IETF Logo Mail Archive

Re: [OAUTH-WG] Autonomous clients and resource owners (editorial)

"Foiles, Doug" <Doug_Foiles@intuit.com> Sun, 09 May 2010 20:07 UTC

Return-Path: <Doug_Foiles@intuit.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 7CFAF3A684C for <oauth@core3.amsl.com>; Sun, 9 May 2010 13:07:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.73
X-Spam-Level:
X-Spam-Status: No, score=-3.73 tagged_above=-999 required=5 tests=[AWL=0.269, BAYES_50=0.001, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vqubkq0fxcxN for <oauth@core3.amsl.com>; Sun, 9 May 2010 13:07:37 -0700 (PDT)
Received: from mail2.intuit.com (mail2.intuit.com [12.149.175.12]) by core3.amsl.com (Postfix) with ESMTP id 0758F3A67EF for <oauth@ietf.org>; Sun, 9 May 2010 13:07:36 -0700 (PDT)
DomainKey-Signature: s=default; d=intuit.com; c=nofws; q=dns; h=X-SBRS:X-IronPort-AV:Received:Received:X-MimeOLE: Content-class:MIME-Version:Content-Type: Content-Transfer-Encoding:Subject:Date:Message-ID: In-Reply-To:X-MS-Has-Attach:X-MS-TNEF-Correlator: Thread-Topic:Thread-Index:References:From:To:Return-Path: X-OriginalArrivalTime; b=dHtZBUS4osTxQYOJmBuGcVBYBJX0qCKrOgZENvArubgz8Tca2nbQpJXo xXP8ukY1TRs7AEpUsZW505/mdChWZiHdxxvLaeB1Hl+LlC9c/Gn/dhuu/ OriQxs7IGB584JX;
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=intuit.com; i=Doug_Foiles@intuit.com; q=dns/txt; s=default; t=1273435646; x=1304971646; h=mime-version:content-transfer-encoding:subject:date: message-id:in-reply-to:references:from:to; z=MIME-Version:=201.0|Content-Transfer-Encoding:=20quoted- printable|Subject:=20RE:=20[OAUTH-WG]=20Autonomous=20clie nts=20and=20resource=20owners=20(editorial)|Date:=20Sun, =209=20May=202010=2013:07:23=20-0700|Message-ID:=20<BE42D BBC1969B541915E30C5517382D90484D100@SDGEXEVS07.corp.intui t.net>|In-Reply-To:=20<90C41DD21FB7C64BB94121FBBC2E72343B 3AB46E0C@P3PW5EX1MB01.EX1.SECURESERVER.NET>|References: =20<5DEB74B3E9FA574EAA911DB8167C559E04425EBE@SDGEXEVS12.c orp.intuit.net><C7FCD375.4675%cmortimore@salesforce.com> =20<BE42DBBC1969B541915E30C5517382D9047A164D@SDGEXEVS07.c orp.intuit.net>=20<90C41DD21FB7C64BB94121FBBC2E72343B3AB4 6E0C@P3PW5EX1MB01.EX1.SECURESERVER.NET>|From:=20"Foiles, =20Doug"=20<Doug_Foiles@intuit.com>|To:=20"Eran=20Hammer- Lahav"=20<eran@hueniverse.com>,=0D=0A=09"OAuth=20WG"=20<o auth@ietf.org>; bh=KRG8qI1TE7LOgHXRtmco3Ru8rervLp7qKQ8mejkbfHg=; b=o3vUWDFbcu9M5HlhOWTLrPZuIXBq0MudlDWkEww88jq2G0+RQf94sJ7e M57jUDJcT59ghzj/9URkFhtKbykNpKIqMtDPtqHOo42ORku6gzOBWIpul dVWcZ3c9F3YCzkQ;
X-SBRS: None
X-IronPort-AV: E=Sophos;i="4.52,357,1270450800"; d="scan'208";a="183664987"
Received: from relay-ex.sd.intuit.com (HELO SDGEXBH03.corp.intuit.net) ([172.17.135.77]) by mail2.sdg.ie.intuit.com with ESMTP; 09 May 2010 13:07:25 -0700
Received: from SDGEXEVS07.corp.intuit.net ([172.17.135.1]) by SDGEXBH03.corp.intuit.net with Microsoft SMTPSVC(6.0.3790.3959); Sun, 9 May 2010 13:07:25 -0700
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Date: Sun, 09 May 2010 13:07:23 -0700
Message-ID: <BE42DBBC1969B541915E30C5517382D90484D100@SDGEXEVS07.corp.intuit.net>
In-Reply-To: <90C41DD21FB7C64BB94121FBBC2E72343B3AB46E0C@P3PW5EX1MB01.EX1.SECURESERVER.NET>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: [OAUTH-WG] Autonomous clients and resource owners (editorial)
Thread-Index: AcrmIscm/BOC6W7iSh+JMT0dgGCAkgAALcx1AAY05pAAC/rNUADksrvwAWctR9AABTLR8A==
References: <5DEB74B3E9FA574EAA911DB8167C559E04425EBE@SDGEXEVS12.corp.intuit.net><C7FCD375.4675%cmortimore@salesforce.com> <BE42DBBC1969B541915E30C5517382D9047A164D@SDGEXEVS07.corp.intuit.net> <90C41DD21FB7C64BB94121FBBC2E72343B3AB46E0C@P3PW5EX1MB01.EX1.SECURESERVER.NET>
From: "Foiles, Doug" <Doug_Foiles@intuit.com>
To: Eran Hammer-Lahav <eran@hueniverse.com>, OAuth WG <oauth@ietf.org>
X-OriginalArrivalTime: 09 May 2010 20:07:25.0033 (UTC) FILETIME=[3DE8C590:01CAEFB3]
Subject: Re: [OAUTH-WG] Autonomous clients and resource owners (editorial)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 09 May 2010 20:07:38 -0000

