Re: [OAUTH-WG] JWT binding for OAuth 2.0

John Bradley <ve7jtb@ve7jtb.com> Tue, 14 April 2015 21:41 UTC

From: John Bradley <ve7jtb@ve7jtb.com>
In-Reply-To: <CAJV9qO-PsiNOdfBAf9k0VJ7+eGkE_g_gbygdCbGMv2UT56Ld=g@mail.gmail.com>
Date: Tue, 14 Apr 2015 18:41:25 -0300
Message-Id: <A0FFB94C-1EDB-41B9-B1E2-6943B078145F@ve7jtb.com>
References: <CAJV9qO-PsiNOdfBAf9k0VJ7+eGkE_g_gbygdCbGMv2UT56Ld=g@mail.gmail.com>
To: Prabath Siriwardena <prabath@wso2.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/ARWP0cGIFXjvyF6HAvCqp_j_7I8>
Cc: "oauth@ietf.org WG" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] JWT binding for OAuth 2.0

There is an OAuth binding to SASL: https://tools.ietf.org/html/draft-ietf-kitten-sasl-oauth-19

Google supports it for IMAP/SMTP. I think the latest iOS and OSX mail client updates use it rather than passwords for Google.
I also noticed Outlook on Android using it.

The access token might be a signed or encrypted JWT itself.  I don’t know that wrapping it again necessarily helps.

Yes, we should have bindings to other non-HTTP protocols.

Is there something specific that you are looking for that is not covered by SASL?

John B.



> On Apr 14, 2015, at 6:21 PM, Prabath Siriwardena <prabath@wso2.com> wrote:
> 
> At the moment we only have an HTTP binding to transport the access token (please correct me if not).
> 
> This creates a dependency on the transport.
> 
> How about creating a JWT binding for OAuth 2.0? We can transport the access token as an encrypted JWT header parameter?
> 
> 
> Thanks & Regards,
> Prabath
> 
> Twitter : @prabath
> LinkedIn : http://www.linkedin.com/in/prabathsiriwardena
> 
> Mobile : +1 650 625 7950
> 
> http://blog.facilelogin.com
> http://blog.api-security.org
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
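The SASL binding John refers to (draft-ietf-kitten-sasl-oauth, published later in 2015 as RFC 7628) carries the bearer access token inside the SASL exchange, so the same token an HTTP client would put in an Authorization header rides over IMAP or SMTP instead. The following is an added example written for this page; it is not code from the draft, the IETF, or Google. It builds the OAUTHBEARER initial client response exactly as the draft's ABNF lays it out (gs2-header, then `key=value` pairs separated by the 0x01 `kvsep` byte, then a closing `kvsep`), wraps it in the IMAP `AUTHENTICATE` command with an initial response, and parses it on the server side with the checks a server should make before it even looks at the token. Google's pre-standard XOAUTH2 layout is included for comparison since Google's IMAP/SMTP endpoints accept both. The user, host and token strings, the `SAMPLE_FAILURE_B64` challenge, and all function names are constructed for illustration.

```python
"""
SASL OAUTHBEARER (draft-ietf-kitten-sasl-oauth, later RFC 7628) client
response, IMAP AUTHENTICATE framing, and Google's XOAUTH2 variant.

Added example for this thread; not code from the draft, the IETF, or
Google. User, host and token values are constructed sample data.
"""
import base64
import json

KVSEP = b"\x01"  # kvsep from the draft's ABNF: terminates every key=value pair


def build_oauthbearer(user: str, host: str, port: int, access_token: str) -> bytes:
    """Initial client response: gs2-header kvsep *(key "=" value kvsep) kvsep."""
    # The token is opaque to the client (it may itself be a JWT, as the thread
    # notes). Refuse the separator byte so a crafted token or username cannot
    # smuggle additional kvpairs into the response.
    if "\x01" in access_token or "\x01" in user:
        raise ValueError("kvsep byte not allowed in user or token")
    gs2_header = f"n,a={user},".encode("ascii")  # no channel binding; authzid = user
    pairs = [
        f"host={host}".encode("ascii"),
        f"port={port}".encode("ascii"),
        f"auth=Bearer {access_token}".encode("ascii"),
    ]
    return gs2_header + KVSEP + KVSEP.join(pairs) + KVSEP + KVSEP


def build_xoauth2(user: str, access_token: str) -> bytes:
    """Google's pre-standard XOAUTH2 layout: user=<u> ^A auth=Bearer <t> ^A ^A."""
    if "\x01" in access_token or "\x01" in user:
        raise ValueError("kvsep byte not allowed in user or token")
    return (f"user={user}".encode("ascii") + KVSEP
            + f"auth=Bearer {access_token}".encode("ascii") + KVSEP + KVSEP)


def imap_authenticate(tag: str, mechanism: str, initial_response: bytes) -> str:
    """IMAP AUTHENTICATE with an initial response (SASL-IR), base64 on the wire."""
    ir = base64.b64encode(initial_response).decode("ascii")
    return f"{tag} AUTHENTICATE {mechanism} {ir}\r\n"


def parse_oauthbearer(resp: bytes) -> dict:
    """Server-side parse of a client response; ValueError on anything malformed."""
    if not resp.endswith(KVSEP + KVSEP):
        raise ValueError("client response must end with kvsep kvsep")
    gs2_header, _, kv_block = resp[:-1].partition(KVSEP)
    fields = gs2_header.decode("ascii").split(",")
    cb_flag = fields[0]
    if len(fields) != 3 or not (cb_flag in ("n", "y") or cb_flag.startswith("p=")):
        raise ValueError("malformed gs2-header")
    authzid = fields[1][2:] if fields[1].startswith("a=") else ""
    pairs = {}
    for item in kv_block.split(KVSEP):
        if not item:
            continue  # empty tail after the last pair's own kvsep
        key, sep, value = item.partition(b"=")
        if not sep or not key.isalpha():
            raise ValueError("malformed kvpair")
        pairs[key.decode("ascii")] = value.decode("ascii")
    scheme, _, token = pairs.get("auth", "").partition(" ")
    if scheme.lower() != "bearer" or not token:
        raise ValueError("auth kvpair must carry a Bearer token")
    # The server now validates `token` (introspection, or signature and
    # audience checks if it is a JWT) for the host/port it was presented on.
    return {"authzid": authzid, "host": pairs.get("host"),
            "port": pairs.get("port"), "token": token}


def parse_server_failure(challenge_b64: str) -> dict:
    """Decode the base64 JSON challenge a server sends when it rejects the token."""
    info = json.loads(base64.b64decode(challenge_b64))
    if "status" not in info:
        raise ValueError("server failure challenge must carry a status")
    return info


# Constructed sample of a rejection challenge, for demonstration only.
SAMPLE_FAILURE_B64 = base64.b64encode(
    b'{"status":"invalid_token","scope":"example_scope"}').decode("ascii")


if __name__ == "__main__":
    resp = build_oauthbearer("user@example.com", "imap.gmail.com", 993, "ya29.constructed-token")
    print(imap_authenticate("A01", "OAUTHBEARER", resp), end="")
    print(parse_oauthbearer(resp))
    print(parse_server_failure(SAMPLE_FAILURE_B64))
```

The point the parser makes is the same one the thread raises about the token itself: the SASL layer only frames and transports the bearer token, so every guarantee still comes from TLS on the IMAP/SMTP connection plus the server's own validation of the token. Wrapping the token in a further JWT would not change which party has to do that validation.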