Re: [OAUTH-WG] Adding a SAML 2 token type to the OAuth Token Exchange spec

Mike Jones <Michael.Jones@microsoft.com> Fri, 01 December 2017 00:05 UTC

Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9D96C12704B for <oauth@ietfa.amsl.com>; Thu, 30 Nov 2017 16:05:32 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.019
X-Spam-Level:
X-Spam-Status: No, score=-2.019 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=microsoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GyjDXY0-SSwP for <oauth@ietfa.amsl.com>; Thu, 30 Nov 2017 16:05:30 -0800 (PST)
Received: from NAM02-BL2-obe.outbound.protection.outlook.com (mail-bl2nam02on0111.outbound.protection.outlook.com [104.47.38.111]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id ED9BA124D68 for <oauth@ietf.org>; Thu, 30 Nov 2017 16:05:29 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=GwvR2lReq0pCV9zXa95BN8Uovan3q8uKTabMFrb1604=; b=ktitkHfCYWKVG7l4nZQYb0H7fbFdlQJwnfe2Mmkg0qgCOKu8/IDF7iks83Get0CQMlFem6KamgwmAMPgqZ09OiE0ua6pQ8a8RxAOm+5xVBL1Jp9xGTL2l1TbPumJCNaXhsb1eWF50MGe6AVuEf/tbeXVJ+QJM+jpZpe+k9m9S7U=
Received: from CY4PR21MB0504.namprd21.prod.outlook.com (10.172.122.14) by CY4PR21MB0693.namprd21.prod.outlook.com (10.175.121.147) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id 15.20.302.1; Fri, 1 Dec 2017 00:05:28 +0000
Received: from CY4PR21MB0504.namprd21.prod.outlook.com ([10.172.122.14]) by CY4PR21MB0504.namprd21.prod.outlook.com ([10.172.122.14]) with mapi id 15.20.0302.001; Fri, 1 Dec 2017 00:05:28 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: "oauth@ietf.org" <oauth@ietf.org>
Thread-Topic: Adding a SAML 2 token type to the OAuth Token Exchange spec
Thread-Index: AdM8TmiMyZFiaKDRSBqiPBGbOdL9Lwt6SkYQ
Date: Fri, 01 Dec 2017 00:05:28 +0000
Message-ID: <CY4PR21MB0504E84EF80D0F0209979970F5390@CY4PR21MB0504.namprd21.prod.outlook.com>
References: <CY4PR21MB05049AF48AB53010817C8521F5720@CY4PR21MB0504.namprd21.prod.outlook.com>
In-Reply-To: <CY4PR21MB05049AF48AB53010817C8521F5720@CY4PR21MB0504.namprd21.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
msip_labels: MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Enabled=True; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_SiteId=72f988bf-86f1-41af-91ab-2d7cd011db47; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Owner=mbj@microsoft.com; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_SetDate=2017-12-01T00:05:26.7988687Z; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Name=General; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Application=Microsoft Azure Information Protection; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Extended_MSFT_Method=Automatic; Sensitivity=General
x-originating-ip: [2001:4898:80e8:d::36]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; CY4PR21MB0693; 6:DuPclTe1fXkmSEGPnlnlQ6Njzdxjjl+Cf7sgcg00r2V/veuz4YvPCfJn4Am0MtbZYaP/ziZBNLdiYSLBNf+UUJv35NxHBCUhaJ7WH34PvJUyzqiqoq8SlvEJo8yAoAtuMxJKx3L99gzwfsy2il5TodruJRem5STD4KK68CoqVYapzu/qjQyMjimcPDp0BRTA1OGB4M7PIlgZ0XUU4tA0yygN91JX77aVAPg7YRLB9NKlpuwdSbDWCZzQn3zSamIwZmnOgDzOKgM9IRlIXIaUsfVR3m6pxn2h1cKDOb/WZNUWc61HXMl2O44Pq++COEnt0BNB8d7K4PobSv0c/vFdEK8mAIYw22Idk9/K3NCbqRg=; 5:Y/CTRXfuSqEx1OUtH8B24c+fjBV77wkvvjo1bqSzmAK4C+OM8AXBHyZwdaq7Py6+nqCTS3UkgeAVc/hoR5YwDXGCHCqr1S0lBNqzlsGixZLX2m7bXPEFovBLM5KdZ2WnGodkBXKeR05yPCXltTw8uTk5Tnttw8bL/bbcyIKLwjE=; 24:1W6qIrU1MvW7Jix0e65hkZe7rgz/iuir0z4WS7Mv0cWWyowcAvshrdPNm7ckcXhYT23RhElRBzl4M047kpAcjsQJTcBiJ6xkBZFL7iRekN0=; 7:9Rb2OQ5vHjwq3kW3hrA/CNWd0c3U5XI0G/wnavA+unYaM7xujv7w8wJLg+M68UXa7OOlNRIMUWrr/Wah1hNsAOIwKrssGh+UNiGEJYt37XDp6g7QkZt9l34f+VFH+VZb3nOTqTaigkGVD6vDzTyfhLU/7QBQFNKtpcjoTqC4A//pETID1xHYxZ+L5/psyIdLYueb0luHPuq+xRdmLVzW1MuFR6ZUEEax7TE6RaHT0CrJGfsOJesdftQH1BzspGf0
