Re: [OAUTH-WG] Using OAuth to get a JWT/SAML token
Paul Madsen <paul.madsen@gmail.com> Fri, 20 April 2012 12:57 UTC
Return-Path: <paul.madsen@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8392A21F8702 for <oauth@ietfa.amsl.com>; Fri, 20 Apr 2012 05:57:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.598
X-Spam-Level:
X-Spam-Status: No, score=-3.598 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hvwYTfd0MijU for <oauth@ietfa.amsl.com>; Fri, 20 Apr 2012 05:57:43 -0700 (PDT)
Received: from mail-iy0-f172.google.com (mail-iy0-f172.google.com [209.85.210.172]) by ietfa.amsl.com (Postfix) with ESMTP id F085321F86E0 for <oauth@ietf.org>; Fri, 20 Apr 2012 05:57:42 -0700 (PDT)
Received: by iazz13 with SMTP id z13so16342892iaz.31 for <oauth@ietf.org>; Fri, 20 Apr 2012 05:57:42 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:date:from:user-agent:mime-version:to:cc:subject :references:in-reply-to:content-type; bh=06ScMnl8TmPQ2CedjGGfb6lr3epUNNVHnm232+wK0AI=; b=Bs4PuuwQomL+Yy7mAuD4eUZGX1gvjqSljOgpHjnILUE1mDnTTGUcipkFfZQpwC+z4V vVtRWEDD6cYPP9/RNFxB4UV+MtT+vMR83oBV9Q5mO1F1bS+rvIWt88ewx4dgt8qJJpv8 cakCqm5LqZ4hAxp8PFS7nQLGf+gBihLfKplZ0PKE9n/jrZve9hq/V8AksbSYWusCUmuw BRVQ22AGm5PP+zoHB1DeDegEXZhUCnTOIh3kqZ96EZ24nHeZUC4heJoqumWNPCV+rjRj XUP86Y3pcIIZVliZeG/yPQmhOvW5oMR1i0U1Bv+5bSLdglqgwR5qPgiuRHBvCnSwEDAF eQuQ==
Received: by 10.50.187.169 with SMTP id ft9mr5927989igc.59.1334926662561; Fri, 20 Apr 2012 05:57:42 -0700 (PDT)
Received: from pmadsen-mbp.local (CPE0022b0cb82b4-CM0012256eb4b4.cpe.net.cable.rogers.com. [99.224.20.155]) by mx.google.com with ESMTPS id m4sm8298665igw.1.2012.04.20.05.57.39 (version=SSLv3 cipher=OTHER); Fri, 20 Apr 2012 05:57:40 -0700 (PDT)
Message-ID: <4F915D42.9030903@gmail.com>
Date: Fri, 20 Apr 2012 08:57:38 -0400
From: Paul Madsen <paul.madsen@gmail.com>
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.28) Gecko/20120306 Thunderbird/3.1.20
MIME-Version: 1.0
To: Lewis Adam-CAL022 <Adam.Lewis@motorolasolutions.com>
References: <5jrlua1y80mdxtvpmygf5tp1.1334872982862@email.android.com> <59E470B10C4630419ED717AC79FCF9A9097843@BL2PRD0410MB363.namprd04.prod.outlook.com>
In-Reply-To: <59E470B10C4630419ED717AC79FCF9A9097843@BL2PRD0410MB363.namprd04.prod.outlook.com>
Content-Type: multipart/mixed; boundary="------------020900090709080206050101"
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Using OAuth to get a JWT/SAML token
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 20 Apr 2012 12:57:44 -0000
Hi Adam, FWIW I tried to tease out some of the choices & dependencies around OAuth for native apps in the enclosed deck YMMV paul On 4/19/12 6:11 PM, Lewis Adam-CAL022 wrote: > > Hi Paul, > > So by saying ‘more easily’ then there is nothing really inherently > preventing a native implementation from making the HTTP calls to the > AS directly, right? > > My use cases are a bit atypical from the web service driven models > that you guys are solving, but I think the technology should still > fit. The RS that my native client is talking to is **not** a web > service (I realize I’m not outside the bounds of OAuth-proper here). > But it’s easy enough for me to use OAuth to get an access-token and > include that in my message between my native client and my (non-web > service) RS. My RS can still introspect it against an OAuth STS. > > These native apps I’m speaking of, I’m attempting to retrofit with > OAuth, and today they already have native interfaces for accepting a > user’s logon and credentials … to pop a web browser would not be > intuitive to my customer base. > > I don’t see any reason I can’t implement this native within my client, > just want to be sure since the browser trick is such a prominent > trend, I want to be sure that there’s no gotcha I haven’t thought of. > > Tx! > adam > > *From:*Paul Madsen [mailto:paul.madsen@gmail.com] > *Sent:* Thursday, April 19, 2012 5:03 PM > *To:* Lewis Adam-CAL022; jricher@mitre.org > *Cc:* oauth@ietf.org > *Subject:* Re: [OAUTH-WG] Using OAuth to get a JWT/SAML token > > Using the browser as part of the AS interaction allows you to more > easily collect the users consent. > > Once you get the tokens based on that consent, everything is 'RESTful' > > > > > -------- Original message -------- > Subject: Re: [OAUTH-WG] Using OAuth to get a JWT/SAML token > From: Lewis Adam-CAL022 <Adam.Lewis@motorolasolutions.com> > To: Justin Richer <jricher@mitre.org> > CC: Re: [OAUTH-WG] Using