Re: [OAUTH-WG] First draft of OAuth 2.0

Chuck Mortimore <cmortimore@salesforce.com> Wed, 24 March 2010 16:10 UTC

From: Chuck Mortimore <cmortimore@salesforce.com>
To: Anthony Nadalin <tonynad@microsoft.com>, David Recordon <recordond@gmail.com>, Torsten Lodderstedt <torsten@lodderstedt.net>, Mark Mcgloin <mark.mcgloin@ie.ibm.com>
Date: Wed, 24 Mar 2010 09:10:36 -0700
Message-ID: <77AEC44D4DA08A46ADAA723286626BC12E2D43FA6E@EXSFM-MB01.internal.salesforce.com>
References: <OFF96BDDB5.0F452F7D-ON802576EF.003FF4EA-802576EF.0040455E@ie.ibm.com> <E558602B-48A1-4FB9-AB9D-0BC94DFCCC18@lodderstedt.net> <fd6741651003231047s419db471x98098a2e46aab168@mail.gmail.com>, <A08279DC79B11C48AD587060CD93977125EDADAF@TK5EX14MBXC103.redmond.corp.microsoft.com>
In-Reply-To: <A08279DC79B11C48AD587060CD93977125EDADAF@TK5EX14MBXC103.redmond.corp.microsoft.com>
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] First draft of OAuth 2.0

Agreed - I think that stems from my original note...sorry if it accidentally put words in your mouth.   I do believe that the original flow was authored by Dick when he was at Microsoft, and it's my understanding that you've actually pushed similar code; I've at least seen fairly detailed information indicating it can be used for integration of ADFS and Azure.

Is Microsoft interested in the flow?    I have lots of mutual Microsoft customers that ask me to support the pattern; I really hope that you see the same and are getting behind this.

-cmort
________________________________________
From: Anthony Nadalin [tonynad@microsoft.com]
Sent: Tuesday, March 23, 2010 9:53 PM
To: David Recordon; Torsten Lodderstedt; Chuck Mortimore; Mark Mcgloin
Cc: OAuth WG
Subject: RE: [OAUTH-WG] First draft of OAuth 2.0

I don't think that Microsoft ever indicated that we need the SAML flows.

-----Original Message-----
From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of David Recordon
Sent: Tuesday, March 23, 2010 10:48 AM
To: Torsten Lodderstedt; Chuck Mortimore; Mark Mcgloin
Cc: OAuth WG
Subject: Re: [OAUTH-WG] First draft of OAuth 2.0

Hey Chuck,
Thanks for rewriting the SAML flow into the style of my draft!  I really appreciate it.

I originally dropped the SAML flow because I hadn't seen support for it on the mailing list(s) the past two months.  I think that our default should be making the spec as short and simple as possible, so I removed a few things from WRAP in order to start conversations like this one.  It's now clear that Google, Microsoft, Salesforce, and IBM all need the SAML profile.  Chuck, I'll merge your wording in.  Want to be listed as an author?

We're also going to need to figure out which flows should be in the core spec versus which should be developed at the same time but in individual documents.

Thanks,
--David

On Tue, Mar 23, 2010 at 4:50 AM, Torsten Lodderstedt <torsten@lodderstedt.net> wrote:
> +1 for assertion support
>
> what about enhancing the flow #2.4 to accept any kind of user
> credentials (username/password, SAML assertions, other authz servers
> tokens)
>
> regards,
> Torsten.
>
> Am 23.03.2010 um 12:42 schrieb Mark Mcgloin <mark.mcgloin@ie.ibm.com>:
>
>> +1 for assertion profile. Was there any reason why it was dropped?
>>
>> On 3/23/10, Chuck Mortimore wrote:
>>>
>>> Just getting a chance to review this - I apologize for not getting
>>> this before the meeting started.
>>>
>>> We'd like to see some form of an Assertion Profile, similar to
>>> section 5.2 from draft-hardt-oauth-01.   We have strong customer
>>> use-cases for an assertion based flow, specifically SAML bearer
>>> tokens, and I believe Microsoft may have already shipped a minor
>>> variation on this ( wrap_SAML ) in Azure.
>>
>>
>> Mark McGloin
>
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
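An added illustration, not code from this thread, from WRAP or from draft-hardt-oauth-01: the checks an authorization server's token endpoint has to make before it exchanges a bearer assertion (the SAML case discussed above) for an access token. The assertion is modelled as a dict with SAML-like fields; the trusted-issuer table, the endpoint URL, the clock-skew allowance and the HMAC that stands in for an XML signature are all assumptions made so the example runs offline.

```python
import hashlib
import hmac
import json
import time

# Constructed trust configuration for a hypothetical authorization server.
TRUSTED_ISSUERS = {"https://idp.example.test": b"demo-shared-secret"}
TOKEN_ENDPOINT = "https://as.example.test/token"
MAX_CLOCK_SKEW = 60          # seconds of tolerated clock drift
SEEN_ASSERTION_IDS = set()   # replay cache (in-memory; a real AS would persist it)


def _mac(fields, key):
    # Stand-in for XML signature verification: MAC over canonicalised fields.
    payload = json.dumps(fields, sort_keys=True).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def sign_assertion(fields, key):
    """Constructed identity-provider side: attach a MAC over the assertion."""
    return {**fields, "signature": _mac(fields, key)}


def validate_bearer_assertion(assertion, now=None):
    """Return (accepted, reason); every rejection names its cause for logging."""
    now = time.time() if now is None else now
    fields = {k: v for k, v in assertion.items() if k != "signature"}
    key = TRUSTED_ISSUERS.get(fields.get("issuer"))
    if key is None:
        return False, "untrusted issuer"
    # Check integrity first; no other claim is trustworthy until it passes.
    if not hmac.compare_digest(_mac(fields, key), assertion.get("signature", "")):
        return False, "bad signature"
    # A bearer assertion must be addressed to this token endpoint, otherwise an
    # assertion issued for some other relying party could be presented here.
    if fields.get("audience") != TOKEN_ENDPOINT:
        return False, "audience mismatch"
    if fields.get("not_before", 0) > now + MAX_CLOCK_SKEW:
        return False, "not yet valid"
    if fields.get("not_on_or_after", 0) <= now - MAX_CLOCK_SKEW:
        return False, "expired"
    if not fields.get("subject"):
        return False, "missing subject"
    # Bearer assertions are one-shot: the same assertion id is never honoured twice.
    assertion_id = fields.get("id")
    if not assertion_id or assertion_id in SEEN_ASSERTION_IDS:
        return False, "missing or replayed assertion id"
    SEEN_ASSERTION_IDS.add(assertion_id)
    return True, "ok"
```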