Re: [OAUTH-WG] Auth Server / Resource Server Coordination
Ofer Nave <odigity@gmail.com> Tue, 13 October 2015 04:37 UTC
Return-Path: <odigity@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C73681AD324 for <oauth@ietfa.amsl.com>; Mon, 12 Oct 2015 21:37:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UajJG3nD7Mbs for <oauth@ietfa.amsl.com>; Mon, 12 Oct 2015 21:37:45 -0700 (PDT)
Received: from mail-wi0-x22c.google.com (mail-wi0-x22c.google.com [IPv6:2a00:1450:400c:c05::22c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1C55E1B30BD for <oauth@ietf.org>; Mon, 12 Oct 2015 21:37:45 -0700 (PDT)
Received: by wicge5 with SMTP id ge5so40274912wic.0 for <oauth@ietf.org>; Mon, 12 Oct 2015 21:37:43 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=nQDSdapiWN2Y04UjTJl0+CQLqOnHfbGOChgvT04GaAo=; b=R8F6yTjsluoUhBBXAulr6WhOPVJqQdA1uPPH2oHZo8AVf2MrZwSQUpXBte4q1eCVgQ mAqL6VOTXXBeq6QivPIHl9vxOsP1AqRhCR/CWFxlmIiXl0mwieMsvKp1Fckhykun3YLF Nd60iFfUf4IS+yyfx8zoOIwr76cFKkphQdFlcn3QHR93/6jwBnmyhF+4SYyLb/vgZVjg JtED/2WpjmZU3A7B0hMRvDtV92HieXc1t+nrB0jlrSbLwzKNYYdlX+0lSnTn+d8GBAcp EVAauR6FN5MK5vrZO9czPzYC1DxqOuxn79LooCsX0doXSca8hdu9+SRH4wHmohLzEZKP 4SVA==
MIME-Version: 1.0
X-Received: by 10.180.106.4 with SMTP id gq4mr19459727wib.53.1444711063673; Mon, 12 Oct 2015 21:37:43 -0700 (PDT)
Received: by 10.27.125.70 with HTTP; Mon, 12 Oct 2015 21:37:43 -0700 (PDT)
In-Reply-To: <2064190583.2714607.1444710048221.JavaMail.yahoo@mail.yahoo.com>
References: <CABPN19_wYVEvqEU85FDZMYe6k8E8qkL0gGDvFeQMXaaQt+yAbQ@mail.gmail.com> <2064190583.2714607.1444710048221.JavaMail.yahoo@mail.yahoo.com>
Date: Tue, 13 Oct 2015 00:37:43 -0400
Message-ID: <CABPN19_VCKzuQCfFHV=C6LjHDVUghmMgkz9dW-3iH8fscBGD4Q@mail.gmail.com>
From: Ofer Nave <odigity@gmail.com>
To: Bill Mills <wmills_92105@yahoo.com>
Content-Type: multipart/alternative; boundary="f46d0443069cc0e6da0521f5011e"
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/10nxZ3l_s-d809JSTqcTVmqGlfc>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Auth Server / Resource Server Coordination
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 13 Oct 2015 04:37:47 -0000
> The RS needs to understand the token format and needs to trust the AS. I'm not too concerned about that because the people who would be using my service to handle auth for their API are mostly going to know me personally. (It's a community-specific service.) And my code will be open to them for review. > You can use a JWT (a common choice) as your token format which makes that part fairly easy. I was wondering about that, actually, as I've never had to design a token format. I wasn't too worried, because it seems to me that even a simple, obvious structure would be sufficient for the task (pick an object notation like JSON or just a separator like pipe, put the fixed fields like signature and expiration first, and then the rest are scope strings). However, I agree it's generally wise to reuse existing, proven standards. I learned about JWTs while studying OAuth2, and they do seem both interesting an appropriate. But they're also generalized, right? As in, not specific to OAuth 2. Even this RFC about using JWT with OAuth2 doesn't actually discuss, for example, how to encode a list of scopes within the JWT: https://tools.ietf.org/html/rfc7523 So, is there any kind of standard for an OAuth2 Access Token specifically that addresses this need? If not, I'll probably just build on top of JWT since it's the closest. > You do have decisions to make on whether you use symmetric crypto or PK there. That's another thing I was pondering -- simple shared secret, or require generated a private/public key pair. The asymetric form is a little more complicated in terms of the user experience. Is there a practical reason to prefer it? -ofer On Tue, Oct 13, 2015 at 12:20 AM, Bill Mills <wmills_92105@yahoo.com> wrote: > You're generally right on track. The RS needs to understand the token > format and needs to trust the AS. You bring in all the "hwo do 2 entities > maintain a trust relationship in computing thing" here, because the RS > needs to trust the AS. You can use a JWT (a common choice) as your token > format which makes that part fairly easy. You do have decisions to make on > whether you use symmetric crypto or PK there. > > > > On Monday, October 12, 2015 9:14 PM, Ofer Nave <odigity@gmail.com> wrote: > > > I know the OAuth 2.0 RFC doesn't specify any standards for coordination > between the Authorization Server and the Resource Server, as it's generally > assumed that both will be owned or operated by the same entity. > > However, I'm building an OAuth 2.0 Auth Server, and I'd like to add a > feature to make it easy for other API developers to delegate to me the > responsibility of handling the auth grant process and issuing access tokens. > > It seems to me that a simple version of this could be easily done by: > > 1) Defining an Access Token format that contains within it everything a > Resource Server will need to validate it and determine the level of access > granted (list of scopes, expiration datetime, HMAC signature using a shared > secret). > > 2) Providing a means (basic web UI) for Resource Server owners to register > a set of scopes for their service, along with user-understandable > descriptions of each to display when they arrive at my Authorization > Endpoint. > > While I've read the relevant RFCs, I'm new to the OAuth domain, and would > appreciate any feedback. Is this a stupid idea? Is this a good idea, but > redundant with another standard I'm not aware of? > > -ofer > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth > > >
- [OAUTH-WG] Auth Server / Resource Server Coordina… Ofer Nave
- Re: [OAUTH-WG] Auth Server / Resource Server Coor… Bill Mills
- Re: [OAUTH-WG] Auth Server / Resource Server Coor… Jim Manico
- Re: [OAUTH-WG] Auth Server / Resource Server Coor… Ofer Nave
- Re: [OAUTH-WG] Auth Server / Resource Server Coor… Ofer Nave
- Re: [OAUTH-WG] Auth Server / Resource Server Coor… Justin Richer
- Re: [OAUTH-WG] Auth Server / Resource Server Coor… Vladimir Dzhuvinov
- Re: [OAUTH-WG] Auth Server / Resource Server Coor… Thomas Broyer
- Re: [OAUTH-WG] Auth Server / Resource Server Coor… Ofer Nave
- Re: [OAUTH-WG] Auth Server / Resource Server Coor… Ofer Nave
- Re: [OAUTH-WG] Auth Server / Resource Server Coor… Ofer Nave
- Re: [OAUTH-WG] Auth Server / Resource Server Coor… Ofer Nave
- Re: [OAUTH-WG] Auth Server / Resource Server Coor… Bill Mills
- Re: [OAUTH-WG] Auth Server / Resource Server Coor… Eve Maler
- [OAUTH-WG] Is authorization challenge always need… Sergey Beryozkin
- Re: [OAUTH-WG] Is authorization challenge always … Justin Richer
- Re: [OAUTH-WG] Is authorization challenge always … Sergey Beryozkin