OAuth to get a JWT/SAML token > > Hi Justin, > > There is one thing I have not understood about the whole external > browser vs. embedded browser guidance … and that is, why is **any** > browser needed? Java for example has an HTTP library, and OAuth is > RESTful. So why is it necessary to require the web browser at all, > whether external or embedded? Why can’t my native client make RESTful > API calls to the AS and RS natively? > > Tx! > > adam > > *From:*Justin Richer [mailto:jricher@mitre.org] > *Sent:* Friday, April 13, 2012 11:38 AM > *To:* Lewis Adam-CAL022 > *Cc:* oauth@ietf.org > *Subject:* Re: [OAUTH-WG] Using OAuth to get a JWT/SAML token > > If the mobile device has a web browser (such as a smart phone), then > this is pretty easy, and you've got a couple of options. > > One of the best options when the token is on behalf of an end user is, > in my opinion, to use the authorization code flow like this: First, > register what's called a "public client" with your server -- so you'll > get an ID but not a client secret. With that client ID, register a > custom-scheme callback URI, like "myapp://oauthcallback", and register > your app on the device as the handler for "myapp". > > In your application, to start things off, you fire off a web browser > to the authorization server's authorization endpoint. The user logs in > to the authorization server through the web browser, approves this > copy of your app, and gets redirected to > "myapp://oauthcallback?code=basdf132". Your app grabs the "myapp://" > url and plucks the authorization code off the end of it. Your app then > takes that code and sends it in the background to the token endpoint > to exchange for a token. > > Some key points: > > 1) You need to have access to a web browser on the platform, and it's > considered best practice to push the user to the external browser > application on the platform instead of embedding one. There are a > couple paragraphs in the spec's security considerations section that > talk about this. > 2) Your app is "public" because you can't publish it with a secret at > configuration time. It can, however, keep the tokens secret at runtime. > 3) You need to be very careful with how you store the tokens on the > device -- they need to be in a trusted space where other apps on the > device can't sniff them out. > 4) Another app can try to register "myapp://" and intercept your code > on the way through, so make sure your codes are all one time use and > short lived. > > None of this is just theoretically possible, people are doing it > today. What libraries and stuff you'd be after depends wholly on your > platform (both server and client side). > > -- Justin > > On 04/12/2012 03:01 PM, Lewis Adam-CAL022 wrote: > > Hi all, > > I’ve been talking to some of you off line about this already, but I > need some help in terms of implementation. I would like to use OAuth > as a means to get either a JWT or SAML token to a client running on a > handheld device. This is something that I’m looking to prototype (as > part of a larger project) beginning this week. So, it is important to > me to understand the divide between what is theoretically possible and > what is actually possible. > > Anybody aware of any implementations out there, either vendor or open > source, that I can use for this? > > Tx! > adam > > > > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org <mailto:OAuth@ietf.org> > https://www.ietf.org/mailman/listinfo/oauth >
- [OAUTH-WG] Using OAuth to get a JWT/SAML token Lewis Adam-CAL022
- Re: [OAUTH-WG] Using OAuth to get a JWT/SAML token Justin Richer
- Re: [OAUTH-WG] Using OAuth to get a JWT/SAML token Lewis Adam-CAL022
- Re: [OAUTH-WG] Using OAuth to get a JWT/SAML token John Bradley
- Re: [OAUTH-WG] Using OAuth to get a JWT/SAML token Lewis Adam-CAL022
- Re: [OAUTH-WG] Using OAuth to get a JWT/SAML token Paul Madsen
- Re: [OAUTH-WG] Using OAuth to get a JWT/SAML token Brian Campbell
- Re: [OAUTH-WG] Using OAuth to get a JWT/SAML token Lewis Adam-CAL022
- Re: [OAUTH-WG] Using OAuth to get a JWT/SAML token Lewis Adam-CAL022
- Re: [OAUTH-WG] Using OAuth to get a JWT/SAML token John Bradley
- Re: [OAUTH-WG] Using OAuth to get a JWT/SAML token William Mills
- Re: [OAUTH-WG] Using OAuth to get a JWT/SAML token Brian Campbell
- Re: [OAUTH-WG] Using OAuth to get a JWT/SAML token Paul Madsen
- Re: [OAUTH-WG] Using OAuth to get a JWT/SAML token Justin Richer