Re: [OAUTH-WG] Autonomous clients and resource owners (editorial)

"Foiles, Doug" <Doug_Foiles@intuit.com> Sun, 25 April 2010 17:43 UTC

From: "Foiles, Doug" <Doug_Foiles@intuit.com>
To: Eve Maler <eve@xmlgrrl.com>, OAuth WG <oauth@ietf.org>
Date: Sun, 25 Apr 2010 10:34:45 -0700
Subject: Re: [OAUTH-WG] Autonomous clients and resource owners (editorial)
Message-ID: <BE42DBBC1969B541915E30C5517382D9046EB117@SDGEXEVS07.corp.intuit.net>
In-Reply-To: <B30B40FB-BD4B-433C-B6E5-7061EE5469CA@xmlgrrl.com>
References: <r2pc8689b661004190833tf46085bayb92b840acf080bb4@mail.gmail.com> <C7F1C6AC.327EE%eran@hueniverse.com> <u2jc8689b661004191006hc3c7fb3eid09feafd57d2fd8a@mail.gmail.com> <90C41DD21FB7C64BB94121FBBC2E723438E5C7F163@P3PW5EX1MB01.EX1.SECURESERVER.NET> <o2wc8689b661004191716o69966d5di900c07737d3be568@mail.gmail.com> <90C41DD21FB7C64BB94121FBBC2E723438E5C7F45A@P3PW5EX1MB01.EX1.SECURESERVER.NET> <z2xc334d54e1004200936s57f06dedt8e0e46df3480f8d4@mail.gmail.com> <90C41DD21FB7C64BB94121FBBC2E723438E5C7F533@P3PW5EX1MB01.EX1.SECURESERVER.NET> <4BCDF86C.9080003@lodderstedt.net> <90C41DD21FB7C64BB94121FBBC2E723438E5C7F5D9@P3PW5EX1MB01.EX1.SECURESERVER.NET> <4BCF6E8F.6080802@lodderstedt.net> <9454D8CD-0BF4-44CA-A46A-12F244E72B22@xmlgrrl.com> <B30B40FB-BD4B-433C-B6E5-7061EE5469CA@xmlgrrl.com>
List-Id: OAUTH WG <oauth.ietf.org>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>

I have a bit of confusion on the Autonomous Client Flows … and specifically related to Eve’s comment below that suggests to me that the autonomous client is NOT ALWAYS the resource owner.

Can the Autonomous Client Flows support clients that ARE NOT the actual resource owner?  For example, for an Assertion Flow where the Subject of the SAML assertion is a user identity (and the resource owner) and not that of the client.

Is the intent of the Client Credentials Flow to support something like Google’s “OAuth for Google Apps domains” 2-Legged OAuth use case?  http://code.google.com/apis/accounts/docs/OAuth.html

If the Autonomous Client Flows support clients that can act on behalf of a resource owner that is not themselves … it then seems the resource owner must provide some level of consent outside the OAuth-specific flow.

Thanks.

Doug


From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of Eve Maler
Sent: Friday, April 23, 2010 7:21 AM
To: OAuth WG
Subject: [OAUTH-WG] Autonomous clients and resource owners (editorial)

Regarding the second comment I made below: I realized last night that Sections 3.7.1 and 3.7.2 get this more correct, by saying that an autonomous client represents a "separate resource owner". So Section 2.2 definitely needs a slight change, from:

"...and autonomous flows where the client is acting for itself (the client is also the resource owner)."

to something like:

"...and autonomous flows where the client is acting on behalf of a different resource owner."

Thanks,

            Eve


On 21 Apr 2010, at 4:43 PM, Eve Maler wrote:

Tacking this response to the end of the thread for lack of a better place to do it: The name "username" seems not quite apt in the case of an autonomous client that isn't representing an end-user. Would "identifier" be better? (Actually, it sort of reminds me of SAML's "SessionIndex"...) Or would the parameter be reserved for user-delegation flows?

Speaking of autonomous clients, Section 2.2 -- among possibly other places -- states that an autonomous client is also the resource owner, but that's not always the case, is it? The client might be seeking access on behalf of itself. (FWIW, I made roughly this same comment on David's first draft on March 21, and he agreed with my suggested fix at the time.)

            Eve

Eve Maler

eve@xmlgrrl.com

http://www.xmlgrrl.com/blog
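The two autonomous grants Doug asks about, as an added example that is not code from the OAUTH-WG draft or from anyone on this thread: a toy token endpoint that treats client_credentials as the client acting for itself (client == resource owner) and a SAML bearer assertion as the client acting for the assertion's Subject, and refuses the latter unless a consent record established outside the OAuth exchange exists for that (client, resource owner) pair. Parameter names are those the later RFC 6749 and RFC 7522 settled on, not the 2010 draft's. The client registrations, consent table, scopes, the endpoint URL and the minimal unsigned assertion are all constructed, and signature verification of the assertion is omitted.

```python
"""Toy OAuth 2.0 token endpoint contrasting the two autonomous grants by who
the resource owner is.  Added example for this thread, not code from the
OAUTH-WG draft or any list participant.  Parameter names follow the final
RFC 6749 (client_credentials) and RFC 7522 (SAML 2.0 bearer assertion), not
the 2010 draft; clients, consents, scopes and the assertion are constructed."""
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode
from xml.sax.saxutils import escape

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SAML2_BEARER = "urn:ietf:params:oauth:grant-type:saml2-bearer"
TOKEN_ENDPOINT = "https://as.example.com/token"        # hypothetical AS

# Hypothetical registrations: client_id -> (secret, scopes the client may
# obtain when acting for itself, i.e. when the client IS the resource owner).
CLIENTS = {"payroll-batch": ("s3cr3t", {"payroll.export"}),
           "calendar-sync": ("0th3r", set())}

# Hypothetical consent captured OUTSIDE any OAuth flow (admin policy, signed
# agreement, earlier UI step): (client_id, resource_owner) -> scopes.  This is
# the out-of-band consent Doug's last question points at.
CONSENT = {("calendar-sync", "alice@example.com"): {"calendar.read"}}


def make_assertion(subject, audience=TOKEN_ENDPOINT,
                   not_on_or_after="2099-01-01T00:00:00+00:00"):
    """Constructed, unsigned SAML 2.0 assertion whose Subject is a user."""
    return ('<saml:Assertion xmlns:saml="%s" Version="2.0">'
            '<saml:Issuer>https://idp.example.com</saml:Issuer>'
            '<saml:Subject><saml:NameID>%s</saml:NameID></saml:Subject>'
            '<saml:Conditions NotOnOrAfter="%s"><saml:AudienceRestriction>'
            '<saml:Audience>%s</saml:Audience></saml:AudienceRestriction>'
            '</saml:Conditions></saml:Assertion>'
            % (SAML_NS["saml"], escape(subject), escape(not_on_or_after),
               escape(audience)))


def token_request(grant_type, **params):
    """Form-encoded token request body; None-valued parameters are dropped."""
    body = {"grant_type": grant_type}
    body.update({k: v for k, v in params.items() if v is not None})
    return urlencode(body)


def _subject_from_assertion(xml_text, now):
    """Return the asserted Subject after checking expiry and audience.  The
    toy skips XML-DSig; a real AS must verify the issuer's signature first."""
    root = ET.fromstring(xml_text)
    cond = root.find("saml:Conditions", SAML_NS)
    if cond is None or not cond.get("NotOnOrAfter"):
        raise ValueError("assertion lacks Conditions/NotOnOrAfter")
    expiry = datetime.fromisoformat(cond.get("NotOnOrAfter"))
    if expiry.tzinfo is None:
        raise ValueError("NotOnOrAfter must carry a timezone")
    if now >= expiry:
        raise ValueError("assertion expired")
    if TOKEN_ENDPOINT not in [a.text for a in cond.findall(".//saml:Audience", SAML_NS)]:
        raise ValueError("assertion not addressed to this token endpoint")
    name_id = root.find("saml:Subject/saml:NameID", SAML_NS)
    if name_id is None or not name_id.text:
        raise ValueError("assertion has no Subject/NameID")
    return name_id.text


def token_endpoint(client_id, client_secret, body, now=None):
    """Handle one token request; returns a dict shaped like the JSON reply."""
    now = now or datetime.now(timezone.utc)
    registration = CLIENTS.get(client_id)
    if registration is None or registration[0] != client_secret:
        return {"error": "invalid_client"}
    parsed = parse_qs(body)
    if any(len(v) != 1 for v in parsed.values()):     # RFC 6749: no repeats
        return {"error": "invalid_request"}
    form = {k: v[0] for k, v in parsed.items()}
    grant = form.get("grant_type")
    if grant == "client_credentials":
        owner = client_id                               # client == resource owner
    elif grant == SAML2_BEARER:
        try:
            owner = _subject_from_assertion(form.get("assertion", ""), now)
        except (ValueError, ET.ParseError) as exc:
            return {"error": "invalid_grant", "error_description": str(exc)}
    else:
        return {"error": "unsupported_grant_type"}
    if owner == client_id:
        allowed = registration[1]
    else:                                               # acting for someone else
        allowed = CONSENT.get((client_id, owner))
        if allowed is None:
            return {"error": "invalid_grant", "error_description":
                    "no out-of-band consent for %s to act for %s" % (client_id, owner)}
    requested = set(form.get("scope", "").split()) or set(allowed)
    if not requested or not requested <= allowed:
        return {"error": "invalid_scope"}
    return {"access_token": secrets.token_urlsafe(24), "token_type": "bearer",
            "resource_owner": owner, "scope": " ".join(sorted(requested))}
```

The CONSENT lookup is the piece the protocol itself never carries: when the assertion's Subject is not the client, nothing in the token request proves the user agreed, so the authorization server has to hold that agreement already, exactly as Doug suggests. Whether that record comes from a domain administrator (the 2-legged Google Apps case) or from the user is a deployment decision, not something the flow can express.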