IETF Logo Mail Archive

Re: [OAUTH-WG] Indicating sites where a token is valid

Evan Gilbert <uidude@google.com> Mon, 10 May 2010 23:30 UTC

Return-Path: <uidude@google.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 42B4B3A6822 for <oauth@core3.amsl.com>; Mon, 10 May 2010 16:30:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -101.789
X-Spam-Level:
X-Spam-Status: No, score=-101.789 tagged_above=-999 required=5 tests=[AWL=0.187, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UK5tuQvfysDn for <oauth@core3.amsl.com>; Mon, 10 May 2010 16:30:51 -0700 (PDT)
Received: from smtp-out.google.com (smtp-out.google.com [74.125.121.35]) by core3.amsl.com (Postfix) with ESMTP id 2DAEF3A6812 for <oauth@ietf.org>; Mon, 10 May 2010 16:30:50 -0700 (PDT)
Received: from kpbe14.cbf.corp.google.com (kpbe14.cbf.corp.google.com [172.25.105.78]) by smtp-out.google.com with ESMTP id o4ANUbEi021499 for <oauth@ietf.org>; Mon, 10 May 2010 16:30:37 -0700
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=google.com; s=beta; t=1273534238; bh=hiMMu3Hk6EMsBENXv0Puq5hMek4=; h=MIME-Version:In-Reply-To:References:From:Date:Message-ID:Subject: To:Cc:Content-Type; b=a0tnO5YWLkghucyj7rGAjiQEIl9OA/CXT0u/a0dEa7Hz7Cj4v5XjzOgwPRwypwyVt 7+yc7VZwH+ESn+a9elGtg==
DomainKey-Signature: a=rsa-sha1; s=beta; d=google.com; c=nofws; q=dns; h=mime-version:in-reply-to:references:from:date:message-id: subject:to:cc:content-type:x-system-of-record; b=dvENJ9Ct9e4Jrgcef+YTcmQoCdcua0w2IktrXl3/HImk7hu3+ofvfVZDs5lyUbmuV o5k7vaILs6uuguwHz3fXQ==
Received: from qyk30 (qyk30.prod.google.com [10.241.83.158]) by kpbe14.cbf.corp.google.com with ESMTP id o4ANU7An003758 for <oauth@ietf.org>; Mon, 10 May 2010 16:30:36 -0700
Received: by qyk30 with SMTP id 30so7547315qyk.16 for <oauth@ietf.org>; Mon, 10 May 2010 16:30:35 -0700 (PDT)
Received: by 10.229.230.65 with SMTP id jl1mr4155426qcb.7.1273534234803; Mon, 10 May 2010 16:30:34 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.229.7.136 with HTTP; Mon, 10 May 2010 16:30:14 -0700 (PDT)
In-Reply-To: <D24C564ACEAD16459EF2526E1D7D605D0C8D22ED62@IMCMBX3.MITRE.ORG>
References: <255B9BB34FB7D647A506DC292726F6E11263073D6D@WSMSG3153V.srv.dir.telstra.com> <q2hfd6741651005062105y46152452x370fac0dd12d55c6@mail.gmail.com> <255B9BB34FB7D647A506DC292726F6E112631B24FC@WSMSG3153V.srv.dir.telstra.com> <4BE3A5DC.5030601@lodderstedt.net> <BC9EED4C-B667-4AC2-A663-CEAC0B7CB620@lodderstedt.net> <AANLkTincZ8_0-t2r_Ey9BestA_knMciYsxRLyHcOvSVO@mail.gmail.com> <g2xfd6741651005071106if93ba794q7e9739669eb22fc2@mail.gmail.com> <90C41DD21FB7C64BB94121FBBC2E72343B3AB46E1F@P3PW5EX1MB01.EX1.SECURESERVER.NET> <D24C564ACEAD16459EF2526E1D7D605D0C8D22ED62@IMCMBX3.MITRE.ORG>
From: Evan Gilbert <uidude@google.com>
Date: Mon, 10 May 2010 16:30:14 -0700
Message-ID: <AANLkTilkUA9i-WZPv8PqPsxiJf5_1SuiCb_GOTdcwtPX@mail.gmail.com>
To: "Richer, Justin P." <jricher@mitre.org>
Content-Type: multipart/alternative; boundary="00163630e9a5acbf8e048645cb8f"
X-System-Of-Record: true
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Indicating sites where a token is valid
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 10 May 2010 23:30:52 -0000

I really like the idea behind the "sites" parameter

I think this idea relates closely to scopes and probably needs to be bound
more tightly to the inbound scope parameter. Both identify a set of
protected resources that can be accessed with the token - one is the
requested resources, the other is the granted resources. In both cases you
need to have a way to find a mapping from protected resource identifier ->
API endpoint you can call.

