Re: [OAUTH-WG] Distributed OAuth interim meeting summary

Dick Hardt <dick.hardt@gmail.com> Thu, 01 February 2018 19:16 UTC

In-Reply-To: <CAGL6epKk1a_4POp2rBmDuC5uWq6nLKeorzbd5E990iULbaUwcQ@mail.gmail.com>
References: <CAGL6epKk1a_4POp2rBmDuC5uWq6nLKeorzbd5E990iULbaUwcQ@mail.gmail.com>
From: Dick Hardt <dick.hardt@gmail.com>
Date: Thu, 1 Feb 2018 11:15:34 -0800
Message-ID: <CAD9ie-uxp5TcTO59XYv=bucMpfEsmoPz+42mpOLMLGs1i8QULg@mail.gmail.com>
To: Rifaat Shekh-Yusef <rifaat.ietf@gmail.com>
Cc: oauth <oauth@ietf.org>, Nat Sakimura <sakimura@gmail.com>, Brian Campbell <bcampbell@pingidentity.com>, Hannes Tschofenig <Hannes.Tschofenig@arm.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/43UoxQbx3WLKuFnvco9oTnV5VdE>
Subject: Re: [OAUTH-WG] Distributed OAuth interim meeting summary

There seemed to be interest in this problem area from a number of people.

While the other referenced drafts solve aspects of the problem, the
Distributed OAuth ID is a full solution to a class of problems, but may be
overly prescriptive in aspects. Here is how I see the different aspects of
the problem:

How does the resource prove its identity?
How does the resource signal its authorization server?
How does the client signal which resource it wants access to?
How is the identity of the resource represented in the access token?

Am I framing the problem in a way that makes sense to the others of the
other specs?



On Tue, Jan 16, 2018 at 8:07 AM, Rifaat Shekh-Yusef <rifaat.ietf@gmail.com>
wrote:

> Dick presented the attached Distributed OAuth slides, which are the same
> slides he presented during the IETF meeting in Singapore.
>
> Eve presented the attached UMA slides, which seem to have a wider scope
> that covers Federation of AS servers, but shares some of what is in the
> Distributed OAuth draft.
>
>
> The team then discussed the scope of the authorization: *host level* vs
> *granular*.
>
> It seems that there is a disagreement on the proper authorization scope,
> and that there are a few other documents that discuss this same idea that
> need to be taken into consideration:
>
> * OAuth Response Metadata
> https://tools.ietf.org/html/draft-sakimura-oauth-meta-08
> * Resource Indicators for OAuth 2.0
> https://tools.ietf.org/html/draft-campbell-oauth-resource-indicators-02
> * OAuth 2.0: Audience Information
> https://tools.ietf.org/html/draft-tschofenig-oauth-audience-00
>
>
> The decision is to continue the discussion on the mailing list, and take
> into consideration the UMA solution and the above drafts.
>
> We might schedule another interim meeting to continue that discussion to
> try to come to a decision on the way forward before London.
>
> Regards,
>  Rifaat
>
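As an added illustration of the four aspects Dick lists above (not code from the thread or from any of the cited drafts), here is a simplified end-to-end flow: the resource advertises its AS, the client names the resource in the token request with the `resource` parameter from the Resource Indicators draft, the AS binds the token to that resource in an `aud` claim, and a different resource rejects the token. The challenge field names, the key and the URIs are assumptions, and the token is an HMAC-signed stand-in for a JWT.

```python
import base64, hashlib, hmac, json, time

# Constructed demo key shared by the AS (signing) and the RS (verification).
AS_KEY = b"constructed-demo-key-not-for-real-use"
AS_URI = "https://as.example/token"          # constructed AS location
RS_A = "https://photos.example/api"          # constructed resource identities
RS_B = "https://calendar.example/api"

def resource_challenge(resource_id, as_uri=AS_URI):
    """Aspect 2: the resource tells the client which AS to use. The field
    names are an assumed illustrative shape, not any draft's wire format."""
    return {"status": 401, "WWW-Authenticate": "Bearer",
            "resource": resource_id, "as_uri": as_uri}

def client_token_request(challenge, scope):
    """Aspect 3: the client names the resource it wants in the token request
    via the 'resource' parameter from the Resource Indicators draft."""
    return {"grant_type": "client_credentials", "scope": scope,
            "resource": challenge["resource"]}

def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def as_issue_token(request, key=AS_KEY, now=None, ttl=300):
    """Aspect 4: the AS binds the token to the resource by setting 'aud' to
    the requested resource identifier (HMAC-signed stand-in for a JWT)."""
    now = int(time.time()) if now is None else now
    payload = {"aud": request["resource"], "scope": request["scope"], "exp": now + ttl}
    body = _b64(json.dumps(payload, sort_keys=True).encode())
    return body + "." + hmac.new(key, body.encode(), hashlib.sha256).hexdigest()

def rs_accepts(token, resource_id, key=AS_KEY, now=None):
    """The resource accepts a token only if the signature verifies, the token
    is unexpired, and 'aud' is exactly this resource's own identity."""
    now = int(time.time()) if now is None else now
    try:
        body, sig = token.split(".")
    except ValueError:
        return False
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return False
    claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    return claims.get("exp", 0) > now and claims.get("aud") == resource_id

if __name__ == "__main__":
    tok = as_issue_token(client_token_request(resource_challenge(RS_A), "read"))
    print(rs_accepts(tok, RS_A), rs_accepts(tok, RS_B))  # True False
```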