Re: [OAUTH-WG] Delegation -- RE: SAML profile comments/questions from the SAML people
"Zeltsan, Zachary (Zachary)" <zachary.zeltsan@alcatel-lucent.com> Tue, 14 September 2010 10:24 UTC
Return-Path: <zachary.zeltsan@alcatel-lucent.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 266063A696D for <oauth@core3.amsl.com>; Tue, 14 Sep 2010 03:24:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.276
X-Spam-Level:
X-Spam-Status: No, score=-2.276 tagged_above=-999 required=5 tests=[AWL=-0.277, BAYES_00=-2.599, J_CHICKENPOX_61=0.6]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id B-yDKWrZqhke for <oauth@core3.amsl.com>; Tue, 14 Sep 2010 03:24:03 -0700 (PDT)
Received: from ihemail2.lucent.com (ihemail2.lucent.com [135.245.0.35]) by core3.amsl.com (Postfix) with ESMTP id F16E73A6966 for <oauth@ietf.org>; Tue, 14 Sep 2010 03:24:02 -0700 (PDT)
Received: from usnavsmail4.ndc.alcatel-lucent.com (usnavsmail4.ndc.alcatel-lucent.com [135.3.39.12]) by ihemail2.lucent.com (8.13.8/IER-o) with ESMTP id o8EAOSRm011222 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL); Tue, 14 Sep 2010 05:24:28 -0500 (CDT)
Received: from USNAVSXCHHUB01.ndc.alcatel-lucent.com (usnavsxchhub01.ndc.alcatel-lucent.com [135.3.39.110]) by usnavsmail4.ndc.alcatel-lucent.com (8.14.3/8.14.3/GMO) with ESMTP id o8EAORL4022024 (version=TLSv1/SSLv3 cipher=RC4-MD5 bits=128 verify=NOT); Tue, 14 Sep 2010 05:24:28 -0500
Received: from USNAVSXCHMBSA3.ndc.alcatel-lucent.com ([135.3.39.126]) by USNAVSXCHHUB01.ndc.alcatel-lucent.com ([135.3.39.110]) with mapi; Tue, 14 Sep 2010 05:24:27 -0500
From: "Zeltsan, Zachary (Zachary)" <zachary.zeltsan@alcatel-lucent.com>
To: 'Thomas Hardjono' <hardjono@mit.edu>, "Faynberg, Igor (Igor)" <igor.faynberg@alcatel-lucent.com>
Date: Tue, 14 Sep 2010 05:24:26 -0500
Thread-Topic: [OAUTH-WG] Delegation -- RE: SAML profile comments/questions from the SAML people
Thread-Index: ActOzGFQvhoQfZOXQCaYovoauidPGQAAxeYgAFh1YXAA71lAQA==
Message-ID: <5710F82C0E73B04FA559560098BF95B124FB2333DB@USNAVSXCHMBSA3.ndc.alcatel-lucent.com>
References: <DADD7EAD88AB484D8CCC328D40214CCD01C253AA42@EXPO10.exchange.mit.edu> <4C86A248.20501@alcatel-lucent.com> <5710F82C0E73B04FA559560098BF95B124FB2333D2@USNAVSXCHMBSA3.ndc.alcatel-lucent.com> <DADD7EAD88AB484D8CCC328D40214CCD01C2BC5FC8@EXPO10.exchange.mit.edu>
In-Reply-To: <DADD7EAD88AB484D8CCC328D40214CCD01C2BC5FC8@EXPO10.exchange.mit.edu>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Scanned-By: MIMEDefang 2.57 on 135.245.2.35
X-Scanned-By: MIMEDefang 2.64 on 135.3.39.12
Cc: oauth <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Delegation -- RE: SAML profile comments/questions from the SAML people
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 14 Sep 2010 10:24:04 -0000
Thomas, The draft does not specify a limit on the number of delegations from Client#N to Client#(N+1). The draft's revision would require a substantial work because the draft relies on the community version of OAuth, which differs significantly from the current OAuth v.2. I am talking with our developers to determine if there is sufficient support for this work. Zachary -----Original Message----- From: Thomas Hardjono [mailto:hardjono@mit.edu] Sent: Thursday, September 09, 2010 11:13 AM To: Zeltsan, Zachary (Zachary); Faynberg, Igor (Igor) Cc: oauth Subject: RE: [OAUTH-WG] Delegation -- RE: SAML profile comments/questions from the SAML people