[OAUTH-WG] OAuth for institutional users

Yunqi Zhang <zhangyunqi.cs@gmail.com> Thu, 02 February 2017 02:36 UTC

Return-Path: <zhangyunqi.cs@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id 49262129623 for <oauth@ietfa.amsl.com>; Wed, 1 Feb 2017 18:36:50 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.699
X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id vkpd_hqeHdoL for <oauth@ietfa.amsl.com>; Wed, 1 Feb 2017 18:36:48 -0800 (PST)
Received: from mail-wm0-x22c.google.com (mail-wm0-x22c.google.com [IPv6:2a00:1450:400c:c09::22c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7F05512948F for <oauth@ietf.org>; Wed, 1 Feb 2017 18:36:48 -0800 (PST)
Received: by mail-wm0-x22c.google.com with SMTP id r141so67558521wmg.1 for <oauth@ietf.org>; Wed, 01 Feb 2017 18:36:48 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:from:date:message-id:subject:to; bh=3OoxMr05lbCkRXxJctzZs1lUVwnftFFMYnnrZq3fn4A=; b=SR/uj3h+7RV/KNuNk5fcq+mxYgcH1g68Clb+dZrne4S9lD89N+t0o0PPwOQ1jjogy4 8vkX1mQOid8bB0YVezyYRr4jgVQ+CnFmiGkFu926JByBWGptDZYEsZGtgndn9Ch+KUW2 agFIaAJaBSjdRSKabEgCweASv63eBor9QgmKyJuEioTOygLr6NdzvRScqdLOTCFFt/u1 tvr8RNNmwa/UkFMaMMOFCodqDNv85TdM6MrGc6z/kVMVgYVNYJa0/c9suFk49PwTYswu Dlum8FBrB5qjrJ24S+QGgiV1oj/vDYq/lNgkCrpcRuWreW5Zn4RPVeF/q+JFTNPPY1ga HRCg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=3OoxMr05lbCkRXxJctzZs1lUVwnftFFMYnnrZq3fn4A=; b=SzSgu7hnubf402wxumX5MXaSvnnkG15CNYyaMIG76uAdq610qcRnIPJJV1pdNORJT1 rOyzz3y22I3QGes9JpMG2TRhXg0DH9Lotzw1cWgiXfH7nt4E98UtHcRqbWMdygR3jLnz VbCozRD+F4Htpk7POaOeS/rMm8TCp4xryvaTh6tkSx7LVLhq23pRe3xSt1YeZ8xx/He3 em1XH8nC5W1M+OmQ8H8nrcn7ITzF77vRNa4z4voJ4lxt2GZG7OQ+tolpJJF9a85xztnG nAOcEl1GRdA0MaPtgpKwhV2HdPvb9iO6cFe9sFwUhvkZYE/BNKWeWJwl23sDqg8GdAxf g1TQ==
X-Gm-Message-State: AIkVDXLoxL0wY1+EW+gCtOLeGqf0gu9FuJShMO5I0kgyKOIxK6CHGT0NaJgODF6u+WiNwNpZh2FYDYvg5biruw==
X-Received: by with SMTP id 2mr5654887wrq.75.1486003006440; Wed, 01 Feb 2017 18:36:46 -0800 (PST)
MIME-Version: 1.0
Received: by with HTTP; Wed, 1 Feb 2017 18:36:45 -0800 (PST)
From: Yunqi Zhang <zhangyunqi.cs@gmail.com>
Date: Wed, 1 Feb 2017 21:36:45 -0500
Message-ID: <CAHtvOp6j+YFdQFK+uK=3MN2vq+4UixUF4shwSPevux9QsZ1yXg@mail.gmail.com>
To: oauth@ietf.org
Content-Type: multipart/alternative; boundary=94eb2c0d22f05590c9054783097d
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/DUKobCLvxFXEzmPd0nxDm0LgzhY>
Subject: [OAUTH-WG] OAuth for institutional users
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 02 Feb 2017 02:37:52 -0000

Hi all,

I'm working on a set of API endpoints to allow institutions to manage their
users and records, and their users to read their own records.

Specifically, each institution will get a {client_id} and a {secret} after
registering with us, which allows them to create users under its
institution using [POST https://hostname/users/]. Then the institution can
also insert records for each user using [POST
https://hostname/users/:user_id/]. Once a user has been created, he/she can
read his/her own records using [GET https://hostname/users/:user_id/].

In this process, there are two types of authentications I would like to
achieve, which I'm thinking about using oauth. However, I am super new on
oauth and have four questions.

Institution authentication (e.g., company FOO will have READ and WRITE
access to https://hostname/ to create users under its own institution,
insert records for specific users): (1) Since this part of the system will
be created and run by the institution, this should be a "client credential
grant" using {client_id} and {secret} of the institution, correct?

End-user authentication (e.g., user John Doe of company FOO will have READ
access to https://hostname/users/:john_doe_user_id/ to read his own
personal records): (2) Because this part of the system will probably run on
the web/mobile app created by company FOO, this should be a "resource owner
credential grant" using {username}, {password} of the specific user,

(3) Because I am allow two types of different authentications, which will
use two types of different {access_token}s I assume, would that be
something weird (or hard to build) under the oauth model?

(4) What if the web/mobile app created by a subset of the companies already
has its own authentication and does not want to create another password for
each of its users, what should I do? For example, company FOO has its own
authentication for its web/mobile app and does not want to bother creating
another password for each of its user (i.e., requires only {username}),
whereas company BAR would like to create another password for each user
(i.e., requires {username} and {password}). What kind of authentication
model should I use for a scenario like this?

Thank you very much for your help!