Re: [OAUTH-WG] Report an authentication issue
Lewis Adam-CAL022 <Adam.Lewis@motorolasolutions.com> Thu, 28 June 2012 20:13 UTC
Return-Path: <Adam.Lewis@motorolasolutions.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 031DB11E8098 for <oauth@ietfa.amsl.com>; Thu, 28 Jun 2012 13:13:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.466
X-Spam-Level:
X-Spam-Status: No, score=-0.466 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1, UNRESOLVED_TEMPLATE=3.132]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qzI++Gm9hq-O for <oauth@ietfa.amsl.com>; Thu, 28 Jun 2012 13:13:31 -0700 (PDT)
Received: from va3outboundpool.messaging.microsoft.com (va3ehsobe001.messaging.microsoft.com [216.32.180.11]) by ietfa.amsl.com (Postfix) with ESMTP id 5B8AD11E80B3 for <oauth@ietf.org>; Thu, 28 Jun 2012 13:13:29 -0700 (PDT)
Received: from mail139-va3-R.bigfish.com (10.7.14.250) by VA3EHSOBE007.bigfish.com (10.7.40.11) with Microsoft SMTP Server id 14.1.225.23; Thu, 28 Jun 2012 20:11:42 +0000
Received: from mail139-va3 (localhost [127.0.0.1]) by mail139-va3-R.bigfish.com (Postfix) with ESMTP id 55F47E0807 for <oauth@ietf.org>; Thu, 28 Jun 2012 20:11:42 +0000 (UTC)
X-Forefront-Antispam-Report: CIP:129.188.136.16; KIP:(null); UIP:(null); IPV:NLI; H:il06gsg01.am.mot-solutions.com; RD:none; EFVD:NLI
X-SpamScore: 0
X-BigFish: VPS0(zzc85fhzz1202hzz8275bh8275dhz2fh2a8h683h839hd25hf0ah)
Received-SPF: pass (mail139-va3: domain of motorolasolutions.com designates 129.188.136.16 as permitted sender) client-ip=129.188.136.16; envelope-from=Adam.Lewis@motorolasolutions.com; helo=il06gsg01.am.mot-solutions.com ; olutions.com ;
X-Forefront-Antispam-Report-Untrusted: CIP:157.56.244.181; KIP:(null); UIP:(null); (null); H:CH1PRD0410HT003.namprd04.prod.outlook.com; R:internal; EFV:INT
Received: from mail139-va3 (localhost.localdomain [127.0.0.1]) by mail139-va3 (MessageSwitch) id 1340914300104858_27080; Thu, 28 Jun 2012 20:11:40 +0000 (UTC)
Received: from VA3EHSMHS019.bigfish.com (unknown [10.7.14.235]) by mail139-va3.bigfish.com (Postfix) with ESMTP id 0C36D3C0127 for <oauth@ietf.org>; Thu, 28 Jun 2012 20:11:40 +0000 (UTC)
Received: from il06gsg01.am.mot-solutions.com (129.188.136.16) by VA3EHSMHS019.bigfish.com (10.7.99.29) with Microsoft SMTP Server (TLS) id 14.1.225.23; Thu, 28 Jun 2012 20:11:39 +0000
Received: from il06gsg01.am.mot-solutions.com (il06vts01.mot.com [129.188.137.141]) by il06gsg01.am.mot-solutions.com (8.14.3/8.14.3) with ESMTP id q5SK5TpZ009182 for <oauth@ietf.org>; Thu, 28 Jun 2012 16:05:30 -0400 (EDT)
Received: from db3outboundpool.messaging.microsoft.com (db3ehsobe004.messaging.microsoft.com [213.199.154.142]) by il06gsg01.am.mot-solutions.com (8.14.3/8.14.3) with ESMTP id q5SK5Rjo009179 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL) for <oauth@ietf.org>; Thu, 28 Jun 2012 16:05:28 -0400 (EDT)
Received: from mail32-db3-R.bigfish.com (10.3.81.251) by DB3EHSOBE001.bigfish.com (10.3.84.21) with Microsoft SMTP Server id 14.1.225.23; Thu, 28 Jun 2012 20:11:35 +0000