On Mon, May 10, 2010 at 5:18 AM, Richer, Justin P. <jricher@mitre.org>wrote:

>  +1
>
> Any information that the client needs to care about should live outside the
> token.
>
>  -- Justin
>
>  ------------------------------
> *From:* oauth-bounces@ietf.org [oauth-bounces@ietf.org] On Behalf Of Eran
> Hammer-Lahav [eran@hueniverse.com]
> *Sent:* Sunday, May 09, 2010 5:29 PM
> *To:* David Recordon; Marius Scurtescu
>
> *Cc:* OAuth WG
> *Subject:* Re: [OAUTH-WG] Indicating sites where a token is valid
>
>   The idea of embedding this information into the token is wrong. This is
> clearly token metadata and that information belongs alongside the token,
> just like ‘expires_in’.
>
>
>
> EHL
>
>
>
> *From:* oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] *On Behalf
> Of *David Recordon
> *Sent:* Friday, May 07, 2010 11:06 AM
> *To:* Marius Scurtescu
> *Cc:* OAuth WG
> *Subject:* Re: [OAUTH-WG] Indicating sites where a token is valid
>
>
>
> Using SWT for your access tokens seems like a reasonable way to resolve
> this for servers which care.
>
>
>
> On Fri, May 7, 2010 at 11:01 AM, Marius Scurtescu <mscurtescu@google.com>
> wrote:
>
> Returning a scope parameter with issued tokens is not a bad idea.
>
> But this, and also the sites parameter suggested by James, can both
> potentially be solved with a transparent token format. Such a token
> can make explicit the:
> - expiry time
> - scopes
> - sites
> - etc.
>
> The Simple Web Token spec goes along these lines. SWT has a parameter
> called Audience, which I assumed would point to the client, but it
> could also represent "sites".
>
> Marius
>
>
>
>
> On Thu, May 6, 2010 at 11:06 PM, Torsten Lodderstedt
> <torsten@lodderstedt.net> wrote:
> > Additionally, I would propose to indicate the scope associated with a
> token
> > to the client using a scope response parameter. This is especially useful
> > (1) if the client did not pass a scope parameter but the server decided
> to
> > associate a scope based on its policy or (2) if the user decided to
> > authorize a subset of the requested scope only.
> > Regards,
> > Torsten.
> >
> >
> >
> > Am 07.05.2010 um 07:32 schrieb Torsten Lodderstedt
> > <torsten@lodderstedt.net>:
> >
> > what about an additional realm response value?
> >
> > If there is a binding between realm and token, the client can decide
> based
> > on the realm attribute discovered using a WWW-Authenticate response which
> > token to use.
> >
> > regards,
> > Torsten.
> >
> > Am 07.05.2010 07:06, schrieb Manger, James H:
> >
> > Every existing use of Cookies, HTTP Basic, and HTTP Digest relies on
> clients
> > being told by the server about the sites at which the secret
> > (cookie/password/token) can be used (and, more importantly, where is must
> > not be used). This occurs without requiring service-specific knowledge in
> > the client app. OAuth aims to replace some of these uses.
> >
> >
> >
> > HTTP Basic authentication works safely from clients with no
> service-specific
> > knowledge because the client knows not to send the password it gets from
> the
> > user to other sites.
> >
> >
> >
> > HTTP Digest authentication allows a password to used to across a set of
> > domains specified in a WWW-Authenticate response header, but the password
> > will not be used at arbitrary other sites.
> >
> >
> >
> > Cookies are sent in requests to the same site, sites with the same
> parent,
> > or only https sites, depending on details from the service when setting
> the
> > cookie.
> >
> >
> >
> >
> >
> > To date, OAuth has assumed every client app has lots of service-specific
> > knowledge to make these choices. OAuth needs to remove the need for so
> much
> > service-specific knowledge to be as interoperable as other standard auth
> > mechanism, otherwise it is a poor replacement.
> >
> >
> >
> > --
> >
> > James Manger
> >
> >
> >
> > From: David Recordon [mailto:recordond@gmail.com]
> > Sent: Friday, 7 May 2010 2:05 PM
> > To: Manger, James H
> > Cc: OAuth WG
> > Subject: Re: [OAUTH-WG] Indicating sites where a token is valid
> >
> >
> >
> > Hey James,
> >
> > Do you have a specific example in mind where this either has been an
> issue
> > or will be an issue? Most client implementations I've seen of OAuth (and
> > technologies like OAuth) have a strong binding between the access
> token(s),
> > site they were issued by, and user they belong to. So I haven't heard of
> > this being a problem in the wild...
> >
> >
> >
> > --David
> >
> >
> >
> > _______________________________________________
> > OAuth mailing list
> > OAuth@ietf.org
> > https://www.ietf.org/mailman/listinfo/oauth
> >
> >
> > _______________________________________________
> > OAuth mailing list
> > OAuth@ietf.org
> > https://www.ietf.org/mailman/listinfo/oauth
> >
> > _______________________________________________
> > OAuth mailing list
> > OAuth@ietf.org
> > https://www.ietf.org/mailman/listinfo/oauth
> >
> >
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
>

v2.23.0 | Report a Bug | By Email