IETF Logo Mail Archive

Re: [OAUTH-WG] Open Issues: Group Survey (respond by 5/13)

Yaron Goland <yarong@microsoft.com> Thu, 13 May 2010 20:51 UTC

Return-Path: <yarong@microsoft.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 0C7043A68F5 for <oauth@core3.amsl.com>; Thu, 13 May 2010 13:51:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -8.704
X-Spam-Level:
X-Spam-Status: No, score=-8.704 tagged_above=-999 required=5 tests=[AWL=-0.519, BAYES_40=-0.185, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sQHCe+a5GJDB for <oauth@core3.amsl.com>; Thu, 13 May 2010 13:51:38 -0700 (PDT)
Received: from smtp.microsoft.com (mail1.microsoft.com [131.107.115.212]) by core3.amsl.com (Postfix) with ESMTP id CA4323A6837 for <oauth@ietf.org>; Thu, 13 May 2010 13:51:38 -0700 (PDT)
Received: from TK5EX14MLTC103.redmond.corp.microsoft.com (157.54.79.174) by TK5-EXGWY-E801.partners.extranet.microsoft.com (10.251.56.50) with Microsoft SMTP Server (TLS) id 8.2.176.0; Thu, 13 May 2010 13:51:27 -0700
Received: from TK5EX14MBXC117.redmond.corp.microsoft.com ([169.254.8.11]) by TK5EX14MLTC103.redmond.corp.microsoft.com ([157.54.79.174]) with mapi; Thu, 13 May 2010 13:51:29 -0700
From: Yaron Goland <yarong@microsoft.com>
To: Eran Hammer-Lahav <eran@hueniverse.com>, Torsten Lodderstedt <torsten@lodderstedt.net>
Thread-Topic: [OAUTH-WG] Open Issues: Group Survey (respond by 5/13)
Thread-Index: AQHK8M2JqAP3Yhb/w06D/QdCD+DPKpJMuIJQgAAreACAAusloA==
Date: Thu, 13 May 2010 20:51:25 +0000
Message-ID: <7C01E631FF4B654FA1E783F1C0265F8C4A42BFE4@TK5EX14MBXC117.redmond.corp.microsoft.com>
References: <90C41DD21FB7C64BB94121FBBC2E72343B3AB46E1C@P3PW5EX1MB01.EX1.SECURESERVER.NET> <7C01E631FF4B654FA1E783F1C0265F8C4A426BAB@TK5EX14MBXC117.redmond.corp.microsoft.com> <4BE8EF51.1070305@lodderstedt.net> <7C01E631FF4B654FA1E783F1C0265F8C4A4296A0@TK5EX14MBXC117.redmond.corp.microsoft.com> <90C41DD21FB7C64BB94121FBBC2E72343B3AB47465@P3PW5EX1MB01.EX1.SECURESERVER.NET>
In-Reply-To: <90C41DD21FB7C64BB94121FBBC2E72343B3AB47465@P3PW5EX1MB01.EX1.SECURESERVER.NET>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: "OAuth WG (oauth@ietf.org)" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Open Issues: Group Survey (respond by 5/13)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 13 May 2010 20:51:40 -0000

But in federation scenarios the client credentials are an assertion.

For example, Microsoft has a service called Dallas that lets entities purchase access to proprietary data feeds. A common scenario we run into with Dallas is that a company will purchase access to a feed for its employees. But the company doesn't want to have to individually specify to Dallas who can and cannot use the feed. Instead they want to agree on a key with Dallas and use that key to sign assertions sent to Dallas saying "let this person in". The OAuth flow would be:

1. A Dallas client of an employee of 'the company' issues a request to 'the company's ticket issuer asking for a security token it can send to Dallas.
2. 'The Company's ticket issuer generates a signed assertion stating that the bearer has the right to use 'The Company's subscription to a particular feed.
3. The Dallas client then forwards that security token to Dallas's ticket issuer asking for an access token to actually talk to Dallas's front end.
4. Dallas validates the security token (e.g. checks the signature, makes sure it has the right claims, etc.) and if successful then issues an access token to the Dallas client.

