Re: [OAUTH-WG] status of bearer token redelegation drafts

Bill Mills <wmills_92105@yahoo.com> Tue, 04 November 2014 00:07 UTC

Date: Tue, 04 Nov 2014 00:07:18 +0000
From: Bill Mills <wmills_92105@yahoo.com>
To: "Richer, Justin P." <jricher@mitre.org>, "oauth@ietf.org WG" <oauth@ietf.org>
Message-ID: <518329024.436807.1415059638902.JavaMail.yahoo@jws10645.mail.bf1.yahoo.com>
In-Reply-To: <0FBFB9F2-508B-495B-9075-E664351C8D96@mitre.org>
References: <0FBFB9F2-508B-495B-9075-E664351C8D96@mitre.org>
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/AVJmZrDxx8q6D2lMVHafXavxbNQ
Cc: Ajanta Adhikari <ajanta.adhikari@gmail.com>
Subject: Re: [OAUTH-WG] status of bearer token redelegation drafts

We need to think about this, and whatever we build in this space should work for POP tokens as well. I'd love to hear the concrete use cases and problems to be solved.

POP tokens (like OAuth 1.0a) are likely not to be proxyable, so the edge servers really should have a way to get a new credential for accessing other services on behalf of the user.

Another major consideration is that auth servers are frequently not scaled to handle the full edge transaction load; that's part of the point of issuing a longer-lived credential by a server that's already done all the expensive policy and DB checks.

I'm not a big fan of a token exchange through the auth server for that reason, as well as the added cost incurred for the network round trips that are being built in.

-bill
On Monday, November 3, 2014 2:00 PM, "Richer, Justin P." <jricher@mitre.org> wrote:

There's a new working group document where this component *could* be captured (and I would argue it should), and that's:
https://tools.ietf.org/wg/oauth/draft-ietf-oauth-token-exchange/
However, at the moment it's more concerned with the semantically-aware assertion swap instead of an opaque token swap. Personally, I think that the syntax should be general (like in my draft and in Phil's) to allow for any kind of input and output token, and if someone wants to standardize an assertion on top of that, they can. Hopefully we can get that clear in the WG as progress continues on this new document.
-- Justin


On Nov 3, 2014, at 2:54 PM, Ajanta Adhikari <ajanta.adhikari@gmail.com> wrote:

Not sure if I can reply to the mailing list yet so responding directly.
-----------------------------------------------------------------------------------------

Bas,
We (Akamai) came up with a similar design before I read the draft from Justin and Phil. I talked to Justin at IIW about our design choice and he seems to think it's in the right direction.
There is a reference to it from our OAUTH scope design session at IIW http://iiw.idcommons.net/OAuth_2_Scope_Design_Discuss_iom

I would be happy to share additional details if you are interested. We do not publish our implementation to the public.

Thanks,
Ajanta


On Mon, Nov 3, 2014 at 3:02 AM, Bas Zoetekouw <bas.zoetekouw@surfnet.nl> wrote:

Hi All,

For a client of ours, I am looking into OAuth token redelegation from
one RS to another.  I've found two drafts that more or less describe the
scenario they want to implement:
https://tools.ietf.org/html/draft-richer-oauth-chain-00 and
http://tools.ietf.org/html/draft-hunt-oauth-chain-01
Could anyone comment on the status of those?
In particular I'd be interested in hearing whether anyone is using
either of those specs in practice, and whether there is any progress on
the drafts.

Best regards,
Bas Zoetekouw.
SURFnet.

--
Bas Zoetekouw
SURFnet Advanced Services
Tel: +31 30 2305362   Fax:+31 30 2305329
SURFnet -  POBox 19035 -  NL-3501 DA Utrecht - The Netherlands

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
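The RS-to-RS redelegation this thread is about (Bas's question on the chain drafts, Justin's pointer to draft-ietf-oauth-token-exchange, and Bill's point that an edge server needs a new credential for the downstream service rather than forwarding the one it was given), as an added example that is not part of the original thread, of any of the drafts, or of Akamai's implementation: a minimal Python simulation of an authorization server, an edge resource server and a downstream resource server. The request parameters, the `act` claim and the `invalid_target` error follow RFC 8693, the form in which draft-ietf-oauth-token-exchange was eventually published, not the 2014 draft text. The opaque-token store with introspection, the `(holder, target)` delegation policy table, the audience names, the scopes and the `alice` subject are constructed assumptions for illustration, and the RS authenticating itself to the AS is abstracted into the `requester_aud` argument.

```python
import secrets
import time

GRANT_TOKEN_EXCHANGE = "urn:ietf:params:oauth:grant-type:token-exchange"
TOKEN_TYPE_ACCESS = "urn:ietf:params:oauth:token-type:access_token"


class ExchangeError(Exception):
    def __init__(self, code, description=""):
        super().__init__(f"{code}: {description}")
        self.code = code  # OAuth error code, e.g. invalid_target (RFC 8693 2.2.2)


class AuthorizationServer:
    def __init__(self, delegation_policy):
        # Assumed policy model (not from any draft): {(holder_audience,
        # target_audience): scopes the holder may obtain for the target}.
        self.policy = delegation_policy
        self.tokens = {}  # opaque token -> claims; introspection reads this

    def issue(self, sub, aud, scope, lifetime=300, act=None):
        token = secrets.token_urlsafe(32)
        claims = {"sub": sub, "aud": aud, "scope": set(scope.split()),
                  "exp": time.time() + lifetime}
        if act:
            claims["act"] = act  # who is acting on the subject's behalf
        self.tokens[token] = claims
        return token

    def introspect(self, token):
        claims = self.tokens.get(token)
        return claims if claims and claims["exp"] > time.time() else None

    def token_exchange(self, requester_aud, form):
        """RFC 8693-style exchange requested by the RS whose audience is requester_aud."""
        if form.get("grant_type") != GRANT_TOKEN_EXCHANGE:
            raise ExchangeError("unsupported_grant_type")
        if form.get("subject_token_type") != TOKEN_TYPE_ACCESS:
            raise ExchangeError("invalid_request", "unsupported subject_token_type")
        subject = self.introspect(form.get("subject_token", ""))
        if subject is None or subject["aud"] != requester_aud:
            # An RS may only redelegate tokens that were issued to it.
            raise ExchangeError("invalid_grant", "subject_token not valid for requester")
        target = form.get("audience")
        allowed = self.policy.get((requester_aud, target))
        if allowed is None:
            raise ExchangeError("invalid_target")
        requested = set(form.get("scope", " ".join(subject["scope"])).split())
        # Never widen: new scope <= subject token's scope and <= policy allowance.
        granted = requested & subject["scope"] & allowed
        if not granted:
            raise ExchangeError("invalid_scope")
        scope = " ".join(sorted(granted))
        token = self.issue(subject["sub"], target, scope, act={"sub": requester_aud})
        return {"access_token": token, "issued_token_type": TOKEN_TYPE_ACCESS,
                "token_type": "Bearer", "expires_in": 300, "scope": scope}


class ResourceServer:
    def __init__(self, audience, auth_server):
        self.audience = audience
        self.auth = auth_server

    def check(self, bearer, required_scope):
        """Claims if the token is live, addressed to this RS and carries the scope."""
        claims = self.auth.introspect(bearer)
        if claims is None or claims["aud"] != self.audience:
            return None  # a token addressed to another RS is not accepted here
        return claims if required_scope in claims["scope"] else None


def run_chain():
    """Client -> photos-api -> storage-api, with and without redelegation."""
    auth = AuthorizationServer({("photos-api", "storage-api"): {"storage.read"}})
    photos = ResourceServer("photos-api", auth)
    storage = ResourceServer("storage-api", auth)
    result = {}
    # 1. The client's token is addressed to the edge RS only.
    client_token = auth.issue("alice", "photos-api", "photos.read storage.read")
    result["edge_accepts_client_token"] = photos.check(client_token, "photos.read") is not None
    # 2. Forwarding that bearer token downstream fails on audience.
    result["downstream_rejects_forwarded"] = storage.check(client_token, "storage.read") is None
    # 3. The edge RS exchanges it for a token addressed to storage-api.
    request = {"grant_type": GRANT_TOKEN_EXCHANGE, "subject_token": client_token,
               "subject_token_type": TOKEN_TYPE_ACCESS, "audience": "storage-api",
               "scope": "storage.read photos.read"}  # photos.read is narrowed away
    resp = auth.token_exchange("photos-api", request)
    chained = storage.check(resp["access_token"], "storage.read")
    result["downstream_accepts_exchanged"] = chained is not None
    result["exchanged_scope"] = resp["scope"]
    result["subject"], result["actor"] = chained["sub"], chained["act"]["sub"]
    # 4. A target the policy does not list is refused with invalid_target.
    try:
        auth.token_exchange("photos-api", dict(request, audience="billing-api"))
        result["unlisted_target_error"] = None
    except ExchangeError as err:
        result["unlisted_target_error"] = err.code
    return result
```

Calling `run_chain()` walks the four outcomes: the edge RS accepts the client's token, the downstream RS rejects that same token on audience, the exchanged token (subject `alice`, actor `photos-api`, scope narrowed to `storage.read`) is accepted downstream, and an audience outside the policy table yields `invalid_target`. Every `token_exchange` and every `introspect` call here is a round trip to the authorization server, which is exactly the load and latency cost Bill raises above; issuing self-contained signed tokens would remove the introspection calls but not the exchange itself. Whatever the token format, the two checks worth keeping are that an RS may only exchange tokens addressed to it and that the exchanged token's scope never widens beyond the subject token's.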