Thanks Igor and Zachary, Are there any plans to renew this expired draft? Also, is there a limitation to the number of "swaps" that can be supported? Thanks. /thomas/ __________________________________________ > -----Original Message----- > From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf > Of Zeltsan, Zachary (Zachary) > Sent: Tuesday, September 07, 2010 5:15 PM > To: Faynberg, Igor (Igor); Thomas Hardjono > Cc: oauth > Subject: Re: [OAUTH-WG] Delegation -- RE: SAML profile > comments/questions from the SAML people > > Igor, > > The intention of the draft draft-vrancken-oauth-redelegation was to > specify a mechanism for doing exactly what Thomas has described: > > ... User#1/Client#1 asks for > > an access token (to a given resource) with the intention of later > > handing over the access-token to a different User#2/Client#2 > The mechanism is design to support also the situation where > > User#2/Client#2 asks the Auth Server to "swap" (re-issue) this token > > for a different client_id (User#3/Client#3) > > The difference is that the mechanism of the draft-vrancken-oauth- > redelegation relies on the "temporary credentials" and "token > credentials", which were used in OAuth 1.0, and not on the access > tokens. > > Zachary > -----Original Message----- > From: Igor Faynberg [mailto:igor.faynberg@alcatel-lucent.com] > Sent: Tuesday, September 07, 2010 4:36 PM > To: Thomas Hardjono; Zeltsan, Zachary (Zachary) > Cc: Brian Campbell; oauth > Subject: Re: [OAUTH-WG] Delegation -- RE: SAML profile > comments/questions from the SAML people > > Thomas, > > It looks to me like the intention in this use case is similar to that > of the "multilegged OAuth" (later renamed to the politically-correct > "recursive delegation"). This use case has been published in Bart's and > Zachary's draft. which has expired now. This case has moved into the > overall use case compilation document. > > Zachary, maybe you could shed some light here? > > Igor > > Thomas Hardjono wrote: > > __________________________________________ > > > > > >> -... > > > > What I meant to say is that User#1/Client#1 asks for an access token > > (to a given resource) with the intention of later handing over the > > access-token to a different User#2/Client#2. > > > > Ideally, this model could be extensible where > > User#2/Client#2 asks the Auth Server to "swap" (re-issue) this token > > for a different client_id (User#3/Client#3). > > > > However, this bring us into space of role based access control and > > permissions, which would somewhat complicate the Oauth 2.0 > > authorization model :) > > > > /thomas/ > > > > > > > > > > _______________________________________________ > > OAuth mailing list > > OAuth@ietf.org > > https://www.ietf.org/mailman/listinfo/oauth > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth
- [OAUTH-WG] Delegation -- RE: SAML profile comment… Thomas Hardjono
- Re: [OAUTH-WG] Delegation -- RE: SAML profile com… Igor Faynberg
- Re: [OAUTH-WG] Delegation -- RE: SAML profile com… Zeltsan, Zachary (Zachary)
- Re: [OAUTH-WG] Delegation -- RE: SAML profile com… Justin Richer
- Re: [OAUTH-WG] Delegation -- RE: SAML profile com… Igor Faynberg
- Re: [OAUTH-WG] Delegation -- RE: SAML profile com… Thomas Hardjono
- Re: [OAUTH-WG] Delegation -- RE: SAML profile com… Zeltsan, Zachary (Zachary)
- Re: [OAUTH-WG] Delegation -- RE: SAML profile com… Thomas Hardjono