Re: [OAUTH-WG] SWT for indicating sites where a token is valid
Marius Scurtescu <mscurtescu@google.com> Mon, 10 May 2010 17:58 UTC
Return-Path: <mscurtescu@google.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 38F903A6A5B for <oauth@core3.amsl.com>; Mon, 10 May 2010 10:58:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -100.265
X-Spam-Level:
X-Spam-Status: No, score=-100.265 tagged_above=-999 required=5 tests=[AWL=-0.888, BAYES_50=0.001, FM_FORGED_GMAIL=0.622, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LQz+tq6eyy-g for <oauth@core3.amsl.com>; Mon, 10 May 2010 10:58:52 -0700 (PDT)
Received: from smtp-out.google.com (smtp-out.google.com [74.125.121.35]) by core3.amsl.com (Postfix) with ESMTP id AB2923A6BFF for <oauth@ietf.org>; Mon, 10 May 2010 10:58:21 -0700 (PDT)
Received: from hpaq3.eem.corp.google.com (hpaq3.eem.corp.google.com [172.25.149.3]) by smtp-out.google.com with ESMTP id o4AHw8pk013272 for <oauth@ietf.org>; Mon, 10 May 2010 10:58:08 -0700
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=google.com; s=beta; t=1273514289; bh=XD0MB9r5YAbux7ADkykAFSqMZ+g=; h=MIME-Version:In-Reply-To:References:From:Date:Message-ID:Subject: To:Cc:Content-Type:Content-Transfer-Encoding; b=u2ruSHh6gMyKOrqcjmGZ7sU+0zrwHYR1YiCvVkKfhTOVaGg/c9WXTVr+9ktDTffTJ gpcmsirri+ersrXMw0xBA==
DomainKey-Signature: a=rsa-sha1; s=beta; d=google.com; c=nofws; q=dns; h=mime-version:in-reply-to:references:from:date:message-id: subject:to:cc:content-type:content-transfer-encoding:x-system-of-record; b=PJFsWWtmhSm0sqSh53G8b0/Wm72NI+x/OVj62RDUFUMTwmTuDGkjVmPYcFly6HVVZ w2nBrX4Ua7S4wZ0hLEK8w==
Received: from pxi19 (pxi19.prod.google.com [10.243.27.19]) by hpaq3.eem.corp.google.com with ESMTP id o4AHw6YB015835 for <oauth@ietf.org>; Mon, 10 May 2010 10:58:07 -0700
Received: by pxi19 with SMTP id 19so1974657pxi.31 for <oauth@ietf.org>; Mon, 10 May 2010 10:58:06 -0700 (PDT)
Received: by 10.141.110.6 with SMTP id n6mr2886056rvm.163.1273514286102; Mon, 10 May 2010 10:58:06 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.141.125.21 with HTTP; Mon, 10 May 2010 10:57:46 -0700 (PDT)
In-Reply-To: <255B9BB34FB7D647A506DC292726F6E112631B2989@WSMSG3153V.srv.dir.telstra.com>
References: <255B9BB34FB7D647A506DC292726F6E11263073D6D@WSMSG3153V.srv.dir.telstra.com> <q2hfd6741651005062105y46152452x370fac0dd12d55c6@mail.gmail.com> <255B9BB34FB7D647A506DC292726F6E112631B24FC@WSMSG3153V.srv.dir.telstra.com> <4BE3A5DC.5030601@lodderstedt.net> <BC9EED4C-B667-4AC2-A663-CEAC0B7CB620@lodderstedt.net> <AANLkTincZ8_0-t2r_Ey9BestA_knMciYsxRLyHcOvSVO@mail.gmail.com> <g2xfd6741651005071106if93ba794q7e9739669eb22fc2@mail.gmail.com> <255B9BB34FB7D647A506DC292726F6E112631B2989@WSMSG3153V.srv.dir.telstra.com>
From: Marius Scurtescu <mscurtescu@google.com>
Date: Mon, 10 May 2010 10:57:46 -0700
Message-ID: <AANLkTinUEWwq2pxLukMrwDHeth-86THV_uvGWCrFjskU@mail.gmail.com>
To: "Manger, James H" <James.H.Manger@team.telstra.com>
Content-Type: text/plain; charset="windows-1252"
Content-Transfer-Encoding: quoted-printable
X-System-Of-Record: true
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] SWT for indicating sites where a token is valid
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 10 May 2010 17:58:53 -0000
