Re: [OAUTH-WG] Using Oauth2 token to SOAP web services

Grant Yang <guang.g.yang@oracle.com> Mon, 19 March 2012 04:15 UTC


Thank you very much Phil! 

 

The thing is, the OAuth spec just mentioned putting the Access Token into the HTTP header “Authorization”. I don’t think it applies to SOAP, as this header is not visible from the SOAP stack's perspective.

 

So, when we are talking about the SOAP header, are we talking about the header used by WS-Security? Could you please kindly provide me with one example of putting the Access Token into the SOAP header, and let me know which product is currently using this mechanism?

 

Thanks a lot,
Grant.

 

From: Phil Hunt 
Sent: Thursday, March 15, 2012 11:53 PM
To: Grant Yang
Subject: Re: [OAUTH-WG] Using Oauth2 token to SOAP web services

 

Grant,

 

You put it in the SOAP header, of course, in the same spot as any other credential.  :-)

 

Phil

 

@independentid

www.independentid.com

phil.hunt@oracle.com

On 2012-03-14, at 10:41 PM, Grant Yang wrote:





Hi all,

 

We were discussing the possibility of using OAuth2 tokens with SOAP in our product.

 

The preferred way mentioned in the RFC is of course to put it in the HTTP Authorization header, but in this case it will be beyond the scope of the SOAP stack and I am not sure it is the correct way to go. It is also recognized that some implementations (such as salesforce) are using a SOAP header (“sessionId”) to carry this token, but it looks like a private implementation and I did not find any specification supporting it.

 

Could any experts here say whether any organization or forum is working on using OAuth2 tokens for SOAP requests? As there are quite a few legacy SOAP-based web services, hopefully this is a question that makes sense for you as well.

 

Thoughts?

 

Grant Yang

Architect, SDP of ORACLE Communications

 

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
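
An added illustration of the approach discussed in this thread (not part of the original messages and not any product's actual format): the access token carried as a WS-Security BinarySecurityToken inside the SOAP header, with a receiver that accepts exactly one such token. The ValueType URI is a placeholder assumption, since the thread names no identifier for OAuth2 tokens; the function names are also hypothetical.

```python
import base64
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = ("http://docs.oasis-open.org/wss/2004/01/"
        "oasis-200401-wss-wssecurity-secext-1.0.xsd")
B64 = ("http://docs.oasis-open.org/wss/2004/01/"
       "oasis-200401-wss-soap-message-security-1.0#Base64Binary")
# Assumption: placeholder ValueType; the thread names no identifier for OAuth2 tokens.
OAUTH_VT = "urn:example:oauth2:access-token"


def build_envelope(access_token: str) -> bytes:
    """Client side: carry the token in a wsse:Security header block."""
    env = ET.Element(f"{{{SOAP}}}Envelope")
    header = ET.SubElement(env, f"{{{SOAP}}}Header")
    sec = ET.SubElement(header, f"{{{WSSE}}}Security",
                        {f"{{{SOAP}}}mustUnderstand": "1"})
    bst = ET.SubElement(sec, f"{{{WSSE}}}BinarySecurityToken",
                        {"ValueType": OAUTH_VT, "EncodingType": B64})
    bst.text = base64.b64encode(access_token.encode("utf-8")).decode("ascii")
    ET.SubElement(env, f"{{{SOAP}}}Body")
    return ET.tostring(env, encoding="utf-8")


def extract_token(envelope: bytes) -> str:
    """Server side: return the token or raise ValueError; never guess."""
    root = ET.fromstring(envelope)
    blocks = root.findall(f"{{{SOAP}}}Header/{{{WSSE}}}Security")
    if len(blocks) != 1:
        raise ValueError("expected exactly one wsse:Security header")
    tokens = [t for t in blocks[0].findall(f"{{{WSSE}}}BinarySecurityToken")
              if t.get("ValueType") == OAUTH_VT]
    # Reject ambiguity: with two tokens it is unclear which one was presented.
    if len(tokens) != 1 or tokens[0].get("EncodingType") != B64:
        raise ValueError("expected exactly one Base64 OAuth2 token")
    text = (tokens[0].text or "").strip()
    # Invalid Base64 or invalid UTF-8 both surface as ValueError subclasses.
    token = base64.b64decode(text, validate=True).decode("utf-8")
    if not token:
        raise ValueError("empty access token")
    return token


if __name__ == "__main__":
    wire = build_envelope("constructed-sample-token")  # constructed value
    print(wire.decode("utf-8"))
    print(extract_token(wire))
```

The extracted value still has to be validated as an OAuth2 access token (issuer, expiry, scope) before the SOAP operation is authorized, and the envelope needs transport protection such as TLS because the token is a bearer credential.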