Re: [OAUTH-WG] OBO Flow

CARLIER Bertrand <Bertrand.CARLIER@wavestone.com> Fri, 30 August 2019 12:57 UTC

From: CARLIER Bertrand <Bertrand.CARLIER@wavestone.com>
To: Lee McGovern <Lee_McGovern@swissre.com>, "oauth@ietf.org" <oauth@ietf.org>
Date: Fri, 30 Aug 2019 12:56:55 +0000
Message-ID: <DB8PR03MB609275BEAD0C2DC39F50986887BD0@DB8PR03MB6092.eurprd03.prod.outlook.com>
References: <3a0d6d1dd94240b9ad1e1f53dd7fe417@CHRP5009.corp.gwpnet.com>
In-Reply-To: <3a0d6d1dd94240b9ad1e1f53dd7fe417@CHRP5009.corp.gwpnet.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/3bTIlUX4K0V1YFItj2qvNpS2I_A>

Hello,

I'm actually very curious as well about this and the reasons for the differences between the implementation and the current draft (grant_type value, parameters, etc.).

Was this discussed somewhere already?

Regards,
--
Bertrand CARLIER


From: OAuth <oauth-bounces@ietf.org> On Behalf Of Lee McGovern
Sent: Monday, 8 July 2019 10:25
To: oauth@ietf.org
Subject: [OAUTH-WG] OBO Flow

Does it appear strange that Microsoft have called their token exchange flow implementation (https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-on-behalf-of-flow) On-Behalf-Of flow? I was under the impression that delegation was the core use case for OAuth development, i.e. when Yelp wants access to your Google contacts a scope is defined and consent is granted for that client to act on your behalf...

Best,

Lee McGovern | IAM Architect | Lee_McGovern@swissre.com

This e-mail, including attachments, is intended for the person(s) or company named and may contain confidential and/or legally privileged information.
Unauthorized disclosure, copying or use of this information may be unlawful and is prohibited. If you are not the intended recipient, please delete this message and notify the sender.
All incoming and outgoing e-mail messages are stored in the Swiss Re Electronic Message Repository.
If you do not wish the retention of potentially private e-mails by Swiss Re, we strongly advise you not to use the Swiss Re e-mail account for any private, non-business related communications.
The information transmitted in the present email including the attachment is intended only for the person to whom or entity to which it is addressed and may contain confidential and/or privileged material. Any review, retransmission, dissemination or other use of, or taking of any action in reliance upon this information by persons or entities other than the intended recipient is prohibited. If you received this in error, please contact the sender and delete all copies of the material.

This message and any documents attached to it are confidential and sent solely for the attention of its addressee. Any modification, editing, use or distribution by any person or entity other than the addressee is prohibited. If you have received this message in error, please inform us immediately and delete it together with any attached documents.
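The differences Bertrand asks about (grant_type value and parameter names) are easiest to see side by side. The following is an added example, not part of this thread or of any Microsoft or IETF artefact: it builds the form body of the Microsoft On-Behalf-Of request as documented at the URL Lee cites, and the form body of a delegation request as specified in draft-ietf-oauth-token-exchange (published as RFC 8693), for the same case of a middle-tier API holding a user's access token and wanting a token for a downstream API. It then diffs the two parameter sets and walks the nested `act` claim that a token-exchange-issued token carries to record the delegation chain. The token strings, client identifiers, scope and audience values are constructed placeholders; the token endpoint URL and client authentication method are deliberately left out, since the draft leaves client authentication to RFC 6749 rather than defining form parameters for it.

```python
"""Side-by-side comparison of the Microsoft On-Behalf-Of (OBO) token request
and a draft-ietf-oauth-token-exchange delegation request.

Added illustration only: the parameter names come from the public OBO
documentation and the token-exchange draft; every value below is a
constructed placeholder, not real credential material."""

from urllib.parse import urlencode

# Grant type URNs. The OBO flow reuses the JWT bearer grant URN from RFC 7523
# and adds its own requested_token_use parameter; the token-exchange draft
# defines a dedicated grant type and token-type URNs instead.
JWT_BEARER_GRANT = "urn:ietf:params:oauth:grant-type:jwt-bearer"
TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"
ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token"


def build_obo_request(client_id, client_secret, user_access_token, scope):
    """Form parameters of a Microsoft v2 endpoint OBO request.

    The user's token travels in `assertion`; the middle tier authenticates
    with client_id/client_secret inside the same form body."""
    return {
        "grant_type": JWT_BEARER_GRANT,
        "client_id": client_id,
        "client_secret": client_secret,
        "assertion": user_access_token,
        "scope": scope,
        "requested_token_use": "on_behalf_of",
    }


def build_token_exchange_request(user_access_token, middle_tier_token, audience, scope):
    """Form parameters of a token-exchange request for delegation.

    The user's token is the subject_token; the middle tier's own token is the
    actor_token, which is what turns the request into delegation rather than
    impersonation. Client authentication is not modelled here (RFC 6749)."""
    params = {
        "grant_type": TOKEN_EXCHANGE_GRANT,
        "subject_token": user_access_token,
        "subject_token_type": ACCESS_TOKEN_TYPE,
        "audience": audience,
        "scope": scope,
        "requested_token_type": ACCESS_TOKEN_TYPE,
    }
    if middle_tier_token is not None:
        params["actor_token"] = middle_tier_token
        params["actor_token_type"] = ACCESS_TOKEN_TYPE
    return params


def parameter_diff(obo, exchange):
    """Return (only_in_obo, only_in_exchange, shared_but_different) parameter names."""
    only_obo = sorted(set(obo) - set(exchange))
    only_exchange = sorted(set(exchange) - set(obo))
    differing = sorted(k for k in set(obo) & set(exchange) if obo[k] != exchange[k])
    return only_obo, only_exchange, differing


def encode_body(params):
    """application/x-www-form-urlencoded body for either request."""
    return urlencode(params)


def delegation_chain(claims):
    """Walk the nested `act` claims of a token-exchange-issued JWT payload.

    Returns actor subjects outermost first, i.e. the current actor, then the
    party it obtained its token from, and so on. An OBO-issued token has no
    such claim; the middle tier appears only as the token's client identity."""
    chain = []
    act = claims.get("act")
    while isinstance(act, dict):
        chain.append(act.get("sub"))
        act = act.get("act")
    return chain


if __name__ == "__main__":
    # Constructed placeholders, not real tokens or credentials.
    user_token = "eyJ.user-access-token.placeholder"
    api_a_token = "eyJ.middle-tier-token.placeholder"
    obo = build_obo_request("api-a-client-id", "api-a-secret", user_token, "api://api-b/.default")
    exch = build_token_exchange_request(user_token, api_a_token, "api://api-b", "read")
    only_obo, only_exch, differing = parameter_diff(obo, exch)
    print("only in OBO:        ", only_obo)
    print("only in exchange:   ", only_exch)
    print("shared but different:", differing)
    # Constructed payload of a token issued by a token-exchange server after
    # api-b forwarded the user's token on to api-c via api-a.
    print(delegation_chain({"sub": "user@example.test",
                            "act": {"sub": "api-b", "act": {"sub": "api-a"}}}))
```

The diff output is the concrete answer to the question in the thread: the two requests share only `grant_type` and `scope`, and `grant_type` itself differs. What the draft expresses through `actor_token` and records in the issued token's `act` claim, the Microsoft flow expresses through `requested_token_use=on_behalf_of` plus the client credentials of the caller, so a downstream API validating an OBO token cannot read the delegation chain out of the token the way it can with a token-exchange-issued one.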