Hi James, I was suggesting a transparent token format in general, SWT was just an example. Yes, SWT does have a few problems: - symmetric key encryption - URL encoded name/value pairs as format It can be easily extended to support public key crypto, but this will help only key management between the authorization server and the protected resources. The client does not really need to verify the signature. If the token was compromised then the protected resource will refuse it anyhow. It was also suggested to use JSON and then web safe base64 for the format. As a side note, I was thinking more about the suggested "sites" parameter. In practice that sites where an access token can be used is limited to what protected resources can decrypt or verify the token. An access token cannot be really used at the wrong site. A "sites" parameter could be a nice hint for the client, but not a security requirement. Marius On Sun, May 9, 2010 at 6:51 AM, Manger, James H <James.H.Manger@team.telstra.com> wrote: > David & Marius, > > > >> Using SWT for your access tokens seems like a reasonable way to resolve >> this for servers which care. > > > > SWT is completely the wrong solution for this issue, if I understand it > correctly. > > > > I haven’t followed the SWT work much, but my understanding is that it aids > interop between authorization and resource servers by defining a token > format. A crucial feature is a MAC, created by the authz server and verified > by the resource server. > > > > A client app cannot have the secret key required to verify the signature > (MAC) in a SWT token. SWT is separate from WRAP (& OAuth) because it is a > private matter between servers -- which the client does not have to know > anything about. > > > > The commonality between this issue (“sites” token response param) and SWT is > that client apps and resource servers need to know some similar information > about a token: such as where & when it can be used. > > > > Theoretically I guess we could mandate something like SWT (fleshed out with > specifics) for tokens so clients and resource servers can get the info they > need from the same field *in* the token. However, tokens that are opaque to > clients (with the info they need in separate fields) is a much better > architecture (less coupling), even if some info gets repeated. > > > > > > P.S. I found SWT-v0.9.5 at > http://groups.google.com/group/oauth-wrap-wg/files. > > > > -- > > James Manger > > > > From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of > David Recordon > Sent: Saturday, 8 May 2010 4:06 AM > To: Marius Scurtescu > Cc: OAuth WG > Subject: Re: [OAUTH-WG] Indicating sites where a token is valid > > > > Using SWT for your access tokens seems like a reasonable way to resolve this > for servers which care. > > > > On Fri, May 7, 2010 at 11:01 AM, Marius Scurtescu <mscurtescu@google.com> > wrote: > > Returning a scope parameter with issued tokens is not a bad idea. > > But this, and also the sites parameter suggested by James, can both > potentially be solved with a transparent token format. Such a token > can make explicit the: > - expiry time > - scopes > - sites > - etc. > > The Simple Web Token spec goes along these lines. SWT has a parameter > called Audience, which I assumed would point to the client, but it > could also represent "sites". > > Marius > >
- [OAUTH-WG] Indicating sites where a token is valid Manger, James H
- Re: [OAUTH-WG] Indicating sites where a token is … Marius Scurtescu
- Re: [OAUTH-WG] Indicating sites where a token is … Manger, James H
- Re: [OAUTH-WG] Indicating sites where a token is … David Recordon