So in step 3 the client credential was a full-fledged security token of potentially arbitrary size.

BTW, just to make sure I'm properly following along, we are talking about section 3.9?

		Yaron


> -----Original Message-----
> From: Eran Hammer-Lahav [mailto:eran@hueniverse.com]
> Sent: Tuesday, May 11, 2010 4:37 PM
> To: Yaron Goland; Torsten Lodderstedt
> Cc: OAuth WG (oauth@ietf.org)
> Subject: RE: [OAUTH-WG] Open Issues: Group Survey (respond by 5/13)
> 
> No one was suggesting putting the assertion in the header. Just the client
> credentials...
> 
> EHL
> 
> > -----Original Message-----
> > From: Yaron Goland [mailto:yarong@microsoft.com]
> > Sent: Tuesday, May 11, 2010 4:24 PM
> > To: Torsten Lodderstedt
> > Cc: Eran Hammer-Lahav; OAuth WG (oauth@ietf.org)
> > Subject: RE: [OAUTH-WG] Open Issues: Group Survey (respond by 5/13)
> >
> > Actually it's server side that's the problem. Many servers limit the
> > size of the HTTP request headers they will accept. Apache 2.2, for
> > example, uses the LimitRequestFieldSize Directive
> > (http://httpd.apache.org/docs/2.2/mod/core.html). Its default size is
> > 8190 bytes. IIS, I Believe, defaults to around 16K. But SAML
> > assertions can easily clock in at 30 or 40k without even trying.
> >
> > So as a practical matter we need a way to allow clients to assert
> > their right to a token using the request body so as to not need to
> > artificially limit the size of the token that is being submitted.
> >
> > 		Yaron
> >
> > > -----Original Message-----
> > > From: Torsten Lodderstedt [mailto:torsten@lodderstedt.net]
> > > Sent: Monday, May 10, 2010 10:47 PM
> > > To: Yaron Goland
> > > Cc: Eran Hammer-Lahav; OAuth WG (oauth@ietf.org)
> > > Subject: Re: [OAUTH-WG] Open Issues: Group Survey (respond by 5/13)
> > >
> > > Am 11.05.2010 01:43, schrieb Yaron Goland:
> > > >
> > > >> ---
> > > >>
> > > >> 2. Client Authentication (in flows)
> > > >>
> > > >> How should the client authenticate when making token requests?
> > > >> The current draft defines special request parameters for sending
> > > >> client credentials. Some have argued that this is not the correct
> > > >> way, and that the client should be using existing HTTP
> > > >> authentication schemes to accomplish that such as Basic.
> > > >>
> > > >> A. Client authenticates by sending its credentials using special
> > > >> parameters (current draft) B. Client authenticated by using HTTP
> > > >> Basic (or other schemes supported by the server such as Digest)
> > > >>
> > > >>
> > > > [Yaron Goland] A is needed at a minimum because there are physical
> > > limitations to how many bytes can go into an authorization header.
> > > >
> > >
> > > As far as I know, 4KB is the minimum size for headers that must be
> > > supported by user agents, which should suffice from my point of view.
> > > Moreover, other HTTP authentication mechanisms need much more than
> > > 4KB, For example, SPNEGO authentication headers can be up to 12392
> > bytes.
> > >
> > > regards,
> > > Torsten.
> > >
> > > >> _______________________________________________
> > > >> OAuth mailing list
> > > >> OAuth@ietf.org
> > > >> https://www.ietf.org/mailman/listinfo/oauth
> > > >>
> > > > _______________________________________________
> > > > OAuth mailing list
> > > > OAuth@ietf.org
> > > > https://www.ietf.org/mailman/listinfo/oauth
> > > >
> > >
> > >
>

v2.23.0 | Report a Bug | By Email