IETF Logo Mail Archive

Re: [OAUTH-WG] Using Referred Token Binding ID for Token Binding of Access Tokens

Mike Jones <Michael.Jones@microsoft.com> Sun, 13 November 2016 06:43 UTC

Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 60A031295BE for <oauth@ietfa.amsl.com>; Sat, 12 Nov 2016 22:43:10 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.992
X-Spam-Level:
X-Spam-Status: No, score=-1.992 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=microsoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qDqRhb5AXdiT for <oauth@ietfa.amsl.com>; Sat, 12 Nov 2016 22:43:08 -0800 (PST)
Received: from NAM03-BY2-obe.outbound.protection.outlook.com (mail-by2nam03on0113.outbound.protection.outlook.com [104.47.42.113]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5587A129611 for <oauth@ietf.org>; Sat, 12 Nov 2016 22:43:08 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=yxiHqhYC2JzanWyFvjoQ/YNj//ATCopXBR54gLwV6jo=; b=XAIvSZCG4NpYIqgsXqGoKT0PVjpgFEUdaD+QHNGtra/PU8c7df0tnwwGBJ4C2kvV0Ryd7UfzqUmn2jIG+5BT4SbG8ZsOyW1Kw6zhqL5Md4pss+Uh2OZY8qOHl4XDNUOsYqzXsehsFe12YtTr4n/3ygtn8w9ZN7U0fTxxmNVa6rc=
Received: from CO2PR03MB2358.namprd03.prod.outlook.com (10.166.93.18) by CO2PR03MB2360.namprd03.prod.outlook.com (10.166.93.20) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.1.707.6; Sun, 13 Nov 2016 06:43:04 +0000
Received: from CO2PR03MB2358.namprd03.prod.outlook.com ([10.166.93.18]) by CO2PR03MB2358.namprd03.prod.outlook.com ([10.166.93.18]) with mapi id 15.01.0707.015; Sun, 13 Nov 2016 06:43:04 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: Torsten Lodderstedt <torsten@lodderstedt.net>, "oauth@ietf.org" <oauth@ietf.org>
Thread-Topic: [OAUTH-WG] Using Referred Token Binding ID for Token Binding of Access Tokens
Thread-Index: AdITLN3AvEZSb1qWQgWbF/NlQqhekwqRKyqAAAG3GIA=
Date: Sun, 13 Nov 2016 06:43:04 +0000
Message-ID: <CO2PR03MB235848A7FA8FDC21AA53C468F5BD0@CO2PR03MB2358.namprd03.prod.outlook.com>
References: <CO2PR03MB2358D7F80F3AB286A38082F6F5F70@CO2PR03MB2358.namprd03.prod.outlook.com> <5827FEA5.5090906@lodderstedt.net>
In-Reply-To: <5827FEA5.5090906@lodderstedt.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=Michael.Jones@microsoft.com;
x-originating-ip: [31.133.159.163]
x-microsoft-exchange-diagnostics: 1; CO2PR03MB2360; 7:V06k2MeOkPJupvGpkcUu8OaSH0Y6OnzAtya2MwWf0QNF+n/BXjLBNCU4Cy02ZQfM637uVLyYgvH5f9oANmBZ6SYwbKVgFwCuCNsXxno3Z0ZI3jl59ZEZLlugobAiblA7nOI4/CV+12Ua9887ASC1N9Sswcysyp/M6hr2Qy9ka6GkuNIdqayVksy+qPf97vovF5/W5MTu+i4Fk6uAx7hU3quaG7ydDCroalBpm4EZOkVvW0PvYX2y8KYkLOI/NTz6rQ9a1Ckjo+TmYspfei4f6ZeiCXpgljvH3wncceLgsyVJMdmzm4ToqN6hCPu+ksiHUzrSMgDJUJ146A9TPLQDfUZuYhDBIQ6H+TIM/2/9+5UjDkpznn0VwxP8o76vzjFO
x-ms-office365-filtering-correlation-id: 1af3877b-e97f-46d8-77f5-08d40b9051e0
x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:(22001);SRVR:CO2PR03MB2360;
x-microsoft-antispam-prvs: <CO2PR03MB2360858DDA39550044285C61F5BD0@CO2PR03MB2360.namprd03.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(158342451672863)(31418570063057)(21748063052155);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(61425038)(6040176)(6045074)(6060229)(601004)(2401047)(5005006)(8121501046)(3002001)(10201501046)(6055026)(61426038)(61427038)(6046074)(6061226); SRVR:CO2PR03MB2360; BCL:0; PCL:0; RULEID:; SRVR:CO2PR03MB2360;
x-forefront-prvs: 012570D5A0
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(7916002)(336003)(209900001)(199003)(377454003)(51444003)(189002)(7846002)(68736007)(76576001)(86612001)(3660700001)(2501003)(6116002)(86362001)(3280700002)(101416001)(102836003)(10090500001)(586003)(3846002)(5005710100001)(7696004)(10290500002)(99286002)(790700001)(2906002)(106356001)(81156014)(8990500004)(92566002)(8676002)(105586002)(81166006)(33656002)(87936001)(8936002)(66066001)(5001770100001)(7906003)(74316002)(97736004)(54356999)(5660300001)(7736002)(77096005)(50986999)(76176999)(9686002)(189998001)(229853002)(2950100002)(122556002)(107886002)(2900100001)(6606295002); DIR:OUT; SFP:1102; SCL:1; SRVR:CO2PR03MB2360; H:CO2PR03MB2358.namprd03.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords; A:1; MX:1; LANG:en;
received-spf: None (protection.outlook.com: microsoft.com does not designate permitted sender hosts)
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_CO2PR03MB235848A7FA8FDC21AA53C468F5BD0CO2PR03MB2358namp_"
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-originalarrivaltime: 13 Nov 2016 06:43:04.1722 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CO2PR03MB2360
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/BC1_ih1QeAORh_2EXTpqKJvzPIQ>
Subject: Re: [OAUTH-WG] Using Referred Token Binding ID for Token Binding of Access Tokens
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 13 Nov 2016 06:43:10 -0000