Received: from mail32-db3 (localhost [127.0.0.1]) by mail32-db3-R.bigfish.com (Postfix) with ESMTP id 60EA0160B7C for <oauth@ietf.org.FOPE.CONNECTOR.OVERRIDE>; Thu, 28 Jun 2012 20:11:35 +0000 (UTC)
Received: from mail32-db3 (localhost.localdomain [127.0.0.1]) by mail32-db3 (MessageSwitch) id 13409142946403_25780; Thu, 28 Jun 2012 20:11:34 +0000 (UTC)
Received: from DB3EHSMHS002.bigfish.com (unknown [10.3.81.233]) by mail32-db3.bigfish.com (Postfix) with ESMTP id F3B314600BF; Thu, 28 Jun 2012 20:11:33 +0000 (UTC)
Received: from CH1PRD0410HT003.namprd04.prod.outlook.com (157.56.244.181) by DB3EHSMHS002.bigfish.com (10.3.87.102) with Microsoft SMTP Server (TLS) id 14.1.225.23; Thu, 28 Jun 2012 20:11:33 +0000
Received: from CH1PRD0410MB369.namprd04.prod.outlook.com ([169.254.12.121]) by CH1PRD0410HT003.namprd04.prod.outlook.com ([10.255.147.38]) with mapi id 14.16.0164.004; Thu, 28 Jun 2012 20:13:16 +0000
From: Lewis Adam-CAL022 <Adam.Lewis@motorolasolutions.com>
To: Nat Sakimura <sakimura@gmail.com>
Thread-Topic: [OAUTH-WG] Report an authentication issue
Thread-Index: AQHNVN7pP3aOaLD8E0OCNoiB4+A1+JcQJVig
Date: Thu, 28 Jun 2012 20:13:12 +0000
Message-ID: <59E470B10C4630419ED717AC79FCF9A91A2D1309@CH1PRD0410MB369.namprd04.prod.outlook.com>
References: <CAEEmcpEcNqNHwfVozD-NtfkruiB-v0MTszwNL4cob2rL=QQTSA@mail.gmail.com> <CABzCy2BZLff7EZoWaU+vmCWCgXUSSxn3x-evm-FwzKdnx7QeMA@mail.gmail.com> <1339792496.52712.YahooMailNeo@web125501.mail.ne1.yahoo.com> <CABzCy2APCsGU9N00K4XYoa4Scxno51b_E=8MKD9MzZk6zxtc1Q@mail.gmail.com> <BDF3CDE9-B411-4366-9C5F-C3EA17938C21@matake.jp> <C05B5190-B0B7-42AD-A6DB-FABF190D2674@gmail.com> <59E470B10C4630419ED717AC79FCF9A9108898EE@BL2PRD0410MB363.namprd04.prod.outlook.com> <4FE223E4.6060307@mitre.org> <4FE226BC.6010403@alcatel-lucent.com> <59E470B10C4630419ED717AC79FCF9A910889AB5@BL2PRD0410MB363.namprd04.prod.outlook.com> <CABzCy2CLe_DVcxiD1EasuhtG1_6+6tCtV5TckZ80fvqyjan_bA@mail.gmail.com> <59E470B10C4630419ED717AC79FCF9A917052BC8@SN2PRD0410MB370.namprd04.prod.outlook.com> <4FE37D38.1030407@gmail.com> <CABzCy2A_zJ3vaauoo6VwsmLWsTesdTujuQ4dHdVpc5Nh==iEFg@mail.gmail.com> <59E470B10C4630419ED717AC79FCF9A91A2C8949@CH1PRD0410MB369.namprd04.prod.outlook.com> <CABzCy2DzmNgmMALNfc1qp95fwD2WULb-49DkyLiZnjXngAmaPg@mail.gmail.com>
In-Reply-To: <CABzCy2DzmNgmMALNfc1qp95fwD2WULb-49DkyLiZnjXngAmaPg@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [184.78.105.93]
Content-Type: multipart/alternative; boundary="_000_59E470B10C4630419ED717AC79FCF9A91A2D1309CH1PRD0410MB369_"
MIME-Version: 1.0
X-FOPE-CONNECTOR: Id%0$Dn%*$RO%0$TLS%0$FQDN%$TlsDn%
X-FOPE-CONNECTOR: Id%1294$Dn%GMAIL.COM$RO%2$TLS%3$FQDN%msgate.mot-solutions.com$TlsDn%
X-FOPE-CONNECTOR: Id%1294$Dn%IETF.ORG$RO%2$TLS%3$FQDN%msgate.mot-solutions.com$TlsDn%
X-CFilter-Loop: Reflected
X-OriginatorOrg: motorolasolutions.com
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Report an authentication issue
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 Jun 2012 20:13:33 -0000
