.org (smtpksrv1.mitre.org [198.49.146.77]) by ietfa.amsl.com (Postfix) with ESMTP id 819E121F875E for <oauth@ietf.org>; Fri, 20 Apr 2012 07:34:28 -0700 (PDT)
Received: from smtpksrv1.mitre.org (localhost.localdomain [127.0.0.1]) by localhost (Postfix) with SMTP id 4359721B17DE; Fri, 20 Apr 2012 10:34:25 -0400 (EDT)
Received: from IMCCAS04.MITRE.ORG (imccas04.mitre.org [129.83.29.81]) by smtpksrv1.mitre.org (Postfix) with ESMTP id 357AB21B0019; Fri, 20 Apr 2012 10:34:25 -0400 (EDT)
Received: from [129.83.50.12] (129.83.31.51) by IMCCAS04.MITRE.ORG (129.83.29.81) with Microsoft SMTP Server (TLS) id 14.2.283.3; Fri, 20 Apr 2012 10:34:24 -0400
Message-ID: <4F9173C8.9030808@mitre.org>
Date: Fri, 20 Apr 2012 10:33:44 -0400
From: Justin Richer <jricher@mitre.org>
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:11.0) Gecko/20120310 Thunderbird/11.0
MIME-Version: 1.0
To: Lewis Adam-CAL022 <Adam.Lewis@motorolasolutions.com>
References: <59E470B10C4630419ED717AC79FCF9A906E74E@CH1PRD0410MB369.namprd04.prod.outlook.com> <4F885680.5090801@mitre.org> <59E470B10C4630419ED717AC79FCF9A9090519@CH1PRD0410MB369.namprd04.prod.outlook.com>
In-Reply-To: <59E470B10C4630419ED717AC79FCF9A9090519@CH1PRD0410MB369.namprd04.prod.outlook.com>
Content-Type: multipart/mixed; boundary="------------030309090505030906050601"
X-Originating-IP: [129.83.31.51]
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Using OAuth to get a JWT/SAML token
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 20 Apr 2012 14:34:32 -0000

It's a difference between the front channel and the back channel. See 
attached diagram for a very high level overview that I've used in a few 
talks.

The browser is for flows where you need the user and their 
authentication present in order to make the connection, such as the 
authz code or implicit flows. The idea is that you, as the client, fire 
off a web browser to send the user over to the authorization endpoint 
directly, where they authenticate with the authorization server using 
whatever mechanism they can. This lets you use two factor, certificates, 
openid, username/password, whatever. The client doesn't have to support 
or see any of this because it's all happening in a browser between the 
user and the authorization server, which probably already has a direct 
user log in mechanism it has access to.

As has been pointed out, you can do OAuth2 without involving the front 
channel at all by using the client credentials, resource owner 
credentials, or assertion flows. None of these sound like they fit what 
you want to do, though. And it's trivial to pop open a browser in most 
platforms; the trick has historically been getting the callback from the 
site, which is less of a problem on mobile platforms.

Side note, OAuth is not really RESTful, but its tokens are easily 
compatible with RESTful APIs.

  -- Justin

On 04/19/2012 05:37 PM, Lewis Adam-CAL022 wrote:
>
> Hi Justin,
>
> There is one thing I have not understood about the whole external 
> browser vs. embedded browser guidance ... and that is, why is **any** 
> browser needed?  Java for example has an HTTP library, and OAuth is 
> RESTful.  So why is it necessary to require the web browser at all, 
> whether external or embedded?  Why can't my native client make RESTful 
> API calls to the AS and RS natively?
>
> Tx!
>
> adam
>
> *From:*Justin Richer [mailto:jricher@mitre.org]
> *Sent:* Friday, April 13, 2012 11:38 AM
> *To:* Lewis Adam-CAL022
> *Cc:* oauth@ietf.org
> *Subject:* Re: [OAUTH-WG] Using OAuth to get a JWT/SAML token
>
> If the mobile device has a web browser (such as a smart phone), then 
> this is pretty easy, and you've got a couple of options.
>
> One of the best options when the token is on behalf of an end user is, 
> in my opinion, to use the authorization code flow like this: First, 
> register what's called a "public client" with your server -- so you'll 
> get an ID but not a client secret. With that client ID, register a 
> custom-scheme callback URI, like "myapp://oauthcallback", and register 
> your app on the device as the handler for "myapp".
>
> In your application, to start things off, you fire off a web browser 
> to the authorization server's authorization endpoint. The user logs in 
> to the authorization server through the web browser, approves this 
> copy of your app, and gets redirected to 
> "myapp://oauthcallback?code=basdf132". Your app grabs the "myapp://" 
> url and plucks the authorization code off the end of it. Your app then 
> takes that code and sends it in the background to the token endpoint 
> to exchange for a token.
>
> Some key points:
>
> 1) You need to have access to a web browser on the platform, and it's 
> considered best practice to push the user to the external browser 
> application on the platform instead of embedding one. There are a 
> couple paragraphs in the spec's security considerations section that 
> talk about this.
> 2) Your app is "public" because you can't publish it with a secret at 
> configuration time. It can, however, keep the tokens secret at runtime.
> 3) You need to be very careful with how you store the tokens on the 
> device -- they need to be in a trusted space where other apps on the 
> device can't sniff them out.
> 4) Another app can try to register "myapp://" and intercept your code 
> on the way through, so make sure your codes are all one time use and 
> short lived.
>
> None of this is just theoretically possible, people are doing it 
> today. What libraries and stuff you'd be after depends wholly on your 
> platform (both server and client side).
>
>  -- Justin
>
> On 04/12/2012 03:01 PM, Lewis Adam-CAL022 wrote:
>
> Hi all,
>
> I've been talking to some of you off line about this already, but I 
> need some help in terms of implementation.  I would like to use OAuth 
> as a means to get either a JWT or SAML token to a client running on a 
> handheld device.  This is something that I'm looking to prototype (as 
> part of a larger project) beginning this week.  So, it is important to 
> me to understand the divide between what is theoretically possible and 
> what is actually possible.
>
> Anybody aware of any implementations out there, either vendor or open 
> source, that I can use for this?
>
> Tx!
> adam
>
>
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org  <mailto:OAuth@ietf.org>
> https://www.ietf.org/mailman/listinfo/oauth
>

v2.23.0 | Report a Bug | By Email