Re: [OAUTH-WG] Status of draft-tschofenig-oauth-audience

Nat Sakimura <sakimura@gmail.com> Wed, 20 January 2016 23:06 UTC

Return-Path: <sakimura@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 505051B2A66 for <oauth@ietfa.amsl.com>; Wed, 20 Jan 2016 15:06:17 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0vBbj43BpK6X for <oauth@ietfa.amsl.com>; Wed, 20 Jan 2016 15:06:14 -0800 (PST)
Received: from mail-qk0-x22c.google.com (mail-qk0-x22c.google.com [IPv6:2607:f8b0:400d:c09::22c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EC6ED1B2A5B for <oauth@ietf.org>; Wed, 20 Jan 2016 15:06:13 -0800 (PST)
Received: by mail-qk0-x22c.google.com with SMTP id s5so9508478qkd.0 for <oauth@ietf.org>; Wed, 20 Jan 2016 15:06:13 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-type; bh=vwe9oJP28H9h43/qzbzcI78+caDoGb9+YMEum8RfbS8=; b=UD05Krn0TPsVnxY+i4EMuVDdshWTZSfVV5SK/WORYuEFOpI7mNQIb2igh6eOykbxYJ /fEDp31WYwtzXXczo9RgmTvhSzLRCHZAdlbDAhxI2oTe65TY10ZQg5MReJNajTOhfJNz QsoIcPeK+zAFvRqHmpNd3kGm+zdsovhz2pqQ181LkGgZyGPhpiOyVp82PbbhB8jVNOjt NwfjpHhq6z+OFDtVlyG1/m8vTDloXxkx1DSO8uMEJuG4OOBjRUH4zRZiu+mKwPRPQW9J /1qD+me95l9W/BaIswQH7xXirtl7honjDf7Nsn4FmQA03t2s8lR9anroO6eBi7SuDtlQ ADdA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-type; bh=vwe9oJP28H9h43/qzbzcI78+caDoGb9+YMEum8RfbS8=; b=KhseaYDvllgT6uQ8+rNHJrkER2uCTeu6JZJEzKzAaEwpXgYyZNhqDixw3kSIxnmrbO spaQvzLoyvsrzYdY4PQHdHVhTO4cm+43eUICmMmmcuNOqldxfsSJMZJRlwp+TUibGZSY z3/YmkKzEA1tBd4B5u2AASShyehiVnHQfqdAvOh+EJW0ovm6vfnguZgqGR4s8BGuULgD BynlISGUJaZnzBD4u0Vl+c8hWAQBebOULlO4XUiHsxUS1yIZxGhmm8Ai80+HLRgQK/9k g8E3YI2fgzCqt19eMlU6V8PnGeeol8JocTl9vIZ0rwbSQo8hUM78BBp9SQKL+tAmixkn uNGQ==
X-Gm-Message-State: ALoCoQkzhI+A11IHJqIHmlzb+O0cSLLQJhlBr+b2hdRT7W8/Rz51Wb5df+GXRDAM4MvafG1SYvKikMJN2LYLRpkT5fh+hcaNdA==
X-Received: by 10.55.20.211 with SMTP id 80mr48100919qku.67.1453331172898; Wed, 20 Jan 2016 15:06:12 -0800 (PST)
