Re: [OAUTH-WG] SWT for indicating sites where a token is valid

[Marius Scurtescu <mscurtescu@google.com>]

Hi James,

I was suggesting a transparent token format in general, SWT was just
an example. Yes, SWT does have a few problems:
- symmetric key encryption
- URL encoded name/value pairs as format

It can be easily extended to support public key crypto, but this will
help only key management between the authorization server and the
protected resources. The client does not really need to verify the
signature. If the token was compromised then the protected resource
will refuse it anyhow.

It was also suggested to use JSON and then web safe base64 for the format.

As a side note, I was thinking more about the suggested "sites"
parameter. In practice that sites where an access token can be used is
limited to what protected resources can decrypt or verify the token.
An access token cannot be really used at the wrong site. A "sites"
parameter could be a nice hint for the client, but not a security
requirement.

Marius



On Sun, May 9, 2010 at 6:51 AM, Manger, James H
<James.H.Manger@team.telstra.com> wrote:
> David & Marius,
>
>
>
>> Using SWT for your access tokens seems like a reasonable way to resolve
>> this for servers which care.
>
>
>
> SWT is completely the wrong solution for this issue, if I understand it
> correctly.
>
>
>
> I haven’t followed the SWT work much, but my understanding is that it aids
> interop between authorization and resource servers by defining a token
> format. A crucial feature is a MAC, created by the authz server and verified
> by the resource server.
>
>
>
> A client app cannot have the secret key required to verify the signature
> (MAC) in a SWT token. SWT is separate from WRAP (& OAuth) because it is a
> private matter between servers -- which the client does not have to know
> anything about.
>
>
>
> The commonality between this issue (“sites” token response param) and SWT is
> that client apps and resource servers need to know some similar information
> about a token: such as where & when it can be used.
>
>
>
> Theoretically I guess we could mandate something like SWT (fleshed out with
> specifics) for tokens so clients and resource servers can get the info they
> need from the same field *in* the token. However, tokens that are opaque to
> clients (with the info they need in separate fields) is a much better
> architecture (less coupling), even if some info gets repeated.
>
>
>
>
>
> P.S. I found SWT-v0.9.5 at
> http://groups.google.com/group/oauth-wrap-wg/files.
>
>
>
> --
>
> James Manger
>
>
>
> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of
> David Recordon
> Sent: Saturday, 8 May 2010 4:06 AM
> To: Marius Scurtescu
> Cc: OAuth WG
> Subject: Re: [OAUTH-WG] Indicating sites where a token is valid
>
>
>
> Using SWT for your access tokens seems like a reasonable way to resolve this
> for servers which care.
>
>
>
> On Fri, May 7, 2010 at 11:01 AM, Marius Scurtescu <mscurtescu@google.com>
> wrote:
>
> Returning a scope parameter with issued tokens is not a bad idea.
>
> But this, and also the sites parameter suggested by James, can both
> potentially be solved with a transparent token format. Such a token
> can make explicit the:
> - expiry time
> - scopes
> - sites
> - etc.
>
> The Simple Web Token spec goes along these lines. SWT has a parameter
> called Audience, which I assumed would point to the client, but it
> could also represent "sites".
>
> Marius
>
>