x-ms-exchange-antispam-srfa-diagnostics: SSOS;
x-ms-office365-filtering-ht: Tenant
x-ms-office365-filtering-correlation-id: cb9716e7-75ab-4692-1334-08d5384f3ac5
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(48565401081)(5600026)(4604075)(4534020)(4602075)(4627115)(201703031133081)(201702281549075)(2017052603286); SRVR:CY4PR21MB0693;
x-ms-traffictypediagnostic: CY4PR21MB0693:
x-microsoft-antispam-prvs: <CY4PR21MB0693BF35B14B4340337931D1F5390@CY4PR21MB0693.namprd21.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(227612066756510)(21748063052155);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(61425038)(6040450)(2401047)(5005006)(8121501046)(93006095)(93001095)(3002001)(10201501046)(3231022)(6055026)(61426038)(61427038)(6041248)(20161123562025)(201703131423075)(201702281528075)(201703061421075)(201703061406153)(20161123560025)(20161123555025)(20161123558100)(20161123564025)(6072148)(201708071742011); SRVR:CY4PR21MB0693; BCL:0; PCL:0; RULEID:(100000803101)(100110400095); SRVR:CY4PR21MB0693;
x-forefront-prvs: 05087F0C24
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(376002)(346002)(366004)(39860400002)(47760400005)(199003)(189002)(1730700003)(606006)(6116002)(189998001)(9686003)(54896002)(790700001)(102836003)(316002)(106356001)(105586002)(229853002)(53546010)(7736002)(68736007)(86362001)(77096006)(5640700003)(54356011)(76176011)(8676002)(86612001)(3660700001)(236005)(6506006)(81166006)(3280700002)(81156014)(5630700001)(6436002)(2906002)(5660300001)(7696005)(53936002)(33656002)(22452003)(6306002)(8990500004)(25786009)(6246003)(8936002)(72206003)(74316002)(99286004)(2351001)(478600001)(101416001)(2900100001)(10090500001)(2950100002)(97736004)(2501003)(10290500003)(55016002)(14454004)(6916009); DIR:OUT; SFP:1102; SCL:1; SRVR:CY4PR21MB0693; H:CY4PR21MB0504.namprd21.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords; A:1; MX:1; LANG:en;
received-spf: None (protection.outlook.com: microsoft.com does not designate permitted sender hosts)
authentication-results: spf=none (sender IP is ) smtp.mailfrom=Michael.Jones@microsoft.com;
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_CY4PR21MB0504E84EF80D0F0209979970F5390CY4PR21MB0504namp_"
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-Network-Message-Id: cb9716e7-75ab-4692-1334-08d5384f3ac5
X-MS-Exchange-CrossTenant-originalarrivaltime: 01 Dec 2017 00:05:28.1421 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CY4PR21MB0693
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/ASpG9AQT-J2oj3sFIA2pw3Y_ve0>
Subject: Re: [OAUTH-WG] Adding a SAML 2 token type to the OAuth Token Exchange spec
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 01 Dec 2017 00:05:33 -0000

Draft -10<https://tools.ietf.org/html/draft-ietf-oauth-token-exchange-10> added the token type URIs urn:ietf:params:oauth:token-type:saml1 and urn:ietf:params:oauth:token-type:saml2 in response to actual developer token exchange use cases that needed identifiers for both kinds of SAML tokens.

                                                                -- Mike

From: Mike Jones
Sent: Tuesday, October 3, 2017 6:51 AM
To: oauth@ietf.org
Subject: Adding a SAML 2 token type to the OAuth Token Exchange spec

A Microsoft use case has come up in which people would like to perform a token exchange for a SAML token. The spec already defines urn:ietf:params:oauth:token-type:jwt for requesting JWT tokens.  Would anybody object to us adding urn:ietf:params:oauth:token-type:saml2 to the next draft to also give us a standard way to ask for SAML 2.0 tokens?

It could always be done in its own spec, but adding it in Token Exchange seems more expedient.

                                                                     -- Mike