IETF Logo Mail Archive

Re: [OAUTH-WG] Oauth Server to Server

Bill Mills <wmills_92105@yahoo.com> Tue, 24 September 2013 15:23 UTC

Return-Path: <wmills_92105@yahoo.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AD29011E8151 for <oauth@ietfa.amsl.com>; Tue, 24 Sep 2013 08:23:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.143
X-Spam-Level:
X-Spam-Status: No, score=-0.143 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FRT_ADOBE2=2.455, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xzihe8t8W+Rq for <oauth@ietfa.amsl.com>; Tue, 24 Sep 2013 08:22:55 -0700 (PDT)
Received: from nm15.bullet.mail.bf1.yahoo.com (nm15.bullet.mail.bf1.yahoo.com [98.139.212.174]) by ietfa.amsl.com (Postfix) with ESMTP id 196C811E814E for <oauth@ietf.org>; Tue, 24 Sep 2013 08:22:51 -0700 (PDT)
Received: from [98.139.214.32] by nm15.bullet.mail.bf1.yahoo.com with NNFMP; 24 Sep 2013 15:22:51 -0000
Received: from [98.139.212.220] by tm15.bullet.mail.bf1.yahoo.com with NNFMP; 24 Sep 2013 15:22:51 -0000
Received: from [127.0.0.1] by omp1029.mail.bf1.yahoo.com with NNFMP; 24 Sep 2013 15:22:51 -0000
X-Yahoo-Newman-Property: ymail-3
X-Yahoo-Newman-Id: 229001.72660.bm@omp1029.mail.bf1.yahoo.com
Received: (qmail 40116 invoked by uid 60001); 24 Sep 2013 15:22:51 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s1024; t=1380036171; bh=O0CcsKsEs8HX/vObh98EaApCzxi6cFyijiNzXxFmSJs=; h=X-YMail-OSG:Received:X-Rocket-MIMEInfo:X-Mailer:References:Message-ID:Date:From:Reply-To:Subject:To:Cc:In-Reply-To:MIME-Version:Content-Type; b=bU2x93QNnfhFW1idsS+4/MN1QZ6/V/kRpFc6vT7Z81XP9BMtcK0aQiOiWFptf3wOXQvrvwZ4LL8iVLh09Eex9jVXg+nuMR5Gy406BLbCMgS1Sd2YN+UxALetGGeJuZ41gxWKOZ+v4cYAnfdCO2q+mEQHejNsAghDi0EuAwuILew=
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.com; h=X-YMail-OSG:Received:X-Rocket-MIMEInfo:X-Mailer:References:Message-ID:Date:From:Reply-To:Subject:To:Cc:In-Reply-To:MIME-Version:Content-Type; b=xmjal+CpyWTSSc8FS9sCVTmJwDMcrUz9N8RIxntU+/HAUbxeyEvneiu3UUK50N887YGS3ifw3mQvRaHvDq2adkzheQBMpCI9hHiaH1QI5NheYVJkgQtRi+sQQ9LTKslkPpACLlsWSX58hj7M702Er/yN8hTwDQorZL4L97x7h0c=;
