Re: [OAUTH-WG] JWT binding for OAuth 2.0
Prabath Siriwardena <prabath@wso2.com> Tue, 14 April 2015 22:02 UTC
Return-Path: <prabath@wso2.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6502B1A86E0 for <oauth@ietfa.amsl.com>; Tue, 14 Apr 2015 15:02:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.368
X-Spam-Level:
X-Spam-Status: No, score=-1.368 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, SPF_PASS=-0.001, T_FILL_THIS_FORM_SHORT=0.01] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QqWGVJcc2S17 for <oauth@ietfa.amsl.com>; Tue, 14 Apr 2015 15:02:53 -0700 (PDT)
Received: from mail-vn0-x22d.google.com (mail-vn0-x22d.google.com [IPv6:2607:f8b0:400c:c0f::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7D3361A7D85 for <oauth@ietf.org>; Tue, 14 Apr 2015 15:02:53 -0700 (PDT)
Received: by vnbf62 with SMTP id f62so8793883vnb.13 for <oauth@ietf.org>; Tue, 14 Apr 2015 15:02:52 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=wso2.com; s=google; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=n98mAK/0LAlu6pOqhLX4BcH+zqgTtXFKBzDb6LuALEk=; b=Pth82yE+Ly//nML9L3MpSe5swdFoBEirdx+V6lvfJ5NZ29DZqtgl3ZZoTQDGi4NRYC XMm5es1NPd8FvzauDM2oSjg6x2QKzc9fKthIkUZ9ScKlL+iIH7LY4sgS7JUMdC1jP702 SxfU91NjEcdjFBC54PNeOEWLGpIsDGnkZerrU=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=n98mAK/0LAlu6pOqhLX4BcH+zqgTtXFKBzDb6LuALEk=; b=DewoTQCdgJez6+RdPxAggLKWv4aypLIHsA+/dB634+gsCO3JVHYvhd0S+nxYYr3BI2 zsJkE+JRBwbZRi7JM2GoY4AjM0W5j0IMDN1KuSTPuQXdU/AxB8Y4n6N1NkPHD94TxPU/ 1KBJyMWSzP1ENzGqyDRIxll33jR4xav974fX7G83vGXA7ev9juM/BRemzEyOuARy98Cv 8OB3sIMhSMfLG4hxqsvyrOQlzH5nLMeWnzL8CjcS1TzdwKSn+KwdFW2ujP3KVPX2rxjN WcBkArLB7InV82poOxDbkINNmoaiPijliwf6AK6E5PRyP1kn3E40JaGaoOYC7/H5JklD 5Cag==
X-Gm-Message-State: ALoCoQn5GYtF/00tA0PdAJVQMN1zyCnloPEgXxkEwCljS0ndEgM+iW1LyodMRUc3eJwbjvH+W518
MIME-Version: 1.0
X-Received: by 10.60.15.133 with SMTP id x5mr17987820oec.80.1429048972714; Tue, 14 Apr 2015 15:02:52 -0700 (PDT)
Received: by 10.202.72.198 with HTTP; Tue, 14 Apr 2015 15:02:52 -0700 (PDT)
In-Reply-To: <422C5670-7D2D-4E1C-9E06-74CCB9054260@ve7jtb.com>
References: <CAJV9qO-PsiNOdfBAf9k0VJ7+eGkE_g_gbygdCbGMv2UT56Ld=g@mail.gmail.com> <A0FFB94C-1EDB-41B9-B1E2-6943B078145F@ve7jtb.com> <CAJV9qO8KJk07Hs7X0tE2UKxeQNA3XaQO2uOF5xfVz0eDd8RgrA@mail.gmail.com> <422C5670-7D2D-4E1C-9E06-74CCB9054260@ve7jtb.com>
Date: Tue, 14 Apr 2015 15:02:52 -0700
Message-ID: <CAJV9qO-u8dRB9Rs5Le2GyiVa+eS7U_3_mAAn=5qZz7HQLL=qdw@mail.gmail.com>
From: Prabath Siriwardena <prabath@wso2.com>
To: John Bradley <ve7jtb@ve7jtb.com>
Content-Type: multipart/alternative; boundary="089e014945c062be9d0513b664ac"
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/8WQTT1B0iLLXPkLiDFnr-VK3NXg>
Cc: "oauth@ietf.org WG" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] JWT binding for OAuth 2.0
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 14 Apr 2015 22:02:55 -0000