- Re: [OAUTH-WG] Indicating sites where a token is … Manger, James H
- [OAUTH-WG] Redirects Manger, James H
- Re: [OAUTH-WG] Indicating sites where a token is … Torsten Lodderstedt
- Re: [OAUTH-WG] Redirects David Recordon
- Re: [OAUTH-WG] Redirects Luke Shepard
- Re: [OAUTH-WG] Redirects Torsten Lodderstedt
- Re: [OAUTH-WG] Indicating sites where a token is … Torsten Lodderstedt
- Re: [OAUTH-WG] Redirects Manger, James H
- Re: [OAUTH-WG] Redirects Manger, James H
- Re: [OAUTH-WG] Indicating sites where a token is … Manger, James H
- Re: [OAUTH-WG] Redirects David Recordon
- Re: [OAUTH-WG] Redirects Manger, James H
- Re: [OAUTH-WG] Redirects David Recordon
- Re: [OAUTH-WG] Redirects Manger, James H
- Re: [OAUTH-WG] Indicating sites where a token is … Manger, James H
- Re: [OAUTH-WG] Indicating sites where a token is … Torsten Lodderstedt
- Re: [OAUTH-WG] Indicating sites where a token is … Marius Scurtescu
- Re: [OAUTH-WG] Indicating sites where a token is … Marius Scurtescu
- Re: [OAUTH-WG] Indicating sites where a token is … David Recordon
- Re: [OAUTH-WG] Indicating sites where a token is … Manger, James H
- Re: [OAUTH-WG] SWT for indicating sites where a t… Manger, James H
- Re: [OAUTH-WG] Indicating sites where a token is … Manger, James H
- Re: [OAUTH-WG] Indicating sites where a token is … Eran Hammer-Lahav
- Re: [OAUTH-WG] Indicating sites where a token is … Eran Hammer-Lahav
- Re: [OAUTH-WG] Indicating sites where a token is … Richer, Justin P.
- Re: [OAUTH-WG] SWT for indicating sites where a t… Marius Scurtescu
- Re: [OAUTH-WG] Indicating sites where a token is … Evan Gilbert
- Re: [OAUTH-WG] SWT for indicating sites where a t… Manger, James H
- Re: [OAUTH-WG] SWT for indicating sites where a t… Marius Scurtescu
- Re: [OAUTH-WG] SWT for indicating sites where a t… Manger, James H
- Re: [OAUTH-WG] Indicating sites where a token is … David Recordon
- Re: [OAUTH-WG] Indicating sites where a token is … Manger, James H
- Re: [OAUTH-WG] Indicating sites where a token is … David Recordon
- Re: [OAUTH-WG] Indicating sites where a token is … Torsten Lodderstedt
- Re: [OAUTH-WG] SWT for indicating sites where a t… Marius Scurtescu
- Re: [OAUTH-WG] Indicating sites where a token is … Marius Scurtescu
- Re: [OAUTH-WG] SWT for indicating sites where a t… Manger, James H
- Re: [OAUTH-WG] Indicating sites where a token is … Evan Gilbert
- Re: [OAUTH-WG] Indicating sites where a token is … Manger, James H
- Re: [OAUTH-WG] Indicating sites where a token is … Evan Gilbert
- Re: [OAUTH-WG] Indicating sites where a token is … Manger, James H
- Re: [OAUTH-WG] Indicating sites where a token is … Evan Gilbert
- Re: [OAUTH-WG] Indicating sites where a token is … Eran Hammer-Lahav
- Re: [OAUTH-WG] Indicating sites where a token is … Evan Gilbert
- Re: [OAUTH-WG] Indicating sites where a token is … Eran Hammer-Lahav
- Re: [OAUTH-WG] Indicating sites where a token is … Manger, James H
- Re: [OAUTH-WG] Indicating sites where a token is … Evan Gilbert
- Re: [OAUTH-WG] Indicating sites where a token is … Brian Eaton
- Re: [OAUTH-WG] Indicating sites where a token is … Manger, James H
- Re: [OAUTH-WG] Indicating sites where a token is … Dick Hardt
- Re: [OAUTH-WG] Indicating sites where a token is … Eran Hammer-Lahav
- Re: [OAUTH-WG] Indicating sites where a token is … Dick Hardt
- Re: [OAUTH-WG] Indicating sites where a token is … Eran Hammer-Lahav