X-YMail-OSG: jVmkxYcVM1nb2T0wNN43OiMl43lh9qiYsgXiK4Rwo0bceHR JhfbUT06IbMf0FQeVxgmIyRZNrbUbM5hONfWmauNwum6..NvfgyqcgHBhquF WjG1OihrrPzq9HB1VtiEl.8UssYLefv4ResUgIkcJWMSRdqUWZ8Wjx7awy.G 72qDGG0I4CSdUvd.hZdFsdBWoYHHaBjdzunDAtoBq9L7YoOraC65iqdSiPyc FG2YdOYVqjN1nJnNbA9fzEm71KA37CnAwbQNL3rixp7Nrw_Ptd5ec0pAtp0p sbQjKtBHG.PUWLuyfWVZio5vGAyTYpRAy0Y1Y4z9TS7ve33oQrNajRHF5L0U jgv8gPkd_cUThjXL1XhFKNJke8q6Suf5c28JQMDRichrJvts4.RvDMxDWl8K 2dxkdtVLfRQOv9nlGgQb4m0fDDxF6gHf.FEBj8q4EUvR.VHRqmsVvBI0O8Wt ArV133ncd4bSM1N_pU_g70de880_5YuCiB1Td18336NtXWlh_fY_Vp_.BMgO rcWmKoVIMiKxkFr16M6jzjow22Tz2fqDQN5LFq2Mm6HuQbsMWrQtuP2R5Iog JrZOOYwlkczI6bws_Dhkh.jYXJCMDVPfDo.RgGy1ZjkDwImBk1b18_EGM7Tq vpPb2zBlmek1x7yFh9TL8mm23jeeXe5EAHuFjdOplov6dd.gih_z6R8spRCp BJaXsCqjn8nxqTjgAFjQd0kqXP.KWvQ5XD8S92zU14Qm50nWPRJuapg8hdZA SBE0ejM.hkg--
Received: from [209.131.62.115] by web142802.mail.bf1.yahoo.com via HTTP; Tue, 24 Sep 2013 08:22:51 PDT
X-Rocket-MIMEInfo: 002.001, U28gdGhleSBhcmUgdXNpbmcgY2xpZW50IGF1dGhlbnRpY2F0aW9uIGFzIGRlZmluZWQgb24gT0F1dGggMiB0aGVuPwoKCgpPbiBUdWVzZGF5LCBTZXB0ZW1iZXIgMjQsIDIwMTMgODoxOCBBTSwgQW50b25pbyBTYW5zbyA8YXNhbnNvQGFkb2JlLmNvbT4gd3JvdGU6CiAKSGkgY2h1Y2ssCgoKCk9uIFNlcCAyNCwgMjAxMywgYXQgNDo1NyBQTSwgQ2h1Y2sgTW9ydGltb3JlIDxjbW9ydGltb3JlQHNhbGVzZm9yY2UuY29tPiB3cm90ZToKCkknbSBub3Qgc3VyZSBJIHVuZGVyc3RhbmQgeW91ciBwb2ludCBoZXJlLiABMAEBAQE-
X-Mailer: YahooMailWebService/0.8.157.561
References: <832FA2A6-D0DD-45D0-9107-7EE02B6793B7@adobe.com> <CA+k3eCSVwT15wBwuCZNy1EuiVOSwVg+TThVvWnbwZ1wHVvfA-A@mail.gmail.com> <7558541E-3517-4F71-A049-6143D4247738@adobe.com> <1510634430014420341@unknownmsgid> <4AEF7FF7-06A2-4A2E-92D4-B18DDBC07B21@adobe.com>
Message-ID: <1380036171.35016.YahooMailNeo@web142802.mail.bf1.yahoo.com>
Date: Tue, 24 Sep 2013 08:22:51 -0700
From: Bill Mills <wmills_92105@yahoo.com>
To: Antonio Sanso <asanso@adobe.com>, Chuck Mortimore <cmortimore@salesforce.com>
In-Reply-To: <4AEF7FF7-06A2-4A2E-92D4-B18DDBC07B21@adobe.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="1397251415-2067535939-1380036171=:35016"
Cc: "oauth@ietf.org WG" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Oauth Server to Server
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: Bill Mills <wmills_92105@yahoo.com>
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 24 Sep 2013 15:23:01 -0000