MIME-Version: 1.0
References: <CA+k3eCSpWFwyvk=XHP4b_zxzu-zrMYsS-axF6csO90-ahmkueQ@mail.gmail.com> <BY2PR03MB4423033D5604E9E36B20C23F5CA0@BY2PR03MB442.namprd03.prod.outlook.com> <5CA9073D-BBF7-48BD-BEC5-1F626E8C3818@mit.edu> <8EB68572-DA59-482D-A660-FA6D9848AAD2@oracle.com> <ade5692aa1afa2d9d79b8ac7a55bf150@lodderstedt.net> <5698CB3D.1030306@gmail.com> <69B0E23E-818A-4FE4-81A0-A8106EB6C312@ve7jtb.com> <5698F885.3030009@gmail.com> <569A69A5.7020006@connect2id.com> <A1C1786C-BE13-4D0F-9541-BEAE4DB8F284@mit.edu> <569ABB30.9060703@gmail.com> <569D0AE6.3060708@mit.edu> <569D0E86.60908@gmail.com> <569D1297.2000805@mit.edu> <569D1631.4030705@gmail.com> <569E1804.8010803@gmail.com> <569F60B3.3030501@gmail.com> <569F9955.9030001@gmx.net> <CA+k3eCTzX+DkuEzb5XdTxtouOgkdMfZxp=Ue4ZvDJLf0wCFdPA@mail.gmail.com> <BY2PR03MB442A47609A3B5AD87169294F5C20@BY2PR03MB442.namprd03.prod.outlook.com> <1D483C18-6103-4197-9AF0-D4FD80E8F17E@ve7jtb.com> <CABzCy2BZvvqZxmEGdf1b61Ra52W2jo-vak1gEHQ0_KhKg3aBNA@mail.gmail.com> <C45284CB-7E6C-4DDA-8475-6C608984D909@ve7jtb.com> <BY2PR03MB44200DD63CBEF54423164E6F5C20@BY2PR03MB442.namprd03.prod.outlook.com>
In-Reply-To: <BY2PR03MB44200DD63CBEF54423164E6F5C20@BY2PR03MB442.namprd03.prod.outlook.com>
From: Nat Sakimura <sakimura@gmail.com>
Date: Wed, 20 Jan 2016 23:06:02 +0000
Message-ID: <CABzCy2DZ7mbHfVKkObWqXdihb2agf1nLQoKFMmwk0K4gfMu+aA@mail.gmail.com>
To: Mike Jones <Michael.Jones@microsoft.com>, John Bradley <ve7jtb@ve7jtb.com>
Content-Type: multipart/alternative; boundary=001a114495464d3d7a0529cc08a9
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/Ej953KlB0arRQT8vrGC0mfIfv00>
Cc: oauth <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Status of draft-tschofenig-oauth-audience
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 Jan 2016 23:06:17 -0000

