Re: [OAUTH-WG] Oauth Server to Server
Chuck Mortimore <cmortimore@salesforce.com> Tue, 24 September 2013 18:43 UTC
Return-Path: <cmortimore@salesforce.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1DDB621F9C4C for <oauth@ietfa.amsl.com>; Tue, 24 Sep 2013 11:43:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.832
X-Spam-Level:
X-Spam-Status: No, score=-0.832 tagged_above=-999 required=5 tests=[AWL=-0.311, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, FRT_ADOBE2=2.455, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BYWGPK6mVbpn for <oauth@ietfa.amsl.com>; Tue, 24 Sep 2013 11:43:51 -0700 (PDT)
Received: from mail-wi0-f172.google.com (mail-wi0-f172.google.com [209.85.212.172]) by ietfa.amsl.com (Postfix) with ESMTP id E979211E80E4 for <oauth@ietf.org>; Tue, 24 Sep 2013 11:43:48 -0700 (PDT)
Received: by mail-wi0-f172.google.com with SMTP id hn9so4288241wib.5 for <oauth@ietf.org>; Tue, 24 Sep 2013 11:43:47 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=/w0+k81ouE5n/+I0QLjSjDSdJMQizyYU+e3b6ACXbWU=; b=bzfLIWdntSVX6xgTgha5YoNA1+xtU51cXQsSjT26/GcQz2OJ47p7MLHmnJjcjt3isR l3bBgIWdzMcF87kuvS4txfQ9m2E2YEtDD9WV+D2U9ZKVZWgmpx/KtdB04CHoNXHD//vG 7nMt4WhKjaIDYl6VgmtxPAVT56s5W/KHYdnsxez3w9342K88YOqcYC9mRnK0TC48vVdY +JeIElYbuqxvQqAnPkBx1LjCEaTIJWX6D9Te0qCslVWHFNrAhAKdGRVN3k/U1tCLdL4v Axp4UHWPnQSgC/i3K9JWfNXsxALaOuBnPK70P2I0aF85XDd0pLcKBYivpwzgGWtF7qWp 4Mlg==
X-Gm-Message-State: ALoCoQnO8PpmB3J/5VJOuMnN2xlxxuni/fxnnjBAYQeWtH01y3P8JAf981TYdijEQ74hHxwFcGgD
MIME-Version: 1.0
X-Received: by 10.180.187.236 with SMTP id fv12mr10982984wic.20.1380048227814; Tue, 24 Sep 2013 11:43:47 -0700 (PDT)
Received: by 10.217.85.200 with HTTP; Tue, 24 Sep 2013 11:43:47 -0700 (PDT)
In-Reply-To: <EDA1F2F2-875B-4A6C-9330-383F903C4471@adobe.com>
References: <832FA2A6-D0DD-45D0-9107-7EE02B6793B7@adobe.com> <CA+k3eCSVwT15wBwuCZNy1EuiVOSwVg+TThVvWnbwZ1wHVvfA-A@mail.gmail.com> <7558541E-3517-4F71-A049-6143D4247738@adobe.com> <1510634430014420341@unknownmsgid> <4AEF7FF7-06A2-4A2E-92D4-B18DDBC07B21@adobe.com> <CA+wnMn8gV-eZtQNvQ4-EPXS8-M2Jn1mpkLgUJ4NHB4BHYEyLZw@mail.gmail.com> <EDA1F2F2-875B-4A6C-9330-383F903C4471@adobe.com>
Date: Tue, 24 Sep 2013 11:43:47 -0700
Message-ID: <CA+wnMn-pbCFoaXqdhE2oJY3Db14ViroN7_axmnsR+D7_yYqEkQ@mail.gmail.com>
From: Chuck Mortimore <cmortimore@salesforce.com>
To: Antonio Sanso <asanso@adobe.com>
Content-Type: multipart/alternative; boundary="001a11c25cec64612804e7258411"
Cc: "oauth@ietf.org WG" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Oauth Server to Server
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 24 Sep 2013 18:43:55 -0000
Open to how it can be improved. What information do you think would be helpful? ( we may be too close to the situation to know what's missing ) On Tue, Sep 24, 2013 at 11:38 AM, Antonio Sanso <asanso@adobe.com> wrote: > Hi Chuck, > > On Sep 24, 2013, at 6:56 PM, Chuck Mortimore <cmortimore@salesforce.com> > wrote: > > What you're describing is exactly what the JWT bearer flow specs out > > http://tools.ietf.org/html/draft-ietf-oauth-jwt-bearer > > We've got the exact same flow, and there are other implementations out > there. > http://login.salesforce.com/help/doc/en/remoteaccess_oauth_jwt_flow.htm > > > > thanks this is indeed the same :) What it looks to me though is that the > information contained in the second link you shared ( > http://login.salesforce.com/help/doc/en/remoteaccess_oauth_jwt_flow.htm) > are complementary to the jet bearer spec draft. > > People that will only read that spec would need to figure out all on their > own . Is there any chance the oauth bearer draft will cover the actual use > case as well or it would be too much ? > > Regards > > Antonio > > > > On Tue, Sep 24, 2013 at 8:17 AM, Antonio Sanso <asanso@adobe.com> wrote: > >> Hi chuck, >> >> >> On Sep 24, 2013, at 4:57 PM, Chuck Mortimore <cmortimore@salesforce.com> >> wrote: >> >> I'm not sure I understand your point here. I don't believe there is >> anything custom or special about the google implementation here vs JWT. >> It looks identical to our implementation. >> >> Can you elaborate? >> >> >> sure. >> >> What is novel IMHO in the Google approach is not the bearer format , that >> is still JWT (or JWS in this case) but the overall scenario. >> >> As I see OAuth 2 is really good to cover use cases where there is human >> interaction (so an user namely the resource owner can provider username and >> password to the AS but not to the client