It can be a JSON payload over JMS or even MQTT.. I have seen some effort to create an MQTT binding for OAuth 2.0 - but then again for each transport we need to have a binding.. But - creating a message level binding would be much better IMHO.. Thanks & regards, -Prabath On Tue, Apr 14, 2015 at 2:55 PM, John Bradley <ve7jtb@ve7jtb.com> wrote: > Most of the pub sub things I have seen use HTTP transport. Do you have a > pointer to the protocol? > > On Apr 14, 2015, at 6:48 PM, Prabath Siriwardena <prabath@wso2.com> wrote: > > Thanks John for the pointer - will have look.. > > I am looking this for a pub/sub scenario.. Having JWT binding would > benefit that.. > > Also - why I want access token to be inside a JWT is - when we send a JSON > payload in this case, we already have the JWT envelope and the access token > needs to be carried inside.. > > Thanks & regards, > -Prabath > > > > > > On Tue, Apr 14, 2015 at 2:41 PM, John Bradley <ve7jtb@ve7jtb.com> wrote: > >> There is a OAuth binding to SASL >> https://tools.ietf.org/html/draft-ietf-kitten-sasl-oauth-19 >> >> Google supports it for IMAP/SMTP, I think the latest iOS and OSX mail >> client updates use it rather than passwords for Google. >> I also noticed Outlook on Android using it. >> >> The access token might be a signed or encrypted JWT itself. I don’t know >> that wrapping it again necessarily helps. >> >> Yes we should have bindings to other non http protocols. >> >> Is there something specific that you are looking for that is not covered >> by SASL? >> >> John B. >> >> >> >> On Apr 14, 2015, at 6:21 PM, Prabath Siriwardena <prabath@wso2.com> >> wrote: >> >> At the moment we only HTTP binding to transport the access token (please >> correct me if not).. >> >> This creates a dependency on the transport. >> >> How about creating a JWT binding for OAuth 2.0..? We can transport the >> access token as an encrypted JWT header parameter..? >> >> >> Thanks & Regards, >> Prabath >> >> Twitter : @prabath >> LinkedIn : http://www.linkedin.com/in/prabathsiriwardena >> >> Mobile : +1 650 625 7950 >> >> http://blog.facilelogin.com >> http://blog.api-security.org >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org >> https://www.ietf.org/mailman/listinfo/oauth >> >> >> > > > -- > Thanks & Regards, > Prabath > > Twitter : @prabath > LinkedIn : http://www.linkedin.com/in/prabathsiriwardena > > Mobile : +1 650 625 7950 > > http://blog.facilelogin.com > http://blog.api-security.org > > > -- Thanks & Regards, Prabath Twitter : @prabath LinkedIn : http://www.linkedin.com/in/prabathsiriwardena Mobile : +1 650 625 7950 http://blog.facilelogin.com http://blog.api-security.org
- [OAUTH-WG] JWT binding for OAuth 2.0 Prabath Siriwardena
- Re: [OAUTH-WG] JWT binding for OAuth 2.0 John Bradley
- Re: [OAUTH-WG] JWT binding for OAuth 2.0 Prabath Siriwardena
- Re: [OAUTH-WG] JWT binding for OAuth 2.0 John Bradley
- Re: [OAUTH-WG] JWT binding for OAuth 2.0 Prabath Siriwardena
- Re: [OAUTH-WG] JWT binding for OAuth 2.0 Bill Mills
- Re: [OAUTH-WG] JWT binding for OAuth 2.0 Phil Hunt
- Re: [OAUTH-WG] JWT binding for OAuth 2.0 Hannes Tschofenig
- Re: [OAUTH-WG] JWT binding for OAuth 2.0 Prabath Siriwardena
- Re: [OAUTH-WG] JWT binding for OAuth 2.0 Hannes Tschofenig
- Re: [OAUTH-WG] JWT binding for OAuth 2.0 Prabath Siriwardena