Re: [OAUTH-WG] Status of draft-tschofenig-oauth-audience
Mike Jones <Michael.Jones@microsoft.com> Wed, 20 January 2016 22:54 UTC
Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BFC791A9127 for <oauth@ietfa.amsl.com>; Wed, 20 Jan 2016 14:54:41 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TIe52HfxfiUq for <oauth@ietfa.amsl.com>; Wed, 20 Jan 2016 14:54:38 -0800 (PST)
Received: from na01-by2-obe.outbound.protection.outlook.com (mail-by2on0110.outbound.protection.outlook.com [207.46.100.110]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 39FA71A6FF9 for <oauth@ietf.org>; Wed, 20 Jan 2016 14:54:38 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=selector1; h=From:To:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=RYSe+5fxXfS6+3aLZlI+s9bJ8F9wSCQSUA4ShJIpc+I=; b=cfMibeQM4ExxbL3X74c3+ZvEtd/ZPrb9DFUtPLwFndyCYyka3TRgx0aBHYiv9Qip+CE64h1HINbiQCzFkcWtszOuwcAz1BKWOgUkgJshqN68agYt/ODubdfGa7B9nvQjQsl0krcJYNO13LlAkFeHoKc+ZJZQt1nwrDQb7mDsy3k=
Received: from BY2PR03MB442.namprd03.prod.outlook.com (10.141.141.145) by BY2PR03MB444.namprd03.prod.outlook.com (10.141.141.154) with Microsoft SMTP Server (TLS) id 15.1.365.19; Wed, 20 Jan 2016 22:54:36 +0000
Received: from BY2PR03MB442.namprd03.prod.outlook.com ([10.141.141.145]) by BY2PR03MB442.namprd03.prod.outlook.com ([10.141.141.145]) with mapi id 15.01.0365.024; Wed, 20 Jan 2016 22:54:36 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: Nat Sakimura <sakimura@gmail.com>, John Bradley <ve7jtb@ve7jtb.com>
Thread-Topic: [OAUTH-WG] Status of draft-tschofenig-oauth-audience
Thread-Index: AQHRU2z5bd5WDYhJ/0CRjTQN4ztm9p8EdoyAgACDlICAAAE0AIAAATiAgAAFoICAAAGIMA==
Date: Wed, 20 Jan 2016 22:54:35 +0000
Message-ID: <BY2PR03MB4422AFC1970EE19564F6046F5C20@BY2PR03MB442.namprd03.prod.outlook.com>
References: <CA+k3eCSpWFwyvk=XHP4b_zxzu-zrMYsS-axF6csO90-ahmkueQ@mail.gmail.com> <BY2PR03MB4423033D5604E9E36B20C23F5CA0@BY2PR03MB442.namprd03.prod.outlook.com> <5CA9073D-BBF7-48BD-BEC5-1F626E8C3818@mit.edu> <8EB68572-DA59-482D-A660-FA6D9848AAD2@oracle.com> <ade5692aa1afa2d9d79b8ac7a55bf150@lodderstedt.net> <5698CB3D.1030306@gmail.com> <69B0E23E-818A-4FE4-81A0-A8106EB6C312@ve7jtb.com> <5698F885.3030009@gmail.com> <569A69A5.7020006@connect2id.com> <A1C1786C-BE13-4D0F-9541-BEAE4DB8F284@mit.edu> <569ABB30.9060703@gmail.com> <569D0AE6.3060708@mit.edu> <569D0E86.60908@gmail.com> <569D1297.2000805@mit.edu> <569D1631.4030705@gmail.com> <569E1804.8010803@gmail.com> <569F60B3.3030501@gmail.com> <569F9955.9030001@gmx.net> <CA+k3eCTzX+DkuEzb5XdTxtouOgkdMfZxp=Ue4ZvDJLf0wCFdPA@mail.gmail.com> <BY2PR03MB442A47609A3B5AD87169294F5C20@BY2PR03MB442.namprd03.prod.outlook.com> <1D483C18-6103-4197-9AF0-D4FD80E8F17E@ve7jtb.com> <CABzCy2BZvvqZxmEGdf1b61Ra52W2jo-vak1gEHQ0_KhKg3aBNA@mail.gmail.com>
In-Reply-To: <CABzCy2BZvvqZxmEGdf1b61Ra52W2jo-vak1gEHQ0_KhKg3aBNA@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=Michael.Jones@microsoft.com;
x-originating-ip: [2001:4898:80e8:2::37e]
x-ms-office365-filtering-correlation-id: 20d80258-4eb7-4724-bf7c-08d321ecab58
x-microsoft-exchange-diagnostics: 1; BY2PR03MB444; 5:Iuf9djnO+qhF5zQzAyNo4U9/oIg/TZ5RvcQKSdHlWuJwNS1ubKh0Tvj4C5pSTQcVFqfNLzRHO6hzTVX5kOZfe2MND5y27x+bBcR8IkhkdK2q/x0FRwvlJAeV2CQfbkPiElgw9E8AH0c1Ee3s8YtXcQ==; 24:+m28ea0Ppp1NoVdsWQNvISZmtd7PplJ7fgKWpMjNTF62hINb8OAtUWDC1nAYagcSXodBZMz2HLQMFHyJp8RWiDIchHNlPSPJI07X2kj6GOA=
x-exchange-antispam-report-test: UriScan:; BCL:0; PCL:0; RULEID:; SRVR:BY2PR03MB444; UriScan:;
x-microsoft-antispam-prvs: <BY2PR03MB444CBD01DD800AEE762D5ECF5C20@BY2PR03MB444.namprd03.prod.outlook.com>
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(61425038)(601004)(2401047)(520078)(8121501046)(5005006)(3002001)(10201501046)(61426038)(61427038); SRVR:BY2PR03MB444; BCL:0; PCL:0; RULEID:; SRVR:BY2PR03MB444;
x-forefront-prvs: 0827D7ACB9
