IETF Logo Mail Archive

Re: [OAUTH-WG] sites with wildcard

"Manger, James H" <James.H.Manger@team.telstra.com> Tue, 11 May 2010 00:31 UTC

Return-Path: <James.H.Manger@team.telstra.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id E20FE28C0F4 for <oauth@core3.amsl.com>; Mon, 10 May 2010 17:31:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.409
X-Spam-Level: *
X-Spam-Status: No, score=1.409 tagged_above=-999 required=5 tests=[AWL=-0.291, BAYES_50=0.001, HELO_EQ_AU=0.377, HOST_EQ_AU=0.327, HTML_MESSAGE=0.001, RELAY_IS_203=0.994]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9c2wFtWJr3W7 for <oauth@core3.amsl.com>; Mon, 10 May 2010 17:31:38 -0700 (PDT)
Received: from ipxavo.tcif.telstra.com.au (ipxavo.tcif.telstra.com.au [203.35.135.200]) by core3.amsl.com (Postfix) with ESMTP id 0395228C0F0 for <oauth@ietf.org>; Mon, 10 May 2010 17:31:37 -0700 (PDT)
X-IronPort-AV: E=Sophos;i="4.53,203,1272808800"; d="scan'208,217";a="2395954"
Received: from unknown (HELO ipcdvi.tcif.telstra.com.au) ([10.97.217.212]) by ipoavi.tcif.telstra.com.au with ESMTP; 11 May 2010 10:31:26 +1000
X-IronPort-AV: E=McAfee;i="5400,1158,5978"; a="1734443"
Received: from wsmsg3751.srv.dir.telstra.com ([172.49.40.172]) by ipcdvi.tcif.telstra.com.au with ESMTP; 11 May 2010 10:31:26 +1000
Received: from WSMSG3153V.srv.dir.telstra.com ([172.49.40.159]) by WSMSG3751.srv.dir.telstra.com ([172.49.40.172]) with mapi; Tue, 11 May 2010 10:31:23 +1000
From: "Manger, James H" <James.H.Manger@team.telstra.com>
To: Yaron Goland <yarong@microsoft.com>, "OAuth WG (oauth@ietf.org)" <oauth@ietf.org>
Date: Tue, 11 May 2010 10:31:22 +1000
Thread-Topic: sites with wildcard
Thread-Index: AcrwTaPsC4ggYQawSQ6EnsB9Iie0cQATPiVwAAA9JoA=
Message-ID: <255B9BB34FB7D647A506DC292726F6E112632852F1@WSMSG3153V.srv.dir.telstra.com>
References: <255B9BB34FB7D647A506DC292726F6E11263284E5B@WSMSG3153V.srv.dir.telstra.com> <7C01E631FF4B654FA1E783F1C0265F8C4A426BD7@TK5EX14MBXC117.redmond.corp.microsoft.com>
In-Reply-To: <7C01E631FF4B654FA1E783F1C0265F8C4A426BD7@TK5EX14MBXC117.redmond.corp.microsoft.com>
Accept-Language: en-US, en-AU
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US, en-AU
Content-Type: multipart/alternative; boundary="_000_255B9BB34FB7D647A506DC292726F6E112632852F1WSMSG3153Vsrv_"
MIME-Version: 1.0
Subject: Re: [OAUTH-WG] sites with wildcard
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 11 May 2010 00:31:40 -0000

Yaron,



> I don’t understand the scenario that requires this feature. When does someone ask for a token without knowing where it is going?



Example:

A client app gets a token to make an API call to a protected resource that returns an Atom feed.

The feed contains lots of entries, with links to photos, style sheets, and scripts.

The client app gets the photos.



Should it send the token when getting the photos?



On service A the Atom feed and the photos are all served from the same HTTPS host, with the same protection, so the token must be sent.



On service B the photos are hosted on a separate outsourced content distribution network. The photos are protected by using long unguessable URIs (the URIs are effectively “capabilities” to read the photos). The token does not need to be sent.



On service C the photos are any images from anywhere on the Internet that the user has chosen to link to. The Atom collection is protected, but not the photos. The token absolutely must not be sent when getting the photos.





A client app needs to know whether the service it is accessing is like A, B, or C. It needs to know for redirects, for links in HTTP headers, for links to images, for any other sort of link that is can derive from the response.



Some services might be completely walled gardens so the client can assume they are like A.

Some services might explicitly state in their documentation: which links and redirects are always guaranteed to be other API calls (send the token); which will always be to other security contexts (don’t send the token); and which might be either (don’t send the token, see if you get a 401/403, guess, send the token).



In general, the web is about following links. Clients need to know when following a link crosses a security boundary. Cookies provide this; Basic provides this; Digest provides this; OAuth needs this too.





--

James Manger

v2.23.0 | Report a Bug | By Email