IETF Logo Mail Archive

Re: [OAUTH-WG] Using OAuth to get a JWT/SAML token

Brian Campbell <bcampbell@pingidentity.com> Fri, 20 April 2012 12:27 UTC

Return-Path: <bcampbell@pingidentity.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A268321F86FF for <oauth@ietfa.amsl.com>; Fri, 20 Apr 2012 05:27:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.955
X-Spam-Level:
X-Spam-Status: No, score=-5.955 tagged_above=-999 required=5 tests=[AWL=0.021, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lFui2RW2r-lI for <oauth@ietfa.amsl.com>; Fri, 20 Apr 2012 05:27:26 -0700 (PDT)
Received: from na3sys009aog127.obsmtp.com (na3sys009aog127.obsmtp.com [74.125.149.107]) by ietfa.amsl.com (Postfix) with ESMTP id E232721F8670 for <oauth@ietf.org>; Fri, 20 Apr 2012 05:27:25 -0700 (PDT)
Received: from mail-vb0-f53.google.com ([209.85.212.53]) (using TLSv1) by na3sys009aob127.postini.com ([74.125.148.12]) with SMTP ID DSNKT5FWLWnfUyUVKet1ek8pz+uzo831QZKV@postini.com; Fri, 20 Apr 2012 05:27:26 PDT
Received: by vbbfc26 with SMTP id fc26so7602753vbb.12 for <oauth@ietf.org>; Fri, 20 Apr 2012 05:27:24 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type:x-gm-message-state; bh=NGl3bANYEPAZOzzLjsbZ1TmRDGEtOzdOrmD9gat1FZ0=; b=mNwLvgBHkpB8bPkvxPsx37VdE2nk/nia840Y6WLlXG5ASBikyjJZAsstOZyWlnQ+xj cpiX2b3lYDtqMGqOUMjkmbWcibhqbmbWOPn1/LtQCoN5k/oUGh+R+H53QRpEu08cpb8f nhzEfm0XT0DkpH86vcO2wgsum8WhIK29K0ZqHy1jKqJovX/5GHq5C6GOFwwXOjh3C1BD L546/kTKIiW89I/b/1kvl/LzcVYFzwLUVzqkS3Sr2OA68YRkhNOynGF6Nsy6qIV7sV4w bYL7mY1/va4bmVSD+XEgmxxZdxGjQRGDE/3wBDhAhEQagtL8gMEXY93JQrhFZ+Lij5XG lGfg==
Received: by 10.220.38.138 with SMTP id b10mr4472553vce.23.1334924844569; Fri, 20 Apr 2012 05:27:24 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.52.38.104 with HTTP; Fri, 20 Apr 2012 05:26:54 -0700 (PDT)
In-Reply-To: <59E470B10C4630419ED717AC79FCF9A909785B@BL2PRD0410MB363.namprd04.prod.outlook.com>
References: <59E470B10C4630419ED717AC79FCF9A906E74E@CH1PRD0410MB369.namprd04.prod.outlook.com> <4F885680.5090801@mitre.org> <59E470B10C4630419ED717AC79FCF9A9090519@CH1PRD0410MB369.namprd04.prod.outlook.com> <CA+k3eCQAq18kuXgwbSvzR4JJKqsJFQHoeU-+9UBYBNk6+3eTZQ@mail.gmail.com> <59E470B10C4630419ED717AC79FCF9A909785B@BL2PRD0410MB363.namprd04.prod.outlook.com>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Fri, 20 Apr 2012 06:26:54 -0600
Message-ID: <CA+k3eCSZiWPJhRAyXwJzPBrCna6OWMGobEzwGCLeZEawcteJMA@mail.gmail.com>
To: Lewis Adam-CAL022 <Adam.Lewis@motorolasolutions.com>
Content-Type: multipart/alternative; boundary="bcaec54ee7562992b004be1b69f2"
X-Gm-Message-State: ALoCoQksbio8L5c+I07/udTTL7mMjqMS2XhyayqLPHVC5Vg8lnHSCYs8gt6gcxhGmmG6mtYlGAbl
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Using OAuth to get a JWT/SAML token
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 20 Apr 2012 12:27:27 -0000

You're right, resource owner credentials is specifically for username and
password. If by RSA you mean a one time password from a hard token, you
might be able to kind of shove it into a resource owner credentials flow.
But I don't think that was really the intent. If you mean RSA signatures,
then it doesn't really work.

In general stronger forms of user authentication for direct client to AS
communications are allowed for by the extensibility of the grant type
mechanism: http://tools.ietf.org/html/draft-ietf-oauth-v2-25#section-4.5but
that does require an extension spec or a proprietary implementation.

There is work underway to standardize some assertion/token grants with this
abstract definition
http://tools.ietf.org/html/draft-ietf-oauth-assertionsand these more
concrete definitions for SAML and JWT respectively
http://tools.ietf.org/html/draft-ietf-oauth-saml2-bearer and
http://tools.ietf.org/html/draft-jones-oauth-jwt-bearer

Neither of those directly address the question of other forms of stronger
authentication directly with the AS. However some from of stronger authn
could have been used to acquire the SAML or JWT - maybe an X509 token sent
to an STS. Admittedly that just kind of pushes the problem around and
there's some chicken and egg going on here.






