Re: [OAUTH-WG] Delegation -- RE: SAML profile comments/questions from the SAML people
"Zeltsan, Zachary (Zachary)" <zachary.zeltsan@alcatel-lucent.com> Tue, 07 September 2010 21:15 UTC
Return-Path: <zachary.zeltsan@alcatel-lucent.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 831ED3A6956 for <oauth@core3.amsl.com>; Tue, 7 Sep 2010 14:15:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.574
X-Spam-Level:
X-Spam-Status: No, score=-2.574 tagged_above=-999 required=5 tests=[AWL=0.025, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NbZFqo8uMAJq for <oauth@core3.amsl.com>; Tue, 7 Sep 2010 14:15:01 -0700 (PDT)
Received: from ihemail1.lucent.com (ihemail1.lucent.com [135.245.0.33]) by core3.amsl.com (Postfix) with ESMTP id EA9C83A6A6A for <oauth@ietf.org>; Tue, 7 Sep 2010 14:14:59 -0700 (PDT)
Received: from usnavsmail4.ndc.alcatel-lucent.com (usnavsmail4.ndc.alcatel-lucent.com [135.3.39.12]) by ihemail1.lucent.com (8.13.8/IER-o) with ESMTP id o87LFQsR029963 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL); Tue, 7 Sep 2010 16:15:27 -0500 (CDT)
Received: from USNAVSXCHHUB03.ndc.alcatel-lucent.com (usnavsxchhub03.ndc.alcatel-lucent.com [135.3.39.112]) by usnavsmail4.ndc.alcatel-lucent.com (8.14.3/8.14.3/GMO) with ESMTP id o87LFQtq004061 (version=TLSv1/SSLv3 cipher=RC4-MD5 bits=128 verify=NOT); Tue, 7 Sep 2010 16:15:26 -0500
Received: from USNAVSXCHMBSA3.ndc.alcatel-lucent.com ([135.3.39.126]) by USNAVSXCHHUB03.ndc.alcatel-lucent.com ([135.3.39.112]) with mapi; Tue, 7 Sep 2010 16:15:25 -0500
From: "Zeltsan, Zachary (Zachary)" <zachary.zeltsan@alcatel-lucent.com>
To: "Faynberg, Igor (Igor)" <igor.faynberg@alcatel-lucent.com>, Thomas Hardjono <hardjono@MIT.EDU>
Date: Tue, 07 Sep 2010 16:15:25 -0500
Thread-Topic: [OAUTH-WG] Delegation -- RE: SAML profile comments/questions from the SAML people
Thread-Index: ActOzGFQvhoQfZOXQCaYovoauidPGQAAxeYg
Message-ID: <5710F82C0E73B04FA559560098BF95B124FB2333D2@USNAVSXCHMBSA3.ndc.alcatel-lucent.com>
References: <DADD7EAD88AB484D8CCC328D40214CCD01C253AA42@EXPO10.exchange.mit.edu> <4C86A248.20501@alcatel-lucent.com>
In-Reply-To: <4C86A248.20501@alcatel-lucent.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Scanned-By: MIMEDefang 2.57 on 135.245.2.33
X-Scanned-By: MIMEDefang 2.64 on 135.3.39.12
Cc: oauth <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Delegation -- RE: SAML profile comments/questions from the SAML people
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 07 Sep 2010 21:15:06 -0000
Igor, The intention of the draft draft-vrancken-oauth-redelegation was to specify a mechanism for doing exactly what Thomas has described: > ... User#1/Client#1 asks for > an access token (to a given resource) with the > intention of later handing over the access-token to > a different User#2/Client#2 The mechanism is design to support also the situation where > User#2/Client#2 asks the Auth Server to "swap" (re-issue) > this token for a different client_id (User#3/Client#3) The difference is that the mechanism of the draft-vrancken-oauth-redelegation relies on the "temporary credentials" and "token credentials", which were used in OAuth 1.0, and not on the access tokens. Zachary -----Original Message----- From: Igor Faynberg [mailto:igor.faynberg@alcatel-lucent.com] Sent: Tuesday, September 07, 2010 4:36 PM To: Thomas Hardjono; Zeltsan, Zachary (Zachary) Cc: Brian Campbell; oauth Subject: Re: [OAUTH-WG] Delegation -- RE: SAML profile comments/questions from the SAML people Thomas, It looks to me like the intention in this use case is similar to that of the "multilegged OAuth" (later renamed to the politically-correct "recursive delegation"). This use case has been published in Bart's and Zachary's draft. which has expired now. This case has moved into the overall use case compilation document. Zachary, maybe you could shed some light here? Igor Thomas Hardjono wrote: > __________________________________________ > > >> -... > > What I meant to say is that User#1/Client#1 asks for > an access token (to a given resource) with the > intention of later handing over the access-token to > a different User#2/Client#2. > > Ideally, this model could be extensible where > User#2/Client#2 asks the Auth Server to "swap" (re-issue) > this token for a different client_id (User#3/Client#3). > > However, this bring us into space of role based access > control and permissions, which would somewhat complicate > the Oauth 2.0 authorization model :) > > /thomas/ > > > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth >
- [OAUTH-WG] Delegation -- RE: SAML profile comment… Thomas Hardjono
- Re: [OAUTH-WG] Delegation -- RE: SAML profile com… Igor Faynberg
- Re: [OAUTH-WG] Delegation -- RE: SAML profile com… Zeltsan, Zachary (Zachary)
- Re: [OAUTH-WG] Delegation -- RE: SAML profile com… Justin Richer
- Re: [OAUTH-WG] Delegation -- RE: SAML profile com… Igor Faynberg
- Re: [OAUTH-WG] Delegation -- RE: SAML profile com… Thomas Hardjono
- Re: [OAUTH-WG] Delegation -- RE: SAML profile com… Zeltsan, Zachary (Zachary)
- Re: [OAUTH-WG] Delegation -- RE: SAML profile com… Thomas Hardjono