IETF Logo Mail Archive

Re: [OAUTH-WG] SAML 2.0 Bearer Assertion Profile for OAuth 2.0 draft

Torsten Lodderstedt <torsten@lodderstedt.net> Sun, 18 July 2010 15:48 UTC

Return-Path: <torsten@lodderstedt.net>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 2C04D3A695A for <oauth@core3.amsl.com>; Sun, 18 Jul 2010 08:48:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.151
X-Spam-Level:
X-Spam-Status: No, score=-2.151 tagged_above=-999 required=5 tests=[AWL=0.097, BAYES_00=-2.599, HELO_EQ_DE=0.35, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wgAHWhzMZ8-k for <oauth@core3.amsl.com>; Sun, 18 Jul 2010 08:48:46 -0700 (PDT)
Received: from smtprelay04.ispgateway.de (smtprelay04.ispgateway.de [80.67.31.32]) by core3.amsl.com (Postfix) with ESMTP id D99D03A6979 for <oauth@ietf.org>; Sun, 18 Jul 2010 08:48:45 -0700 (PDT)
Received: from p4ffd3f9f.dip.t-dialin.net ([79.253.63.159] helo=[127.0.0.1]) by smtprelay04.ispgateway.de with esmtpa (Exim 4.68) (envelope-from <torsten@lodderstedt.net>) id 1OaW6r-00051q-22; Sun, 18 Jul 2010 17:48:57 +0200
Message-ID: <4C432262.40204@lodderstedt.net>
Date: Sun, 18 Jul 2010 17:48:50 +0200
From: Torsten Lodderstedt <torsten@lodderstedt.net>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; de; rv:1.9.1.10) Gecko/20100512 Thunderbird/3.0.5
MIME-Version: 1.0
To: Brian Campbell <bcampbell@pingidentity.com>
References: <AANLkTinSrPUEauUsSWjVHN0KZu9LxHVaWRpanGAE3ZEC@mail.gmail.com>
In-Reply-To: <AANLkTinSrPUEauUsSWjVHN0KZu9LxHVaWRpanGAE3ZEC@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------000504090804060900080302"
X-Df-Sender: 141509
Cc: oauth <oauth@ietf.org>
Subject: Re: [OAUTH-WG] SAML 2.0 Bearer Assertion Profile for OAuth 2.0 draft
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 18 Jul 2010 15:48:48 -0000

Hi Brian,

thank you for taking the effort to write this I-D.

I have the following remarks:

Why do you prescribe to include the token endpoint URL into the 
SubjectConfirmationData and similar data also in the 
AudienceRestriction? I would expect such data in the AudienceRestriction 
only.

Why do you prohibit NotBefore-Attributes?

What the reason for that statement? "If the assertion was issued with 
the intention that the client act autonomously on behalf of the subject, 
an <AuthnStatement> SHOULD NOT be included." Do you expect the OAuth 
authorization server to authenticate the client anyway?

Your I-D states:
"The authorization server MUST ensure that bearer assertions are
       not replayed, by maintaining the set of used ID values for the
       length of time for which the assertion would be considered valid
       based on the NotOnOrAfter attribute in the
<SubjectConfirmationData>."

Why do you want to force a one-time usage for SAML assertions? This is 
to restrictive, in my opinion. Any issuing authority could enforce such 
a policy by using the "OneTimeUse" element.

2.3.  Error Response: I would suggest to return a 401 status code for 
invalid assertions since I see them as invalid credentials.

regards,
Torsten.

Am 15.07.2010 22:50, schrieb Brian Campbell:
> I'm gong to join the growing list of people attaching a potential I-D
> to an email due to he cut off time for the I-D submissions.  Attached
> is a draft that aims to tightly define the particular format of a SAML
> 2.0 bearer assertion in requesting an access token using the assertion
> grant_type.   I've been working with Chuck at Salesforce.com on this
> and the primary goal is to have some documentation or specification
> that is sufficient to facilitate interoperability between
> independently developed implementations or products.    This, of
> course, wouldn't preclude using SAML in other ways - it would only
> provide one concrete definition to implement against.
>
> I intend to submit this as an I-D when the submission process reopens.
>    Any feedback from this group would be appreciated as well as
> thoughts about this eventually becoming a working group draft.
>
> Thanks,
> Brian Campbell
>    
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>

v2.23.0 | Report a Bug | By Email