The HTTP header is described in https://tools.ietf.org/html/draft-ietf-tokbind-https-06#section-2 where it talks about a Sec-Token-Binding Header Field with a TokenBindingMessage with a TokenBinding structure with TokenBindingType of referred_token_binding.

The example is a good idea.

                                                       -- Mike

From: Torsten Lodderstedt [mailto:torsten@lodderstedt.net]
Sent: Sunday, November 13, 2016 2:48 PM
To: Mike Jones <Michael.Jones@microsoft.com>; oauth@ietf.org
Subject: Re: [OAUTH-WG] Using Referred Token Binding ID for Token Binding of Access Tokens

Hi Mike,

does this mean the binding ID is indicated to the authorization server via a respective HTTP header? I'm asking because I didn't find the respective parameter in the draft.

Could you add a HTTP request example? I think that would help a lot to better understand the mechanism.

best regards,
Torsten.
Am 20.09.2016 um 21:16 schrieb Mike Jones:
The OAuth Token Binding specification has been revised to use the Referred Token Binding ID when performing token binding of access tokens.  This was enabled by the Implementation Considerations in the Token Binding HTTPS specification being added to make it clear that Token Binding implementations will enable using the Referred Token Binding ID in this manner.  Protected Resource Metadata was also defined.

Thanks to Brian Campbell for clarifications on the differences between token binding of access tokens issued from the authorization endpoint versus those issued from the token endpoint.

The specification is available at:

*       http://tools.ietf.org/html/draft-ietf-oauth-token-binding-01

An HTML-formatted version is also available at:

*       http://self-issued.info/docs/draft-ietf-oauth-token-binding-01.html

                                                       -- Mike

P.S.  This notice was also posted at http://self-issued.info/?p=1610 and as @selfissued<https://twitter.com/selfissued>.





_______________________________________________

OAuth mailing list

OAuth@ietf.org<mailto:OAuth@ietf.org>

https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email