Correct. I am not saying specifying resource URI as audience is a bad
thing. In fact, I need it as described below. I am just asking for adding
another option.

For John's case, if the client started from an abstract resource type, then
the token endpoint first responds with the tokens and set of possible
resource endpoints, preferably with more specific rels.
Then, the client can make a second token request using the refresh token,
this time with the concrete resource endpoint URI, to get the access token
to that location.

Nat


2016年1月21日(木) 7:56 Mike Jones <Michael.Jones@microsoft.com>;:

> As I see it, John just said the same thing I did in parallel, using
> different words.
>
>
>
> *From:* John Bradley [mailto:ve7jtb@ve7jtb.com]
> *Sent:* Wednesday, January 20, 2016 2:56 PM
> *To:* Nat Sakimura
> *Cc:* Mike Jones; oauth
>
>
> *Subject:* Re: [OAUTH-WG] Status of draft-tschofenig-oauth-audience
>
>
>
> We have been talking about providing the resource or audience as the input.
>
>
>
> The resource type would be more abstract than audience.
>
>
>
> That is something we would need to discuss in a spec.
>
>
>
> The problem foe POP is that the same scope may cover multiple resource
> endpoints.  Especially when using a symmetric key you need to specify what
> Resource server you are sending the token to so that it can be encrypted
> with the correct key.
>
>
>
> John B.
>
> On Jan 20, 2016, at 7:47 PM, Nat Sakimura <sakimura@gmail.com>; wrote:
>
>
>
> +1
>
>
>
> Also, I have always thought that it would be good if one could ask for a
> particular resource type, and the server could respond with the actual
> location of it with the associated access token. This is because it is
> often undesirable to tell the client the location of the resource before
> the authorization from the privacy point of view.
>
>
>
> So, the processing flow in this case will be:
>
>
>
>    1. The client request an access to the resource type in the scope of
>    the authorization request.
>    2. The client request an access token to the resource type to the
>    token endpoint with audience/resource/scope parameter.
>    3. The token endpoint responds with token response with oauth-meta
>    header indicating the URL of the resource as in  draft-sakimura-oauth-meta.
>
> Best,
>
>
>
> Nat
>
>
>
>
>
> 2016年1月21日(木) 7:27 John Bradley <ve7jtb@ve7jtb.com>;:
>
> +1
>
>
>
> On Jan 20, 2016, at 7:25 PM, Mike Jones <Michael.Jones@microsoft.com>;
> wrote:
>
>
>
> As mentioned in Prague, Azure Active Directory uses a “resource” request
> parameter to supply the URL of the resource server that the access token is
> intended for.  However, I believe that Google uses scope values for this
> and some Microsoft services are moving towards using scope values as well.
> Sorting this out soon would be good.
>
>
>
>                                                                 -- Mike
>
>
>
> *From:* OAuth [mailto:oauth-bounces@ietf.org <oauth-bounces@ietf.org>] *On
> Behalf Of *Brian Campbell
> *Sent:* Wednesday, January 20, 2016 2:18 PM
> *To:* Hannes Tschofenig
> *Cc:* oauth
> *Subject:* Re: [OAUTH-WG] Status of draft-tschofenig-oauth-audience
>
>
>
> There does seem to be a need to provide the client a means of telling the
> AS the place(s) and/or entity(s) where it intends to use the token it's
> asking for. And that it's common enough to warrant it's own small spec.
> This has come up several times before and I think has some consensus behind
> doing it. What needs to happen to move forward?
>
> The concept shows up in these three different drafts (that I know of
> anyway):
>
>
> https://tools.ietf.org/html/draft-tschofenig-oauth-audience-00#section-3 has
> an audience parameter
>
> https://tools.ietf.org/html/draft-ietf-oauth-pop-key-distribution-02#section-3 has
> an aud parameter
> http://tools.ietf.org/html/draft-ietf-oauth-token-exchange-03#section-2.1 has
> both an audience and a resource resource
>
> All the above apply only to the token request. However, there are ways of
> requesting/obtaining access tokens that don't involve the token endpoint
> <https://tools.ietf.org/html/rfc6749#section-4.2> so I think it follows
> that  the same facility should be available for the authorization request
> too.
>
>
>
> On Wed, Jan 20, 2016 at 7:27 AM, Hannes Tschofenig <
> hannes.tschofenig@gmx.net>; wrote:
>
> Hi Sergey,
>
> that's a good question. After this document was published the
> functionality had been integrated into the PoP solution document.
> Recently, I got feedback that the functionality should be more generic
> and it is independent of the PoP work.
>
> So, I guess it is a good time to discuss the needed functionality and
> where it should be included.
>
> Ciao
> Hannes
>
>
>
> On 01/20/2016 11:25 AM, Sergey Beryozkin wrote:
> > Hi
> >
> > Given that the draft-tschofenig-oauth-audience [1] has expired, I'm
> > wondering if it is still relevant.
> >
> > I know the token introspection response can provide the audience
> > value(s), but the question is really how a client is associated with a a
> > given audience in the first place. As such [1] may still make sense, for
> > example, I can think of two options:
> > 1. the client audiences are set out of band during the client
> > registration time and all the tokens issued to that client will be
> > restricted accordingly
> > 2. the client is requesting a specific audience during the grant to
> > token exchange as per [1]
> >
> > I guess 1. is how it is done in practice or is 2. is also a valid option
> ?
> >
> >
> > Thanks, Sergey
> >
> >
> > [1] https://tools.ietf.org/html/draft-tschofenig-oauth-audience-00
> >
> > _______________________________________________
> > OAuth mailing list
> > OAuth@ietf.org
> > https://www.ietf.org/mailman/listinfo/oauth
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
>
>