On Thu, Apr 19, 2012 at 4:25 PM, Lewis Adam-CAL022 <
Adam.Lewis@motorolasolutions.com> wrote:

>  Hi Brian,****
>
> ** **
>
> I was also looking at the resource owner credentials flow, but it seems
> limited to username & password … it’s not clear that it would work with
> stronger authentication methods such as RSA.  Thoughts?****
>
> ** **
>
> adam****
>
> ** **
>
> *From:* Brian Campbell [mailto:bcampbell@pingidentity.com]
> *Sent:* Thursday, April 19, 2012 5:08 PM
> *To:* Lewis Adam-CAL022
> *Cc:* Justin Richer; oauth@ietf.org
>
> *Subject:* Re: [OAUTH-WG] Using OAuth to get a JWT/SAML token****
>
>  ** **
>
> A browser isn't required. The browser based flows are pretty common with
> OAuth but they are certainly not the only way to get a token.
>
> The resource owner credentials and client credentials grant types are both
> involve only direct communication between the client and the AS. And there
> are also the SAML and JWT grants that allow a client to get an access token
> directly from an AS without a browser being involved.****
>
> On Thu, Apr 19, 2012 at 3:37 PM, Lewis Adam-CAL022 <
> Adam.Lewis@motorolasolutions.com> wrote:****
>
> Hi Justin,****
>
>  ****
>
> There is one thing I have not understood about the whole external browser
> vs. embedded browser guidance … and that is, why is **any** browser
> needed?  Java for example has an HTTP library, and OAuth is RESTful.  So
> why is it necessary to require the web browser at all, whether external or
> embedded?  Why can’t my native client make RESTful API calls to the AS and
> RS natively?****
>
>  ****
>
> Tx!****
>
> adam****
>
>  ****
>
> *From:* Justin Richer [mailto:jricher@mitre.org]
> *Sent:* Friday, April 13, 2012 11:38 AM
> *To:* Lewis Adam-CAL022
> *Cc:* oauth@ietf.org
> *Subject:* Re: [OAUTH-WG] Using OAuth to get a JWT/SAML token****
>
>  ****
>
> If the mobile device has a web browser (such as a smart phone), then this
> is pretty easy, and you've got a couple of options.
>
> One of the best options when the token is on behalf of an end user is, in
> my opinion, to use the authorization code flow like this: First, register
> what's called a "public client" with your server -- so you'll get an ID but
> not a client secret. With that client ID, register a custom-scheme callback
> URI, like "myapp://oauthcallback", and register your app on the device as
> the handler for "myapp".
>
> In your application, to start things off, you fire off a web browser to
> the authorization server's authorization endpoint. The user logs in to the
> authorization server through the web browser, approves this copy of your
> app, and gets redirected to "myapp://oauthcallback?code=basdf132". Your app
> grabs the "myapp://" url and plucks the authorization code off the end of
> it. Your app then takes that code and sends it in the background to the
> token endpoint to exchange for a token.
>
> Some key points:
>
> 1) You need to have access to a web browser on the platform, and it's
> considered best practice to push the user to the external browser
> application on the platform instead of embedding one. There are a couple
> paragraphs in the spec's security considerations section that talk about
> this.
> 2) Your app is "public" because you can't publish it with a secret at
> configuration time. It can, however, keep the tokens secret at runtime.
> 3) You need to be very careful with how you store the tokens on the device
> -- they need to be in a trusted space where other apps on the device can't
> sniff them out.
> 4) Another app can try to register "myapp://" and intercept your code on
> the way through, so make sure your codes are all one time use and short
> lived.
>
> None of this is just theoretically possible, people are doing it today.
> What libraries and stuff you'd be after depends wholly on your platform
> (both server and client side).
>
>  -- Justin
>
> On 04/12/2012 03:01 PM, Lewis Adam-CAL022 wrote: ****
>
> Hi all,****
>
>  ****
>
> I’ve been talking to some of you off line about this already, but I need
> some help in terms of implementation.  I would like to use OAuth as a means
> to get either a JWT or SAML token to a client running on a handheld
> device.  This is something that I’m looking to prototype (as part of a
> larger project) beginning this week.  So, it is important to me to
> understand the divide between what is theoretically possible and what is
> actually possible.****
>
>  ****
>
> Anybody aware of any implementations out there, either vendor or open
> source, that I can use for this?****
>
>  ****
>
> Tx!
> adam****
>
>
>
> ****
>
> _______________________________________________****
>
> OAuth mailing list****
>
> OAuth@ietf.org****
>
> https://www.ietf.org/mailman/listinfo/oauth****
>
>  ****
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth****
>
> ** **
>

v2.23.0 | Report a Bug | By Email