Thanks for addressing my questions Eran.

For the Assertion Flow I would assume the lifetime of the authorization grant would be the same with or without the refresh token support.  It doesn't seem to me like the overall lifetime of the authorization grant would change based upon the use of the refresh token.

However I certainly do see that the usefulness of the refresh token is very questionable based upon wanting the authorization grant lifetimes to be short for the Assertion Flow.  And providing the refresh token for this flow almost leads the resource provider in granting longer than recommended authorization grant lifetimes ... which ultimately should be avoided.  Is this the point?

Thanks.

Doug    

-----Original Message-----
From: Eran Hammer-Lahav [mailto:eran@hueniverse.com] 
Sent: Sunday, May 09, 2010 10:26 AM
To: Foiles, Doug; OAuth WG
Subject: RE: [OAUTH-WG] Autonomous clients and resource owners (editorial)



> -----Original Message-----
> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf
> Of Foiles, Doug
> Sent: Sunday, May 02, 2010 8:41 AM
> To: OAuth WG
> Subject: Re: [OAUTH-WG] Autonomous clients and resource owners
> (editorial)
> 
> I wanted to poke on the idea of not allowing Refresh Tokens for the
> assertion flow.

How not leaving this up to the server to decide a bad thing? Clearly not all assertions will map directly to the OAuth token and expiration, so the token is already a different trust relationship. The current draft has a SHOULD NOT for refresh token.

> And I am wondering if the assertion flow where the client is acting on behalf
> of a user is on the list of things to be added???

This is a problem with the autonomous grouping, not the flow.

> And I still don't see the corresponding flow in OAuth 2.0 for an OAuth 1.0 - 2
> Legged use case where clients are acting on behalf of a resource owner that
> is not themselves.  Will there be a flow to support this???  I can actually see
> how another type of "end user credentials flow" would work where the
> credential is something different than the username and password.

No. The 1.0 2-legged use-case was really an abuse of the OAuth signature method to make signed requests using a username and password (client credentials) instead of using Basic auth. In OAuth 2.0, you have to go through an additional step: the client first uses its client credentials to get a token (over HTTPS) and it uses that token to make requests (signed or not).

EHL

v2.23.0 | Report a Bug | By Email