Re: [OAUTH-WG] Assertion flow and token bootstrapping
Eran Hammer-Lahav <eran@hueniverse.com> Tue, 15 June 2010 06:56 UTC
From: Eran Hammer-Lahav <eran@hueniverse.com>
To: Lisa Dusseault <lisa.dusseault@gmail.com>, oauth <oauth@ietf.org>
Date: Mon, 14 Jun 2010 23:56:58 -0700
As long as:

- You can provide a URI identifier for the assertion format you are going to use, and
- The authorization server can do something useful with the assertion provided and decide if it should grant an access token

Then sure, you can use the assertion flow for utilizing any other trust framework for obtaining an access token.

EHL

From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of Lisa Dusseault
Sent: Wednesday, June 02, 2010 10:33 AM
To: oauth
Subject: [OAUTH-WG] Assertion flow and token bootstrapping

I've been trying to understand the use case for the assertion flow (http://tools.ietf.org/html/draft-ietf-oauth-v2-05#section-3.10). Conversely, I have a use case for bootstrapping, and I'm trying to understand if the assertion flow is the right flow for that use case.

The bootstrapping use case I have in mind is to allow a client to interact with a related set of services by bootstrapping from client secret to an access token, and then from that access token to other access tokens. For example, in a "login" interaction the client would get a generic access token. Later, to use various services -- access to personal data, access to friends' data, attempts to do uploads -- the client would ask the security token server for access to new resources by URI, and if access was granted, receive new access tokens which could be used on those services. The client secret is not reused very often, and policy is centralized.

This seems similar to other use cases being discussed and so it's possible my main point of confusion is trying to tie this to the assertion flow instead of something else. The assertion flow has the right number of parties involved, and it could certainly be hacked/extended to do bootstrapping: instead of the client secret, the general session access token could be used, and the "assertion" field can contain anything including the URI of the service that the client now wants.

However, I wondered if something less generic could make this more interoperable. Any thoughts?

Thanks,
Lisa
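Added example (not code from this thread or from the draft) modelling Lisa's bootstrapping use case as one assertion_type of the section 3.10 flow, along the lines of Eran's two conditions: the generic login token is the assertion, the wanted service URI is the scope, and the server dispatches on the assertion_type URI. The token store, policy table, URIs and error strings are constructed assumptions; the form parameter names follow draft -05.

```python
import secrets
import time
from urllib.parse import parse_qs, urlencode

# Constructed server-side state; none of these values come from the draft.
TOKENS = {}                                   # access token -> {"sub", "scope", "exp"}
SESSION_TYPE = "urn:example:assertion:session-token"   # hypothetical assertion_type URI
# Hypothetical policy: resources a subject may bootstrap into from a session token.
POLICY = {"alice": {"https://api.example/personal", "https://api.example/friends"}}

def issue_token(sub, scope, ttl=3600):
    """Mint an opaque bearer token bound to one subject and one scope."""
    tok = secrets.token_urlsafe(24)
    TOKENS[tok] = {"sub": sub, "scope": scope, "exp": time.time() + ttl}
    return tok

def verify_session_token(assertion, wanted_scope):
    """Verifier for the session-token assertion type: the assertion is the generic
    token from the login step. Only a live session token may bootstrap, and only
    into resources the policy allows; returns the subject or None."""
    rec = TOKENS.get(assertion)
    if rec is None or rec["exp"] < time.time() or rec["scope"] != "session":
        return None
    return rec["sub"] if wanted_scope in POLICY.get(rec["sub"], ()) else None

# assertion_type URI -> verifier; one entry per trust framework the server accepts.
VERIFIERS = {SESSION_TYPE: verify_session_token}

def build_request(assertion_type, assertion, scope):
    """Client side: the form body for the assertion flow (parameter names per
    section 3.10 of draft -05; client credentials omitted for brevity)."""
    return urlencode({"type": "assertion", "assertion_type": assertion_type,
                      "assertion": assertion, "scope": scope})

def token_endpoint(body):
    """Server side: dispatch on assertion_type, then issue a token scoped to the
    requested resource URI. Error strings are illustrative, not the draft's."""
    form = {k: v[0] for k, v in parse_qs(body).items()}
    if form.get("type") != "assertion" or "scope" not in form:
        return {"error": "invalid_request"}
    verifier = VERIFIERS.get(form.get("assertion_type", ""))
    if verifier is None:
        return {"error": "unsupported_assertion_type"}
    sub = verifier(form.get("assertion", ""), form["scope"])
    if sub is None:
        return {"error": "invalid_assertion"}
    # Bootstrapped tokens are narrower and shorter-lived than the session token.
    return {"access_token": issue_token(sub, form["scope"], ttl=600),
            "scope": form["scope"]}
```

A scoped token minted here cannot itself be presented as a session-token assertion, so a leaked service token does not re-open the bootstrapping step.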