[OAUTH-WG] Tenancy in OAuth

Jaap Francke <Jaap.Francke@mendix.com> Tue, 12 January 2021 16:20 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/9A72T7__PhpcVkHqDrcWkRUJSvI>

Hi,

I’m looking into the topic of tenancy. A multi-tenant service can be considered as an OAuth Resource Server managing resources of different tenants.
An AS makes authorization decisions and communicates these using scopes, so one way would be to ‘encode’ the tenant into the scope values.
Another line of thought is to somehow bind/restrict an access token to a certain tenant, leaving the set of scopes being used more static.

My question is whether this has been a topic that has been addressed in the OAuth working group? Any common practice or draft?
Thanks in advance for your replies.

Kind regards,

Jaap Francke
Product Manager Identity
+31(0)641495324
mendix.com
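The two options raised in the message, tenant encoded in scope values versus a token bound to one tenant by a claim, come down to the same check at the resource server: the tenant that owns the requested resource must be derived from the token, never taken from the request alone. The following is an added example (not code from the original message, from Mendix, or from any OAuth specification) of that check. The scope convention `tenant:<tenant-id>:<permission>` and the claim name `tenant` are assumptions made for the example; the OAuth working group has not standardized either. The sample claim sets are constructed inline, and the code assumes the token's signature, issuer, audience and expiry have already been verified.

```python
"""Tenant-aware authorization at a multi-tenant OAuth resource server (added example).

Two ways the AS can convey tenancy:
  1. Tenant encoded into scope values, e.g. "tenant:acme:orders.read".
  2. Whole token bound to one tenant via a claim (assumed name: "tenant"),
     with tenant-agnostic scopes such as "orders.read".
Both the scope format and the claim name are assumptions for this example.
The functions operate on a claims dict whose signature, issuer, audience and
expiry have ALREADY been validated; that step is deliberately out of scope.
"""
from __future__ import annotations

from dataclasses import dataclass

SCOPE_PREFIX = "tenant:"   # assumed convention: tenant:<tenant-id>:<permission>
TENANT_CLAIM = "tenant"    # assumed claim name for a tenant-bound token
# Tenant ids are assumed not to contain ':' so the scope form is unambiguous.


class Forbidden(Exception):
    """The token does not authorize the requested tenant/permission pair."""


@dataclass(frozen=True)
class Request:
    tenant: str       # tenant owning the resource, e.g. taken from the URL path
    permission: str   # permission the endpoint requires, e.g. "orders.read"


def permissions_for_tenant(claims: dict, tenant: str) -> frozenset[str]:
    """Return the permissions the token grants for exactly one tenant.

    Tenant-bound token: every scope applies, but only to the bound tenant;
    for any other tenant the token grants nothing.
    Tenant-encoded scopes: only scopes qualified with this tenant's id count.
    Scopes for other tenants are ignored rather than rejected, since one token
    may legitimately cover several tenants.
    A token with neither a tenant claim nor tenant-qualified scopes grants
    nothing: an unbound token must never be treated as valid for all tenants.
    """
    scopes = claims.get("scope", "").split()
    bound = claims.get(TENANT_CLAIM)
    if bound is not None:
        return frozenset(scopes) if bound == tenant else frozenset()
    granted: set[str] = set()
    for s in scopes:
        if not s.startswith(SCOPE_PREFIX):
            continue                         # unqualified scope: no tenant, no grant
        scope_tenant, sep, perm = s[len(SCOPE_PREFIX):].partition(":")
        if sep and perm and scope_tenant == tenant:
            granted.add(perm)
    return frozenset(granted)


def authorize(claims: dict, req: Request) -> str:
    """Enforce that the token grants req.permission for req.tenant.

    Returns the authorized tenant id so the caller scopes its data query by a
    value that was checked against the token, not by the raw request value.
    """
    if req.permission not in permissions_for_tenant(claims, req.tenant):
        raise Forbidden(f"token grants no {req.permission!r} for tenant {req.tenant!r}")
    return req.tenant


# Constructed sample claim sets (not real tokens): already-verified payloads.
SAMPLE_BOUND = {"sub": "user-1", TENANT_CLAIM: "acme",
                "scope": "orders.read orders.write"}
SAMPLE_ENCODED = {"sub": "user-2",
                  "scope": "tenant:acme:orders.read tenant:globex:orders.write orders.read"}
SAMPLE_UNBOUND = {"sub": "user-3", "scope": "orders.read"}


def demo() -> list[str]:
    """Run the check over the samples; returns one line per decision."""
    out = []
    for name, claims in (("bound", SAMPLE_BOUND), ("encoded", SAMPLE_ENCODED),
                         ("unbound", SAMPLE_UNBOUND)):
        for tenant in ("acme", "globex"):
            try:
                authorize(claims, Request(tenant, "orders.read"))
                out.append(f"{name}/{tenant}: allow")
            except Forbidden:
                out.append(f"{name}/{tenant}: deny")
    return out


if __name__ == "__main__":
    print("\n".join(demo()))
```

The design point the example makes is that, whichever encoding the AS uses, the resource server computes the permission set per tenant and denies by default; the "unbound" token carrying a plain `orders.read` scope is rejected for every tenant rather than being accepted as a wildcard.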