So they are using client authentication as defined on OAuth 2 then?



On Tuesday, September 24, 2013 8:18 AM, Antonio Sanso <asanso@adobe.com> wrote:
 
Hi chuck,



On Sep 24, 2013, at 4:57 PM, Chuck Mortimore <cmortimore@salesforce.com> wrote:

I'm not sure I understand your point here.   I don't believe there is anything custom or special about the google implementation here vs JWT.   It looks identical to our implementation.  
>
>
>Can you elaborate?
>

sure.

What is novel IMHO in the Google approach is not the bearer format , that is still JWT (or JWS in this case) but the overall scenario.

As I see OAuth 2 is really good to cover use cases where there is human interaction (so an user namely the resource owner can provider username and password to the AS but not to the client and get back the Bearer Token).
This is obviously covered from [2] and [3] namely Authorization Code Grant and Implicit grant flow.

When there is not human interaction involved what RFC6749 offers is the already cited Resource Owner Password Credentials Grant that IMHO is a no go since it required the resource owner to share his password with the client.

The way as Google offers to solve the same situation (namely obtain , or create in this case, a bearer token without having the resource owner password) is using asymmetric cryptography. What is happening is that quoting

"During the creation of a Service Account, you will be prompted to 
download a private key. Be sure to save this private key in a secure 
location. After the Service Account has been created, you will also have access to the client_id associated with the private key."

An alternative mentioned from John Bradley previously is that clients can securely generate key pairs but in terms of security would be identical.

I hope is a bit clearer now  :)

regards

antonio


[2] http://tools.ietf.org/html/rfc6749#section-4.1
[3] http://tools.ietf.org/html/rfc6749#section-4.2


>- cmort
>
>On Sep 24, 2013, at 5:57 AM, Antonio Sanso <asanso@adobe.com> wrote:
>
>
>Hi Brian,
>>
>>
>>thanks a lot for your pointer.
>>
>>
>>What the custom Google flow provides more than the oauth jwt bearer draft is IMHO an explicit way to build JWT without any 'human interaction' so a server can handle the construction of an expired JWT bearer token on his own.
>>
>>
>>This can of course be figured out by any implementer (as the Google folks obviously did) but it would be nice to provide this black on white on a spec IMHO
>>
>>
>>regards
>>
>>
>>Antonio
>>
>>
>>
>>
>>On Sep 24, 2013, at 2:35 PM, Brian Campbell <bcampbell@pingidentity.com> wrote:
>>
>>Might this http://tools.ietf.org/html/draft-ietf-oauth-jwt-bearer be what you're looking for?
>>>
>>>
>>>
>>>
>>>On Tue, Sep 24, 2013 at 6:08 AM, Antonio Sanso <asanso@adobe.com> wrote:
>>>
>>>Hi *,
>>>>
>>>>apologis to be back to this argument :).
>>>>
>>>>Let me try to better explain one use case that IMHO would be really good to have in the OAuth specification family :)
>>>>
>>>>At the moment the only "OAuth standard" way I know to do OAuth server to server is to use [0] namely Resource Owner Password Credentials Grant.
>>>>
>>>>Let me tell I am not a big fun of this particular flow :) (but this is another story).
>>>>
>>>>An arguable better way to solve this scenario is to user (and why not to standardise :S?) the method used by Google (or a variant of it) see [1].
>>>>
>>>>Couple of more things:
>>>>
>>>>- I do not know if Google would be interested to put some effort to standardise it (is anybody from Google lurking :) e.g.Tim Bray :D )
>>>>- I am not too familiar with IETF process. Would the OAuth WG take in consideration such proposal draft??
>>>>
>>>>Thanks and regards
>>>>
>>>>Antonio
>>>>
>>>>[0] http://tools.ietf.org/html/rfc6749#section-4.3
>>>>[1] https://developers.google.com/accounts/docs/OAuth2ServiceAccount
>>>>_______________________________________________
>>>>OAuth mailing list
>>>>OAuth@ietf.org
>>>>https://www.ietf.org/mailman/listinfo/oauth
>>>>
>>>
>>
>_______________________________________________
>>OAuth mailing list
>>OAuth@ietf.org
>>https://www.ietf.org/mailman/listinfo/oauth
>>

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email