Re: [OAUTH-WG] Cross Platform Authentication - OAuth 2.0 Device Flow - WWW-Authenticate to advertise OAuth 2.0 support
"Manger, James" <James.H.Manger@team.telstra.com> Fri, 13 May 2016 02:04 UTC
Return-Path: <James.H.Manger@team.telstra.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 79F2012B049 for <oauth@ietfa.amsl.com>; Thu, 12 May 2016 19:04:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.589
X-Spam-Level:
X-Spam-Status: No, score=-2.589 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, T_KAM_HTML_FONT_INVALID=0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Xi_18okaSrp7 for <oauth@ietfa.amsl.com>; Thu, 12 May 2016 19:04:42 -0700 (PDT)
Received: from ipxcno.tcif.telstra.com.au (ipxcno.tcif.telstra.com.au [203.35.82.208]) by ietfa.amsl.com (Postfix) with ESMTP id E88FD12B038 for <oauth@ietf.org>; Thu, 12 May 2016 19:04:40 -0700 (PDT)
X-IronPort-AV: E=Sophos; i="5.24,611,1454936400"; d="scan'208,217"; a="77164142"
Received: from unknown (HELO ipcani.tcif.telstra.com.au) ([10.97.216.200]) by ipocni.tcif.telstra.com.au with ESMTP; 13 May 2016 12:04:38 +1000
X-IronPort-AV: E=McAfee;i="5700,7163,8163"; a="114570310"
Received: from wsmsg3703.srv.dir.telstra.com ([172.49.40.171]) by ipcani.tcif.telstra.com.au with ESMTP; 13 May 2016 12:04:38 +1000
Received: from WSMSG3153V.srv.dir.telstra.com ([172.49.40.159]) by wsmsg3703.srv.dir.telstra.com ([fe80::9c60:bf5:3f86:2ec%11]) with mapi; Fri, 13 May 2016 12:04:37 +1000
From: "Manger, James" <James.H.Manger@team.telstra.com>
To: Hannes Tschofenig <hannes.tschofenig@gmx.net>, "oauth@ietf.org" <oauth@ietf.org>, "barroco@ebu.ch" <barroco@ebu.ch>
Date: Fri, 13 May 2016 12:04:35 +1000
Thread-Topic: [OAUTH-WG] Cross Platform Authentication - OAuth 2.0 Device Flow - WWW-Authenticate to advertise OAuth 2.0 support
Thread-Index: AdGsupjwfcrwpXIcTEuuyXNQqzqKzw==
Message-ID: <255B9BB34FB7D647A506DC292726F6E13BD166320F@WSMSG3153V.srv.dir.telstra.com>
Accept-Language: en-US, en-AU
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US, en-AU
Content-Type: multipart/alternative; boundary="_000_255B9BB34FB7D647A506DC292726F6E13BD166320FWSMSG3153Vsrv_"
MIME-Version: 1.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/BL7Vosh38F1W-Hct9NPccmoEhLs>
Subject: Re: [OAUTH-WG] Cross Platform Authentication - OAuth 2.0 Device Flow - WWW-Authenticate to advertise OAuth 2.0 support
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 13 May 2016 02:04:46 -0000
Hi Michael & OAuth-ers, The EBU Cross Platform Auth spec has defined their own "CPA" scheme for the WWW-Authenticate HTTP response header to advertise OAuth 2.0 capability [section 7.7.1 "Authentication challenge" in https://tech.ebu.ch/docs/tech/tech3366.pdf]. WWW-Authenticate: CPA version="1.0" name="Example Authorization Provider" uri="https://ap.example.com/cpa" modes="client,user" It is a shame that there isn’t a standard OAuth way to do this without needing a CPA-specific scheme. P.S. This CPA example is invalid. It needs commas between attributes [https://tools.ietf.org/html/rfc7235#appendix-C]. -- James Manger -----Original Message----- From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of Hannes Tschofenig Sent: Wednesday, 11 May 2016 8:48 PM To: oauth@ietf.org Subject: [OAUTH-WG] OAuth 2.0 for broadcasters Hi all, End of April I had the chance to talk to Michael Barroco (from the European Broadcasting Union) and to Chris Needham (from the BBC) regarding their use of OAuth 2.0 for broadcasters. In March Michael dropped a mail to the OAuth mailing list to make us aware of their work, see https://www.ietf.org/mail-archive/web/oauth/current/msg15969.html The specification they are working on is based on the OAuth Device flow. Michael and Chris walked me through a slide deck offering me more background regarding their work. (I will upload the slide deck to our Wiki but the IETF meeting site seems to be down at the moment.) In addition to the specification code and tutorials have been developed and you can find them here: https://github.com/ebu/cpa-tutorial https://tech.ebu.ch/code I gave Chris & Michael an update of what we are doing in the OAuth working group since I believe some of our currently chartered items could be relevant for them, such as the native apps BCP or the PoP/Token Binding work. I also mentioned that we are looking for feedback from their group on the Device Flow specification. Ciao Hannes From: "Barroco, Michael" <barroco at ebu.ch> To: "oauth at ietf.org" <oauth at ietf.org> Cc: "tvp-cpa at list.ebu.ch" <tvp-cpa at list.ebu.ch> Date: Mon, 7 Mar 2016 08:43:56 +0000 Dear all, We are contacting you because we noticed that you recently restarted the work on OAuth 2.0 Device Flow. We are in the process of publishing an ETSI standard [1] specifying a protocol with very similar goals. This has been developed by an EBU (European Broadcasting Union) working group involving broadcasters, such as BBC, SRG-RTS, VRT, RTVE, TVP, Global Radio UK, and device manufacturers. Our work on the “Cross Platform Authentication” protocol targets media devices, such as connected TVs and radio receivers. It is based on the early OAuth 2.0 Device Flow draft, but includes additional features driven by broadcast industry requirements. These include: dynamic registration of clients, dynamic discovery of the authorization provider, and issuing of access tokens without requiring association with a user account in order to provide device-based authentication that does not require user sign-in or pairing. Our draft protocol specification is available here [2]. Cross Platform Authentication also specifies several aspects left open to implementers in OAuth 2.0, such as endpoint URL paths, to facilitate interoperability. Also note that reference implementations are available [3]. We would be very interested in working together with you to explain our design requirements and try to align our protocol designs. With best regards, The EBU Cross Platform Authentication group https://tech.ebu.ch/cpa [1] https://portal.etsi.org/webapp/WorkProgram/Report_WorkItem.asp?WKI_ID=47970 [2] https://tech.ebu.ch/docs/tech/tech3366.pdf [3] https://tech.ebu.ch/code/cpa ------------------------------------------------------------------------------
- Re: [OAUTH-WG] Cross Platform Authentication - OA… Manger, James
- Re: [OAUTH-WG] Cross Platform Authentication - OA… Nat Sakimura
- Re: [OAUTH-WG] Cross Platform Authentication - OA… Manger, James