Re: [OAUTH-WG] Client cannot specify the token type it needs

zhou.sujing@zte.com.cn Mon, 21 January 2013 07:38 UTC


Prabath Siriwardena <prabath@wso2.com> wrote on 2013-01-21 15:27:57:

> I guess that is a pattern used many scenarios. Requesting client can
> suggest - but its up to the AS to honor it or not...

Not exactly. For example, RS supports two token types, one is bearer token, 
another is holder-of-key which is assumed more secure than the first one.
RS really wants the second type, but (a dishonest) client, always 
choosing the weakest, requests the first one. 
What is the meaning for client to specify the token type? 

> 
> Thanks & regards,
> -prabath

> On Mon, Jan 21, 2013 at 12:43 PM, <zhou.sujing@zte.com.cn> wrote:
> 
> William Mills <wmills_92105@yahoo.com> wrote on 2013-01-21 13:44:45:
> 
> 
> > Not a problem for the client to request a type, but it may not get it.
> 
> I don't object client requesting a type, but I think it is 
> meaningful only when the requested type is specified by a RS, 
> and client just relay that request to AS. 
> 
> > 
> > From: "zhou.sujing@zte.com.cn" <zhou.sujing@zte.com.cn>
> > To: Prabath Siriwardena <prabath@wso2.com> 
> > Cc: "oauth@ietf.org WG" <oauth@ietf.org>; William Mills 
> > <wmills_92105@yahoo.com> 
> > Sent: Sunday, January 20, 2013 9:38 PM
> > Subject: Re: Re: Re: [OAUTH-WG] Client cannot specify the token 
> type it needs 
> > 
> > 
> > Well, if RS could specify token type, then Client could transfer it to AS, 
> > I think, but it is not a good idea for client itself to specify the 
> > token type. 
> > 
> > 
> > Prabath Siriwardena <prabath@wso2.com> wrote on 2013-01-21 13:29:05:
> > 
> > > Think about a distributed setup. You have single Authorization 
> > > Server and multiple Resource Servers. 
> > > 
> > > Although OAuth nicely decouples AS from RS - AFAIK there is no 
> > > standard established for communication between AS and RS - how to 
> > > declare metadata between those. 
> > > 
> > > Also there can be Resource Servers which support multiple token 
> > > types. It could vary on APIs hosted in a given RS. 
> > > 
> > > Thanks & regards, 
> > > -Prabath 
> > > 
> > > On Mon, Jan 21, 2013 at 10:48 AM, <zhou.sujing@zte.com.cn> wrote: 
> > > 
> > > The token type should be decided by resource server, which consumes 
> > > access token. 
> > > Client just re-tell the requested token type to AS. 
> > > Client should not specify the token type. 
> > > 
> > > 
> > > oauth-bounces@ietf.org wrote on 2013-01-21 13:08:39: 
> > > 
> > > 
> > > > This is true.  It's possible for the AS to vary its behavior on 
> > > > scope name, but it's presumed the AS and RS have an agreement of 
> > > > what token type is in play.  Likely a good extension to the spec. 
> > > 
> > > > 
> > > > From: Prabath Siriwardena <prabath@wso2.com>
> > > > To: "oauth@ietf.org WG" <oauth@ietf.org> 
> > > > Sent: Sunday, January 20, 2013 7:28 PM
> > > > Subject: [OAUTH-WG] Client cannot specify the token type it needs 
> > > 
> > > > 
> > > > Although token type is extensible according to the OAuth core 
> > > > specification - it is fully governed by the Authorization Server. 
> > > > 
> > > > There can be a case where a single AS supports multiple token types 
> > > > based on client request. 
> > > > 
> > > > But currently we don't have a way the client can specify (or at 
> > > > least suggest) which token type it needs in the OAuth access 
> > > > token request? 
> > > > 
> > > > Is this behavior intentional ? or am I missing something... 
> > > > 
> > > > Thanks & Regards,
> > > > Prabath 
> > > > 
> > > > Mobile : +94 71 809 6732 
> > > > 
> > > > http://blog.facilelogin.com
> > > > http://RampartFAQ.com 
> > > > 
> > > > _______________________________________________
> > > > OAuth mailing list
> > > > OAuth@ietf.org
> > > > https://www.ietf.org/mailman/listinfo/oauth
> > > 
> > 
> > > 
> > > -- 
> > > Thanks & Regards,
> > > Prabath 
> > > 
> > > Mobile : +94 71 809 6732 
> > > 
> > > http://blog.facilelogin.com
> > > http://RampartFAQ.com 
> > 
> 

> 
> -- 
> Thanks & Regards,
> Prabath
> 
> Mobile : +94 71 809 6732 
> 
> http://blog.facilelogin.com
> http://RampartFAQ.com
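The objection raised in this thread (a client that always asks for the weakest token type when the RS wants holder-of-key) can be addressed at the AS by treating the client's request as a hint and the RS's declared requirement as a floor. The following is an added illustration, not code from the thread or from any OAuth implementation; the RS registry layout, the token-type labels and `decide_token_type` are hypothetical.

```python
"""Added example: an authorization server that accepts a client's token-type
suggestion but never issues a weaker type than the resource server declared.
All names here are hypothetical, not from the OAuth specification."""

from dataclasses import dataclass
from typing import Optional

# Token types ordered by the protection they give (higher = stronger).
# The thread assumes holder-of-key (proof-of-possession) beats bearer.
STRENGTH = {"bearer": 0, "holder-of-key": 1}

# Constructed registry: minimum token type each resource server (by audience)
# declares it will accept. In the thread's model the RS makes this decision.
RS_POLICY = {
    "https://photos.example": "bearer",
    "https://payments.example": "holder-of-key",
}


@dataclass
class TokenDecision:
    token_type: str        # type the AS will actually issue
    honored_request: bool  # True only if the client's suggestion was used
    reason: str


def decide_token_type(audience: str, requested: Optional[str]) -> TokenDecision:
    """Pick the token type for an access token aimed at `audience`.

    The client's `requested` value is a suggestion only: the AS never drops
    below the RS minimum, and unknown audiences or types are rejected rather
    than silently falling back to bearer."""
    if audience not in RS_POLICY:
        raise ValueError(f"unknown resource server: {audience}")
    floor = RS_POLICY[audience]
    if requested is None:
        return TokenDecision(floor, False, "no request; using RS minimum")
    if requested not in STRENGTH:
        raise ValueError(f"unsupported token type: {requested}")
    if STRENGTH[requested] < STRENGTH[floor]:
        # The downgrade the thread worries about: the AS keeps the RS floor.
        return TokenDecision(floor, False,
                             f"{requested} is below RS minimum {floor}")
    return TokenDecision(requested, True, "request meets RS minimum")


if __name__ == "__main__":
    for aud, req in [("https://payments.example", "bearer"),
                     ("https://photos.example", "holder-of-key"),
                     ("https://photos.example", None)]:
        d = decide_token_type(aud, req)
        print(f"{aud} requested={req!r} -> {d.token_type} ({d.reason})")
```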