Re: [OAUTH-WG] OAuth Digest, Vol 70, Issue 1
Maik Mahn <EasyOnline@gmx.de> Sun, 03 August 2014 09:52 UTC
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/0m9QU_99uNiJZNuGRfgYVEBouMo
sooolooo.mm@gmail.com

On 03.08.2014 11:12, <oauth-request@ietf.org> wrote:
> Send OAuth mailing list submissions to
>     oauth@ietf.org
>
> To subscribe or unsubscribe via the World Wide Web, visit
>     https://www.ietf.org/mailman/listinfo/oauth
> or, via email, send a message with subject or body 'help' to
>     oauth-request@ietf.org
>
> You can reach the person managing the list at
>     oauth-owner@ietf.org
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of OAuth digest..."
>
> Today's Topics:
>
>    1. Bls: OAuth Digest, Vol 69, Issue 134 (Panca Agus Ananda)
>    2. Check out Search for Ebay for BlackBerry (Panca Agus Ananda)
>    3. (no subject) (Panca Agus Ananda)
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Sun, 3 Aug 2014 09:39:20 +0700
> From: Panca Agus Ananda <panca70@outlook.com>
> To: <oauth@ietf.org>
> Subject: [OAUTH-WG] Bls: OAuth Digest, Vol 69, Issue 134
> Message-ID: <BLU406-EAS25E4F6A9D6D0787FC3DA63A6E50@phx.gbl>
> Content-Type: text/plain; charset="utf-8"
>
> Sent from my BlackBerry 10 smartphone on the Telkomsel network.
> From: oauth-request@ietf.org
> Sent: Wednesday, 30 July 2014 03.42
> To: oauth@ietf.org
> Reply-To: oauth@ietf.org
> Subject: OAuth Digest, Vol 69, Issue 134
>
> Today's Topics:
>
>    1. Re: Confirmation: Call for Adoption of "OAuth Token Introspection" as an OAuth Working Group Item (Phil Hunt)
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Tue, 29 Jul 2014 13:41:16 -0700
> From: Phil Hunt <phil.hunt@oracle.com>
> To: Justin Richer <jricher@mitre.org>
> Cc: "oauth@ietf.org" <oauth@ietf.org>
> Subject: Re: [OAUTH-WG] Confirmation: Call for Adoption of "OAuth Token Introspection" as an OAuth Working Group Item
> Message-ID: <620AF4CA-B7F7-487E-A833-3483D2B41B26@oracle.com>
> Content-Type: text/plain; charset="utf-8"
>
> Making everything optional achieves no benefits, you just end up with a complex set of options and no inter op.
>
> We had the same issue with dyn reg.
>
> I prefer to first get agreement on use case.
>
> What are the questions a caller can ask and what form of responses are available.
>
> Should this be limited to authz info or is this a back door for user data and webfinger data?
>
> I would prefer to have agreement on use cases before picking a solution right now.
>
> Phil
>
> > On Jul 29, 2014, at 11:13, Justin Richer <jricher@mitre.org> wrote:
> >
> > Agreed on this point -- which is why the only MTI bit in the individual draft is "active", which is whether or not the token was any good to begin with. There are a set of claims with defined semantics but all are optional, and the list is extensible. I think in practice we'll see people settle on a set of common ones.
> >
> > -- Justin
> >
> >> On 07/29/2014 02:11 PM, Bill Mills wrote:
> >> This is exactly the same problem space as webfinger, you want to know something about a user and there's a useful set of information you might reasonably query, but in the end the server may have its own schema of data it returns. There won't be a single schema that fits all use cases. Any given RS/AS ecosystem may decide they have custom stuff and omit other stuff. I think the more rigid the MTI schema gets the harder the battle in this case.
> >>
> >> On Tuesday, July 29, 2014 2:56 AM, Paul Madsen <paul.madsen@gmail.com> wrote:
> >>
> >> Standardized Introspection will be valuable in NAPPS, where the AS and RS may be in different policy domains.
> >>
> >> Even for single policy domains, there are enterprise scenarios where the RS is from a different vendor than the AS, such as when an API gateway validates tokens issued by an 'IdP'. We've necessarily defined our own introspection endpoint and our gateway partners have implemented it, (at the instruction of the customer in question). But of course it's proprietary to us.
> >>
> >> Paul
> >>
> >> On Jul 28, 2014, at 8:59 PM, Phil Hunt <phil.hunt@oracle.com> wrote:
> >>
> >>> That doesn't explain the need for inter-operability. What you've described is what will be common practice.
> >>>
> >>> It's a great open source technique, but that's not a standard.
> >>>
> >>> JWT is much different. JWT is a foundational specification that describes the construction and parsing of JSON based tokens. There is inter-op with token formats that build on top and there is inter-op between every communicating party.
> >>>
> >>> In OAuth, a site may never implement token introspection nor may it do it the way you describe. Why would that be a problem? Why should the group spend time on something where there may be no inter-op need.
> >>>
> >>> Now that said, if you are in the UMA community. Inter-op is quite foundational. It is very very important. But then maybe the spec should be defined within UMA?
> >>>
> >>> Phil
> >>>
> >>> @independentid
> >>> www.independentid.com
> >>> phil.hunt@oracle.com
> >>>
> >>>> On Jul 28, 2014, at 5:39 PM, Justin Richer <jricher@MIT.EDU> wrote:
> >>>>
> >>>> It's analogous to JWT in many ways: when you've got the AS and the RS separated somehow (different box, different domain, even different software vendor) and you need to communicate a set of information about the approval delegation from the AS (who has the context to know about it) through to the RS (who needs to know about it to make the authorization call). JWT gives us an interoperable way to do this by passing values inside the token itself, introspection gives a way to pass the values by reference via the token as an artifact. The two are complementary, and there are even cases where you'd want to deploy them together.
> >>>>
> >>>> -- Justin
> >>>>
> >>>>> On 7/28/2014 8:11 PM, Phil Hunt wrote:
> >>>>> Could we have some discussion on the interop cases?
> >>>>>
> >>>>> Is it driven by scenarios where AS and resource are separate domains? Or may this be only of interest to specific protocols like UMA?
> >>>>>
> >>>>> From a technique principle, the draft is important and sound. I am just not there yet on the reasons for an interoperable standard.
> >>>>>
> >>>>> Phil
> >>>>>
> >>>>> On Jul 28, 2014, at 17:00, Thomas Broyer <t.broyer@gmail.com> wrote:
> >>>>>
> >>>>>> Yes. This spec is of special interest to the platform we're building for http://www.oasis-eu.org/
> >>>>>>
> >>>>>> On Mon, Jul 28, 2014 at 7:33 PM, Hannes Tschofenig <hannes.tschofenig@gmx.net> wrote:
> >>>>>> Hi all,
> >>>>>>
> >>>>>> during the IETF #90 OAuth WG meeting, there was strong consensus in adopting the "OAuth Token Introspection" (draft-richer-oauth-introspection-06.txt) specification as an OAuth WG work item.
> >>>>>>
> >>>>>> We would now like to verify the outcome of this call for adoption on the OAuth WG mailing list. Here is the link to the document:
> >>>>>> http://datatracker.ietf.org/doc/draft-richer-oauth-introspection/
> >>>>>>
> >>>>>> If you did not hum at the IETF 90 OAuth WG meeting, and have an opinion as to the suitability of adopting this document as a WG work item, please send mail to the OAuth WG list indicating your opinion (Yes/No).
> >>>>>>
> >>>>>> The confirmation call for adoption will last until August 10, 2014. If you have issues/edits/comments on the document, please send these comments along to the list in your response to this Call for Adoption.
> >>>>>>
> >>>>>> Ciao
> >>>>>> Hannes & Derek
> >>>>>>
> >>>>>> _______________________________________________
> >>>>>> OAuth mailing list
> >>>>>> OAuth@ietf.org
> >>>>>> https://www.ietf.org/mailman/listinfo/oauth
> >>>>>>
> >>>>>> --
> >>>>>> Thomas Broyer
> >>>>>> /tɔ.ma.bʁwa.je/
>
> -------------- next part --------------
> An HTML attachment was scrubbed...
> URL: <http://www.ietf.org/mail-archive/web/oauth/attachments/20140729/a437e374/attachment.html>
>
> ------------------------------
>
> End of OAuth Digest, Vol 69, Issue 134
> **************************************
> -------------- next part --------------
> An HTML attachment was scrubbed...
> URL: <http://www.ietf.org/mail-archive/web/oauth/attachments/20140803/c6ce578f/attachment.html>
>
> ------------------------------
>
> Message: 2
> Date: Sun, 3 Aug 2014 13:33:56 +0700
> From: Panca Agus Ananda <panca70@outlook.com>
> To: oauth-request@ietf.org, oauth@ietf.org
> Subject: [OAUTH-WG] Check out Search for Ebay for BlackBerry
> Message-ID: <BLU406-EAS19B8940435C09725EB3020A6E50@phx.gbl>
> Content-Type: text/plain; charset="us-ascii"
>
> An HTML attachment was scrubbed...
> URL: <http://www.ietf.org/mail-archive/web/oauth/attachments/20140803/b9829b72/attachment.html>
>
> ------------------------------
>
> Message: 3
> Date: Sun, 3 Aug 2014 16:12:09 +0700
> From: Panca Agus Ananda <panca70@outlook.com>
> To: OAuth@ietf.org
> Subject: [OAUTH-WG] (no subject)
> Message-ID: <BLU406-EAS24761A8E1E8BA3968366F52A6E50@phx.gbl>
> Content-Type: text/plain; charset="us-ascii"
>
> An HTML attachment was scrubbed...
> URL: <http://www.ietf.org/mail-archive/web/oauth/attachments/20140803/d01ce031/attachment.html>
>
> ------------------------------
>
> End of OAuth Digest, Vol 70, Issue 1
> ************************************
- [OAUTH-WG] OAuth Digest, Vol 70, Issue 1 Panca Agus Ananda
- Re: [OAUTH-WG] OAuth Digest, Vol 70, Issue 1 Maik Mahn
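
The quoted thread states that "active" is the only mandatory-to-implement member of an introspection response and that every other claim is optional. The following is an added example, not code from the thread or the draft, of a resource server making a fail-closed decision under that constraint. The `scope` and `exp` member names and formats are assumptions taken from the later RFC 7662, and `authorize` is a hypothetical helper.

```python
import time


def authorize(introspection, required_scope, now=None):
    """Decide whether a request may proceed, given a parsed introspection
    response (a dict decoded from the AS's JSON reply).

    Returns (allowed, reason). Only "active" is assumed to be present;
    "scope" and "exp" are optional members (names per RFC 7662, assumed).
    """
    now = time.time() if now is None else now

    if not isinstance(introspection, dict):
        return (False, "malformed response")

    # The one mandatory member. Require the JSON boolean true exactly:
    # a string "true" or a missing member must not grant access.
    if introspection.get("active") is not True:
        return (False, "token not active")

    # Optional: if the AS reports an expiry, enforce it locally as well.
    exp = introspection.get("exp")
    if exp is not None:
        if isinstance(exp, bool) or not isinstance(exp, (int, float)):
            return (False, "malformed exp")
        if exp <= now:
            return (False, "token expired")

    # Optional: the AS may omit scope entirely. This RS needs a scope to
    # authorize the call, so absence is treated as a denial, not a pass.
    scope = introspection.get("scope")
    if scope is None:
        return (False, "scope not reported by AS")
    if not isinstance(scope, str):
        return (False, "malformed scope")
    # Compare whole space-separated tokens, never substrings.
    if required_scope not in scope.split():
        return (False, "insufficient scope")

    return (True, "ok")


if __name__ == "__main__":
    # Constructed sample responses, not captured from any real AS.
    print(authorize({"active": True, "scope": "read write"}, "read"))
    print(authorize({"active": True}, "read"))
```

A response that carries only `active: true` is valid under the draft as described in the thread, so the resource server's policy for missing optional claims decides the outcome, which is the interoperability gap the thread is arguing about.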