Re: [OAUTH-WG] Cross Platform Authentication - OAuth 2.0 Device Flow - WWW-Authenticate to advertise OAuth 2.0 support
"Manger, James" <James.H.Manger@team.telstra.com> Mon, 16 May 2016 01:06 UTC
Return-Path: <James.H.Manger@team.telstra.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ED1A412B026 for <oauth@ietfa.amsl.com>; Sun, 15 May 2016 18:06:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.609
X-Spam-Level:
X-Spam-Status: No, score=-2.609 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, T_KAM_HTML_FONT_INVALID=0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7eTBYZMT0260 for <oauth@ietfa.amsl.com>; Sun, 15 May 2016 18:06:32 -0700 (PDT)
Received: from ipxbvo.tcif.telstra.com.au (ipxbvo.tcif.telstra.com.au [203.35.135.204]) by ietfa.amsl.com (Postfix) with ESMTP id 9BD8112B01F for <oauth@ietf.org>; Sun, 15 May 2016 18:06:31 -0700 (PDT)
X-IronPort-AV: E=Sophos; i="5.24,625,1454936400"; d="scan'208,217"; a="78751045"
Received: from unknown (HELO ipcbvi.tcif.telstra.com.au) ([10.97.217.204]) by ipobvi.tcif.telstra.com.au with ESMTP; 16 May 2016 11:05:59 +1000
X-IronPort-AV: E=McAfee;i="5700,7163,8166"; a="148187809"
Received: from wsmsg3707.srv.dir.telstra.com ([172.49.40.81]) by ipcbvi.tcif.telstra.com.au with ESMTP; 16 May 2016 11:05:59 +1000
Received: from WSMSG3153V.srv.dir.telstra.com ([172.49.40.159]) by WSMSG3707.srv.dir.telstra.com ([fe80::ccc:aa8f:d2a6:740%28]) with mapi; Mon, 16 May 2016 11:05:58 +1000
From: "Manger, James" <James.H.Manger@team.telstra.com>
To: Nat Sakimura <sakimura@gmail.com>, Hannes Tschofenig <hannes.tschofenig@gmx.net>, "oauth@ietf.org" <oauth@ietf.org>, "barroco@ebu.ch" <barroco@ebu.ch>
Date: Mon, 16 May 2016 11:05:18 +1000
Thread-Topic: [OAUTH-WG] Cross Platform Authentication - OAuth 2.0 Device Flow - WWW-Authenticate to advertise OAuth 2.0 support
Thread-Index: AdGt9pX5Sla7uEe6TK6QOtWWgclRWQBFLJEQ
Message-ID: <255B9BB34FB7D647A506DC292726F6E13BD1663C5F@WSMSG3153V.srv.dir.telstra.com>
References: <255B9BB34FB7D647A506DC292726F6E13BD166320F@WSMSG3153V.srv.dir.telstra.com> <CABzCy2D4KVoUHjV67wcjtzUWauyGSAL+KFXix4NoQZkE=0k_ZQ@mail.gmail.com>
In-Reply-To: <CABzCy2D4KVoUHjV67wcjtzUWauyGSAL+KFXix4NoQZkE=0k_ZQ@mail.gmail.com>
Accept-Language: en-US, en-AU
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US, en-AU
Content-Type: multipart/alternative; boundary="_000_255B9BB34FB7D647A506DC292726F6E13BD1663C5FWSMSG3153Vsrv_"
MIME-Version: 1.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/Ent_cgNWQ6NRBhc7i_3q29la7E4>
Subject: Re: [OAUTH-WG] Cross Platform Authentication - OAuth 2.0 Device Flow - WWW-Authenticate to advertise OAuth 2.0 support
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 16 May 2016 01:06:35 -0000
Hi Nat, RFC6750 “OAuth 2.0 Bearer Token Usage” section 3 “The WWW-Authenticate Response Header Field” is a start, but it isn’t really suitable. Firstly, it is a Bearer-specific, whereas we need is a way to say “OAuth 2.0 is available” regardless of the type of temporary credentials that get issued. It doesn’t include pointers to he AS, which CPA presumably require as their example includes this (I guess a link header can work, though including auth-specific info in a dedicated auth- header when auth is required but missing sounds like a decent fit). Curiously, 1 of the 2 example scope values mentioned in RFC6750 section 3 for the WWW-Authenticate header has “openid”, but this is the one values that will never be useful there. scope=openid means the client app wants an id-token; it is pointless for a protected resource (which is the party returning WWW-Authenticate) to ask for it. -- James Manger From: Nat Sakimura [mailto:sakimura@gmail.com] Sent: Sunday, 15 May 2016 1:38 AM To: Manger, James <James.H.Manger@team.telstra.com>; Hannes Tschofenig <hannes.tschofenig@gmx.net>; oauth@ietf.org; barroco@ebu.ch Subject: Re: [OAUTH-WG] Cross Platform Authentication - OAuth 2.0 Device Flow - WWW-Authenticate to advertise OAuth 2.0 support Hi James, Does not the section 3 of RFC6750 talk about it? If you are talking about uri parameter that represents the AS, then, yes, I think it is a good idea to have one, though IMHO it is better to be returned in a link header. Best, Nat On Fri, May 13, 2016 at 04:04 Manger, James <James.H.Manger@team.telstra.com<mailto:James.H.Manger@team.telstra.com>> wrote: Hi Michael & OAuth-ers, The EBU Cross Platform Auth spec has defined their own "CPA" scheme for the WWW-Authenticate HTTP response header to advertise OAuth 2.0 capability [section 7.7.1 "Authentication challenge" in https://tech.ebu.ch/docs/tech/tech3366.pdf]. WWW-Authenticate: CPA version="1.0" name="Example Authorization Provider" uri="https://ap.example.com/cpa" modes="client,user" It is a shame that there isn’t a standard OAuth way to do this without needing a CPA-specific scheme. P.S. This CPA example is invalid. It needs commas between attributes [https://tools.ietf.org/html/rfc7235#appendix-C]. -- James Manger -----Original Message----- From: OAuth [mailto:oauth-bounces@ietf.org<mailto:oauth-bounces@ietf.org>] On Behalf Of Hannes Tschofenig Sent: Wednesday, 11 May 2016 8:48 PM To: oauth@ietf.org<mailto:oauth@ietf.org> Subject: [OAUTH-WG] OAuth 2.0 for broadcasters Hi all, End of April I had the chance to talk to Michael Barroco (from the European Broadcasting Union) and to Chris Needham (from the BBC) regarding their use of OAuth 2.0 for broadcasters. In March Michael dropped a mail to the OAuth mailing list to make us aware of their work, see https://www.ietf.org/mail-archive/web/oauth/current/msg15969.html The specification they are working on is based on the OAuth Device flow. Michael and Chris walked me through a slide deck offering me more background regarding their work. (I will upload the slide deck to our Wiki but the IETF meeting site seems to be down at the moment.) In addition to the specification code and tutorials have been developed and you can find them here: https://github.com/ebu/cpa-tutorial https://tech.ebu.ch/code I gave Chris & Michael an update of what we are doing in the OAuth working group since I believe some of our currently chartered items could be relevant for them, such as the native apps BCP or the PoP/Token Binding work. I also mentioned that we are looking for feedback from their group on the Device Flow specification. Ciao Hannes From: "Barroco, Michael" <barroco at ebu.ch<http://ebu.ch>> To: "oauth at ietf.org<http://ietf.org>" <oauth at ietf.org<http://ietf.org>> Cc: "tvp-cpa at list.ebu.ch<http://list.ebu.ch>" <tvp-cpa at list.ebu.ch<http://list.ebu.ch>> Date: Mon, 7 Mar 2016 08:43:56 +0000 Dear all, We are contacting you because we noticed that you recently restarted the work on OAuth 2.0 Device Flow. We are in the process of publishing an ETSI standard [1] specifying a protocol with very similar goals. This has been developed by an EBU (European Broadcasting Union) working group involving broadcasters, such as BBC, SRG-RTS, VRT, RTVE, TVP, Global Radio UK, and device manufacturers. Our work on the “Cross Platform Authentication” protocol targets media devices, such as connected TVs and radio receivers. It is based on the early OAuth 2.0 Device Flow draft, but includes additional features driven by broadcast industry requirements. These include: dynamic registration of clients, dynamic discovery of the authorization provider, and issuing of access tokens without requiring association with a user account in order to provide device-based authentication that does not require user sign-in or pairing. Our draft protocol specification is available here [2]. Cross Platform Authentication also specifies several aspects left open to implementers in OAuth 2.0, such as endpoint URL paths, to facilitate interoperability. Also note that reference implementations are available [3]. We would be very interested in working together with you to explain our design requirements and try to align our protocol designs. With best regards, The EBU Cross Platform Authentication group https://tech.ebu.ch/cpa [1] https://portal.etsi.org/webapp/WorkProgram/Report_WorkItem.asp?WKI_ID=47970 [2] https://tech.ebu.ch/docs/tech/tech3366.pdf [3] https://tech.ebu.ch/code/cpa ------------------------------------------------------------------------------ _______________________________________________ OAuth mailing list OAuth@ietf.org<mailto:OAuth@ietf.org> https://www.ietf.org/mailman/listinfo/oauth -- Nat Sakimura Chairman of the Board, OpenID Foundation Trustee, Kantara Initiative
- Re: [OAUTH-WG] Cross Platform Authentication - OA… Manger, James
- Re: [OAUTH-WG] Cross Platform Authentication - OA… Nat Sakimura
- Re: [OAUTH-WG] Cross Platform Authentication - OA… Manger, James