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(24454002)(164054003)(189002)(377454003)(199003)(479174004)(87936001)(15975445007)(92566002)(106116001)(54356999)(19617315012)(105586002)(19580405001)(5004730100002)(106356001)(8990500004)(5008740100001)(10090500001)(5001960100002)(19609705001)(11100500001)(4326007)(2906002)(77096005)(5002640100001)(790700001)(1096002)(50986999)(19625215002)(76176999)(97736004)(10400500002)(19580395003)(102836003)(99286002)(586003)(2950100001)(10290500002)(33656002)(81156007)(122556002)(5005710100001)(16236675004)(40100003)(1220700001)(6116002)(101416001)(2900100001)(93886004)(5001770100001)(189998001)(19300405004)(5003600100002)(86612001)(86362001)(76576001)(74316001)(230783001)(3826002); DIR:OUT; SFP:1102; SCL:1; SRVR:BY2PR03MB444; H:BY2PR03MB442.namprd03.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords; MX:1; A:1; LANG:en;
received-spf: None (protection.outlook.com: microsoft.com does not designate permitted sender hosts)
spamdiagnosticoutput: 1:23
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_BY2PR03MB4422AFC1970EE19564F6046F5C20BY2PR03MB442namprd_"
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-originalarrivaltime: 20 Jan 2016 22:54:35.8215 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BY2PR03MB444
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/0Zao5Ctcpol6HBXj5_gRvIhqUyE>
Cc: oauth <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Status of draft-tschofenig-oauth-audience
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 Jan 2016 22:54:41 -0000
That doesn’t always work when there’s multiple resource servers that the authorization server could authorize access to. Whereas, the client does know what it’s trying to access, or it wouldn’t be making the authorization request in the first place. It’s fine for the client to tell the server what it wants access to. -- Mike From: Nat Sakimura [mailto:sakimura@gmail.com] Sent: Wednesday, January 20, 2016 2:47 PM To: John Bradley; Mike Jones Cc: oauth Subject: Re: [OAUTH-WG] Status of draft-tschofenig-oauth-audience +1 Also, I have always thought that it would be good if one could ask for a particular resource type, and the server could respond with the actual location of it with the associated access token. This is because it is often undesirable to tell the client the location of the resource before the authorization from the privacy point of view. So, the processing flow in this case will be: 1. The client request an access to the resource type in the scope of the authorization request. 2. The client request an access token to the resource type to the token endpoint with audience/resource/scope parameter. 3. The token endpoint responds with token response with oauth-meta header indicating the URL of the resource as in draft-sakimura-oauth-meta. Best, Nat 2016年1月21日(木) 7:27 John Bradley <ve7jtb@ve7jtb.com<mailto:ve7jtb@ve7jtb.com>>: +1 On Jan 20, 2016, at 7:25 PM, Mike Jones <Michael.Jones@microsoft.com<mailto:Michael.Jones@microsoft.com>> wrote: As mentioned in Prague, Azure Active Directory uses a “resource” request parameter to supply the URL of the resource server that the access token is intended for. However, I believe that Google uses scope values for this and some Microsoft services are moving towards using scope values as well. Sorting this out soon would be good. -- Mike From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of Brian Campbell Sent: Wednesday, January 20, 2016 2:18 PM To: Hannes Tschofenig Cc: oauth Subject: Re: [OAUTH-WG] Status of draft-tschofenig-oauth-audience There does seem to be a need to provide the client a means of telling the AS the place(s) and/or entity(s) where it intends to use the token it's asking for. And that it's common enough to warrant it's own small spec. This has come up several times before and I think has some consensus behind doing it. What needs to happen to move forward? The concept shows up in these three different drafts (that I know of anyway): https://tools.ietf.org/html/draft-tschofenig-oauth-audience-00#section-3 has an audience parameter https://tools.ietf.org/html/draft-ietf-oauth-pop-key-distribution-02#section-3 has an aud parameter http://tools.ietf.org/html/draft-ietf-oauth-token-exchange-03#section-2.1 has both an audience and a resource resource All the above apply only to the token request. However, there are ways of requesting/obtaining access tokens that don't involve the token endpoint<https://tools.ietf.org/html/rfc6749#section-4.2> so