Hi Nat, Starting from a standalone use case would be good. My impression (I may be wrong) is that your requirement is to be able to (1) Log the user identifier of the person who is accessing the resource at the resource server for the audit etc. purposes. <acl> yes ... that *and* to authenticate the user in the first place. So again, my access_token will actually look like the Connect id_token. I would even prefer to use the id_token, except that it violate the spirit of Connect to pass the id_token to the RS (e.g. it was only meant for consumption by the client). My problem space can be distilled to something very simple. - We come from a SOAP API world where we use WS-Trust to secure the SOAP API calls. WS-Trust makes it very simple for a WS-* client to collect the user's primary credentials, exchange it for a (SAML) bearer token via the STS, and embed that bearer token in SOAP-based API calls to the WS-* server. This is most definitely *authentication* - We are moving to a RESTful API world. I just want to be able to do the same thing as above. How do I enable my REST-based client to collect the user's password, exchange it for a (JWT) bearer token via the STS, and embed that bearer token in RESTful API calls to the REST-based server, such that the REST-based server can *authenticate* the client? (2) Do the holder of the key so that the RS is sure that the person accessing with the access token is really the person. <acl> that would be nice, but most of my users will be using passwords in the beginning, so this is not an option. I'm using the literal definition of bearer token here, taken straight out of the OAuth bearer token spec, e.g. "Any party in possession of a bearer token (a "bearer") can use it to get access to the associated resources (without demonstrating possession of a cryptographic key)." (3) In addition, the RS may not be able to talk to AS directly. [Well, this is one of my use case anyways.] <acl> Right ... this is why I am now looking at structured JWTs. (4) In some cases, the client may not be able to communicate with AS directly at the time of RS access. [ditto] <acl> Right again, we have disaster scenarios to think about where the AS might not be reachable. but this is a use case for next steps. Trying to walk before we fly here :-)
- [OAUTH-WG] Report an authentication issue rui wang
- Re: [OAUTH-WG] Report an authentication issue Nat Sakimura
- Re: [OAUTH-WG] Report an authentication issue Francisco Corella
- Re: [OAUTH-WG] Report an authentication issue rui wang
- Re: [OAUTH-WG] Report an authentication issue Phil Hunt
- Re: [OAUTH-WG] Report an authentication issue Phil Hunt
- Re: [OAUTH-WG] Report an authentication issue Nat Sakimura
- Re: [OAUTH-WG] Report an authentication issue Francisco Corella
- Re: [OAUTH-WG] Report an authentication issue Nat Sakimura
- Re: [OAUTH-WG] Report an authentication issue Phil Hunt
- Re: [OAUTH-WG] Report an authentication issue Nat Sakimura
- Re: [OAUTH-WG] Report an authentication issue nov matake
- Re: [OAUTH-WG] Report an authentication issue Kristofor Selden
- Re: [OAUTH-WG] Report an authentication issue Lewis Adam-CAL022
- Re: [OAUTH-WG] Report an authentication issue Igor Faynberg
- Re: [OAUTH-WG] Report an authentication issue Justin Richer
