Re: [OAUTH-WG] SAML 2.0 Bearer Assertion Profile for OAuth 2.0 draft
Torsten Lodderstedt <torsten@lodderstedt.net> Sun, 18 July 2010 15:48 UTC
Return-Path: <torsten@lodderstedt.net>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 2C04D3A695A for <oauth@core3.amsl.com>; Sun, 18 Jul 2010 08:48:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.151
X-Spam-Level:
X-Spam-Status: No, score=-2.151 tagged_above=-999 required=5 tests=[AWL=0.097, BAYES_00=-2.599, HELO_EQ_DE=0.35, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wgAHWhzMZ8-k for <oauth@core3.amsl.com>; Sun, 18 Jul 2010 08:48:46 -0700 (PDT)
Received: from smtprelay04.ispgateway.de (smtprelay04.ispgateway.de [80.67.31.32]) by core3.amsl.com (Postfix) with ESMTP id D99D03A6979 for <oauth@ietf.org>; Sun, 18 Jul 2010 08:48:45 -0700 (PDT)
Received: from p4ffd3f9f.dip.t-dialin.net ([79.253.63.159] helo=[127.0.0.1]) by smtprelay04.ispgateway.de with esmtpa (Exim 4.68) (envelope-from <torsten@lodderstedt.net>) id 1OaW6r-00051q-22; Sun, 18 Jul 2010 17:48:57 +0200
Message-ID: <4C432262.40204@lodderstedt.net>
Date: Sun, 18 Jul 2010 17:48:50 +0200
From: Torsten Lodderstedt <torsten@lodderstedt.net>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; de; rv:1.9.1.10) Gecko/20100512 Thunderbird/3.0.5
MIME-Version: 1.0
To: Brian Campbell <bcampbell@pingidentity.com>
References: <AANLkTinSrPUEauUsSWjVHN0KZu9LxHVaWRpanGAE3ZEC@mail.gmail.com>
In-Reply-To: <AANLkTinSrPUEauUsSWjVHN0KZu9LxHVaWRpanGAE3ZEC@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------000504090804060900080302"
X-Df-Sender: 141509
Cc: oauth <oauth@ietf.org>
Subject: Re: [OAUTH-WG] SAML 2.0 Bearer Assertion Profile for OAuth 2.0 draft
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 18 Jul 2010 15:48:48 -0000
Hi Brian, thank you for taking the effort to write this I-D. I have the following remarks: Why do you prescribe to include the token endpoint URL into the SubjectConfirmationData and similar data also in the AudienceRestriction? I would expect such data in the AudienceRestriction only. Why do you prohibit NotBefore-Attributes? What the reason for that statement? "If the assertion was issued with the intention that the client act autonomously on behalf of the subject, an <AuthnStatement> SHOULD NOT be included." Do you expect the OAuth authorization server to authenticate the client anyway? Your I-D states: "The authorization server MUST ensure that bearer assertions are not replayed, by maintaining the set of used ID values for the length of time for which the assertion would be considered valid based on the NotOnOrAfter attribute in the <SubjectConfirmationData>." Why do you want to force a one-time usage for SAML assertions? This is to restrictive, in my opinion. Any issuing authority could enforce such a policy by using the "OneTimeUse" element. 2.3. Error Response: I would suggest to return a 401 status code for invalid assertions since I see them as invalid credentials. regards, Torsten. Am 15.07.2010 22:50, schrieb Brian Campbell: > I'm gong to join the growing list of people attaching a potential I-D > to an email due to he cut off time for the I-D submissions. Attached > is a draft that aims to tightly define the particular format of a SAML > 2.0 bearer assertion in requesting an access token using the assertion > grant_type. I've been working with Chuck at Salesforce.com on this > and the primary goal is to have some documentation or specification > that is sufficient to facilitate interoperability between > independently developed implementations or products. This, of > course, wouldn't preclude using SAML in other ways - it would only > provide one concrete definition to implement against. > > I intend to submit this as an I-D when the submission process reopens. > Any feedback from this group would be appreciated as well as > thoughts about this eventually becoming a working group draft. > > Thanks, > Brian Campbell > > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth >
- [OAUTH-WG] SAML 2.0 Bearer Assertion Profile for … Brian Campbell
- Re: [OAUTH-WG] SAML 2.0 Bearer Assertion Profile … Torsten Lodderstedt
- Re: [OAUTH-WG] SAML 2.0 Bearer Assertion Profile … Brian Campbell
- Re: [OAUTH-WG] SAML 2.0 Bearer Assertion Profile … Torsten Lodderstedt
- Re: [OAUTH-WG] SAML 2.0 Bearer Assertion Profile … Brian Campbell
- Re: [OAUTH-WG] SAML 2.0 Bearer Assertion Profile … Chuck Mortimore
- Re: [OAUTH-WG] SAML 2.0 Bearer Assertion Profile … Brian Campbell
- Re: [OAUTH-WG] SAML 2.0 Bearer Assertion Profile … Brian Eaton
- Re: [OAUTH-WG] SAML 2.0 Bearer Assertion Profile … Torsten Lodderstedt
- Re: [OAUTH-WG] SAML 2.0 Bearer Assertion Profile … Igor Faynberg
- Re: [OAUTH-WG] SAML 2.0 Bearer Assertion Profile … Brian Campbell
- Re: [OAUTH-WG] SAML 2.0 Bearer Assertion Profile … Anthony Nadalin
- Re: [OAUTH-WG] SAML 2.0 Bearer Assertion Profile … Brian Campbell
- Re: [OAUTH-WG] SAML 2.0 Bearer Assertion Profile … Anthony Nadalin
- Re: [OAUTH-WG] SAML 2.0 Bearer Assertion Profile … Brian Campbell
- Re: [OAUTH-WG] SAML 2.0 Bearer Assertion Profile … Anthony Nadalin
- Re: [OAUTH-WG] SAML 2.0 Bearer Assertion Profile … Eran Hammer-Lahav
- Re: [OAUTH-WG] SAML 2.0 Bearer Assertion Profile … Torsten Lodderstedt
- Re: [OAUTH-WG] SAML 2.0 Bearer Assertion Profile … Prateek Mishra
- Re: [OAUTH-WG] SAML 2.0 Bearer Assertion Profile … Paul Madsen
- Re: [OAUTH-WG] SAML 2.0 Bearer Assertion Profile … Chuck Mortimore
- Re: [OAUTH-WG] SAML 2.0 Bearer Assertion Profile … Brian Campbell
- Re: [OAUTH-WG] SAML 2.0 Bearer Assertion Profile … Brian Campbell
- Re: [OAUTH-WG] SAML 2.0 Bearer Assertion Profile … Prateek Mishra
- Re: [OAUTH-WG] SAML 2.0 Bearer Assertion Profile … Brian Campbell
- Re: [OAUTH-WG] SAML 2.0 Bearer Assertion Profile … Igor Faynberg