I think it follows that the same facility should be available for the authorization request too. On Wed, Jan 20, 2016 at 7:27 AM, Hannes Tschofenig <hannes.tschofenig@gmx.net<mailto:hannes.tschofenig@gmx.net>> wrote: Hi Sergey, that's a good question. After this document was published the functionality had been integrated into the PoP solution document. Recently, I got feedback that the functionality should be more generic and it is independent of the PoP work. So, I guess it is a good time to discuss the needed functionality and where it should be included. Ciao Hannes On 01/20/2016 11:25 AM, Sergey Beryozkin wrote: > Hi > > Given that the draft-tschofenig-oauth-audience [1] has expired, I'm > wondering if it is still relevant. > > I know the token introspection response can provide the audience > value(s), but the question is really how a client is associated with a a > given audience in the first place. As such [1] may still make sense, for > example, I can think of two options: > 1. the client audiences are set out of band during the client > registration time and all the tokens issued to that client will be > restricted accordingly > 2. the client is requesting a specific audience during the grant to > token exchange as per [1] > > I guess 1. is how it is done in practice or is 2. is also a valid option ? > > > Thanks, Sergey > > > [1] https://tools.ietf.org/html/draft-tschofenig-oauth-audience-00 > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org<mailto:OAuth@ietf.org> > https://www.ietf.org/mailman/listinfo/oauth _______________________________________________ OAuth mailing list OAuth@ietf.org<mailto:OAuth@ietf.org> https://www.ietf.org/mailman/listinfo/oauth _______________________________________________ OAuth mailing list OAuth@ietf.org<mailto:OAuth@ietf.org> https://www.ietf.org/mailman/listinfo/oauth _______________________________________________ OAuth mailing list OAuth@ietf.org<mailto:OAuth@ietf.org> https://www.ietf.org/mailman/listinfo/oauth
- [OAUTH-WG] Mix-Up About The Mix-Up Mitigation Brian Campbell
- Re: [OAUTH-WG] Mix-Up About The Mix-Up Mitigation Mike Jones
- Re: [OAUTH-WG] Mix-Up About The Mix-Up Mitigation Justin Richer
- Re: [OAUTH-WG] Mix-Up About The Mix-Up Mitigation Phil Hunt (IDM)
- Re: [OAUTH-WG] Mix-Up About The Mix-Up Mitigation torsten
- Re: [OAUTH-WG] Mix-Up About The Mix-Up Mitigation Brian Campbell
- Re: [OAUTH-WG] Mix-Up About The Mix-Up Mitigation Bill Mills
- Re: [OAUTH-WG] Mix-Up About The Mix-Up Mitigation Antonio Sanso
- [OAUTH-WG] Question about RFC 7622 (Token Introsp… Sergey Beryozkin
- Re: [OAUTH-WG] Question about RFC 7622 (Token Int… John Bradley
- Re: [OAUTH-WG] Question about RFC 7622 (Token Int… Sergey Beryozkin
- Re: [OAUTH-WG] Question about RFC 7622 (Token Int… Buhake Sindi
- Re: [OAUTH-WG] Question about RFC 7622 (Token Int… Sergey Beryozkin
- Re: [OAUTH-WG] Question about RFC 7622 (Token Int… Buhake Sindi
- Re: [OAUTH-WG] Question about RFC 7622 (Token Int… John Bradley
- Re: [OAUTH-WG] Question about RFC 7622 (Token Int… Vladimir Dzhuvinov
- Re: [OAUTH-WG] Question about RFC 7622 (Token Int… Justin Richer
- Re: [OAUTH-WG] Question about RFC 7622 (Token Int… Sergey Beryozkin
- Re: [OAUTH-WG] Question about RFC 7622 (Token Int… Sergey Beryozkin
- [OAUTH-WG] Status of draft-tschofenig-oauth-audie… Sergey Beryozkin
- Re: [OAUTH-WG] Status of draft-tschofenig-oauth-a… Hannes Tschofenig
- Re: [OAUTH-WG] Mix-Up About The Mix-Up Mitigation Roland Hedberg
- Re: [OAUTH-WG] Status of draft-tschofenig-oauth-a… Brian Campbell
- Re: [OAUTH-WG] Status of draft-tschofenig-oauth-a… Mike Jones
- Re: [OAUTH-WG] Status of draft-tschofenig-oauth-a… John Bradley
- Re: [OAUTH-WG] Status of draft-tschofenig-oauth-a… Nat Sakimura
- Re: [OAUTH-WG] Status of draft-tschofenig-oauth-a… Mike Jones
- Re: [OAUTH-WG] Status of draft-tschofenig-oauth-a… John Bradley
- Re: [OAUTH-WG] Status of draft-tschofenig-oauth-a… Mike Jones
- Re: [OAUTH-WG] Status of draft-tschofenig-oauth-a… Nat Sakimura
- Re: [OAUTH-WG] Status of draft-tschofenig-oauth-a… Sergey Beryozkin
- Re: [OAUTH-WG] Status of draft-tschofenig-oauth-a… Sergey Beryozkin