- Re: [OAUTH-WG] Report an authentication issue Justin Richer
- Re: [OAUTH-WG] Report an authentication issue Igor Faynberg
- Re: [OAUTH-WG] Report an authentication issue Justin Richer
- Re: [OAUTH-WG] Report an authentication issue Lewis Adam-CAL022
- Re: [OAUTH-WG] Report an authentication issue Igor Faynberg
- Re: [OAUTH-WG] Report an authentication issue Nat Sakimura
- Re: [OAUTH-WG] Report an authentication issue Lewis Adam-CAL022
- Re: [OAUTH-WG] Report an authentication issue Igor Faynberg
- Re: [OAUTH-WG] Report an authentication issue Phil Hunt
- Re: [OAUTH-WG] Report an authentication issue Nat Sakimura
- Re: [OAUTH-WG] Report an authentication issue Lewis Adam-CAL022
- Re: [OAUTH-WG] Report an authentication issue Paul Madsen
- Re: [OAUTH-WG] Report an authentication issue Hannes Tschofenig
- Re: [OAUTH-WG] Report an authentication issue Chuck Mortimore
- Re: [OAUTH-WG] Report an authentication issue prateek mishra
- Re: [OAUTH-WG] Report an authentication issue Torsten Lodderstedt
- Re: [OAUTH-WG] Report an authentication issue Nat Sakimura
- Re: [OAUTH-WG] Report an authentication issue Lewis Adam-CAL022
- Re: [OAUTH-WG] Report an authentication issue Lewis Adam-CAL022
- Re: [OAUTH-WG] Report an authentication issue Igor Faynberg
- Re: [OAUTH-WG] Report an authentication issue Torsten Lodderstedt
- Re: [OAUTH-WG] Report an authentication issue Nat Sakimura
- Re: [OAUTH-WG] Report an authentication issue Lewis Adam-CAL022
- Re: [OAUTH-WG] Report an authentication issue John Bradley
- Re: [OAUTH-WG] Report an authentication issue Lewis Adam-CAL022
- Re: [OAUTH-WG] Report an authentication issue John Bradley
- Re: [OAUTH-WG] Report an authentication issue Antonio Sanso
- Re: [OAUTH-WG] Report an authentication issue Justin Richer
- Re: [OAUTH-WG] Report an authentication issue John Bradley
- Re: [OAUTH-WG] Report an authentication issue Dick Hardt
- Re: [OAUTH-WG] Report an authentication issue Mike Jones
- Re: [OAUTH-WG] Report an authentication issue Phil Hunt
- Re: [OAUTH-WG] Report an authentication issue John Bradley
- Re: [OAUTH-WG] Report an authentication issue John Bradley
- Re: [OAUTH-WG] Report an authentication issue Phil Hunt
- Re: [OAUTH-WG] Report an authentication issue John Bradley
- Re: [OAUTH-WG] Report an authentication issue Phil Hunt
- Re: [OAUTH-WG] Report an authentication issue Dick Hardt
- Re: [OAUTH-WG] Report an authentication issue John Bradley
- Re: [OAUTH-WG] Report an authentication issue Phil Hunt
- Re: [OAUTH-WG] Report an authentication issue John Bradley
- Re: [OAUTH-WG] Report an authentication issue Phil Hunt
- Re: [OAUTH-WG] Report an authentication issue John Bradley
- Re: [OAUTH-WG] Report an authentication issue Phil Hunt
- Re: [OAUTH-WG] Report an authentication issue John Bradley
- Re: [OAUTH-WG] Report an authentication issue Antonio Sanso
- [OAUTH-WG] Inadvertent cross-authentication throu… Phil Hunt
- Re: [OAUTH-WG] Report an authentication issue John Bradley
- Re: [OAUTH-WG] Report an authentication issue Phil Hunt
- Re: [OAUTH-WG] Report an authentication issue John Bradley