and get back the Bearer Token). >> This is obviously covered from [2] and [3] namely Authorization Code >> Grant and Implicit grant flow. >> >> When there is not human interaction involved what RFC6749 offers is the >> already cited Resource Owner Password Credentials Grant that IMHO is a no >> go since it required the resource owner to share his password with the >> client. >> >> The way as Google offers to solve the same situation (namely obtain , or >> create in this case, a bearer token without having the resource owner >> password) is using asymmetric cryptography. What is happening is that >> quoting >> >> "During the creation of a Service Account, you will be prompted to >> download a private key. Be sure to save this private key in a secure >> location. After the Service Account has been created, you will also have >> access to the client_id associated with the private key." >> >> An alternative mentioned from John Bradley previously is that clients can >> securely generate key pairs but in terms of security would be identical. >> >> I hope is a bit clearer now :) >> >> regards >> >> antonio >> >> >> [2] http://tools.ietf.org/html/rfc6749#section-4.1 >> [3] http://tools.ietf.org/html/rfc6749#section-4.2 >> >> >> - cmort >> >> On Sep 24, 2013, at 5:57 AM, Antonio Sanso <asanso@adobe.com> wrote: >> >> Hi Brian, >> >> thanks a lot for your pointer. >> >> What the custom Google flow provides more than the oauth jwt bearer draft >> is IMHO an explicit way to build JWT without any 'human interaction' so a >> server can handle the construction of an expired JWT bearer token on his >> own. >> >> This can of course be figured out by any implementer (as the Google folks >> obviously did) but it would be nice to provide this black on white on a >> spec IMHO >> >> regards >> >> Antonio >> >> >> On Sep 24, 2013, at 2:35 PM, Brian Campbell <bcampbell@pingidentity.com> >> wrote: >> >> Might this http://tools.ietf.org/html/draft-ietf-oauth-jwt-bearer be >> what you're looking for? >> >> >> On Tue, Sep 24, 2013 at 6:08 AM, Antonio Sanso <asanso@adobe.com> wrote: >> >>> Hi *, >>> >>> apologis to be back to this argument :). >>> >>> Let me try to better explain one use case that IMHO would be really good >>> to have in the OAuth specification family :) >>> >>> At the moment the only "OAuth standard" way I know to do OAuth server to >>> server is to use [0] namely Resource Owner Password Credentials Grant. >>> >>> Let me tell I am not a big fun of this particular flow :) (but this is >>> another story). >>> >>> An arguable better way to solve this scenario is to user (and why not to >>> standardise :S?) the method used by Google (or a variant of it) see [1]. >>> >>> Couple of more things: >>> >>> - I do not know if Google would be interested to put some effort to >>> standardise it (is anybody from Google lurking :) e.g.Tim Bray :D ) >>> - I am not too familiar with IETF process. Would the OAuth WG take in >>> consideration such proposal draft?? >>> >>> Thanks and regards >>> >>> Antonio >>> >>> [0] http://tools.ietf.org/html/rfc6749#section-4.3 >>> [1] https://developers.google.com/accounts/docs/OAuth2ServiceAccount >>> _______________________________________________ >>> OAuth mailing list >>> OAuth@ietf.org >>> https://www.ietf.org/mailman/listinfo/oauth >>> >> >> >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org >> https://www.ietf.org/mailman/listinfo/oauth >> >> >> > >
- [OAUTH-WG] Oauth Server to Server Antonio Sanso
- Re: [OAUTH-WG] Oauth Server to Server Brian Campbell
- Re: [OAUTH-WG] Oauth Server to Server Antonio Sanso
- Re: [OAUTH-WG] Oauth Server to Server Chuck Mortimore
- Re: [OAUTH-WG] Oauth Server to Server Antonio Sanso
- Re: [OAUTH-WG] Oauth Server to Server Bill Mills
- Re: [OAUTH-WG] Oauth Server to Server Antonio Sanso
- Re: [OAUTH-WG] Oauth Server to Server Phil Hunt
- Re: [OAUTH-WG] Oauth Server to Server Chuck Mortimore
- Re: [OAUTH-WG] Oauth Server to Server Antonio Sanso
- Re: [OAUTH-WG] Oauth Server to Server Chuck Mortimore
- Re: [OAUTH-WG] Oauth Server to Server Sergey Beryozkin
- Re: [OAUTH-WG] Oauth Server to Server Justin Richer
- Re: [OAUTH-WG] Oauth Server to Server Todd W Lainhart
- Re: [OAUTH-WG] Oauth Server to Server Antonio Sanso
- Re: [OAUTH-WG] Oauth Server to Server Antonio Sanso
- Re: [OAUTH-WG] Oauth Server to Server Sergey Beryozkin
- Re: [OAUTH-WG] Oauth Server to Server Antonio Sanso
- Re: [OAUTH-WG] Oauth Server to Server Antonio Sanso