Re: [OAUTH-WG] Oauth Server to Server
Chuck Mortimore <cmortimore@salesforce.com> Tue, 24 September 2013 14:57 UTC
References: <832FA2A6-D0DD-45D0-9107-7EE02B6793B7@adobe.com> <CA+k3eCSVwT15wBwuCZNy1EuiVOSwVg+TThVvWnbwZ1wHVvfA-A@mail.gmail.com> <7558541E-3517-4F71-A049-6143D4247738@adobe.com>
From: Chuck Mortimore <cmortimore@salesforce.com>
In-Reply-To: <7558541E-3517-4F71-A049-6143D4247738@adobe.com>
Date: Tue, 24 Sep 2013 07:57:36 -0700
Message-ID: <1510634430014420341@unknownmsgid>
To: Antonio Sanso <asanso@adobe.com>
Cc: "oauth@ietf.org WG" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Oauth Server to Server
I'm not sure I understand your point here. I don't believe there is anything custom or special about the Google implementation here vs JWT. It looks identical to our implementation. Can you elaborate?

- cmort

On Sep 24, 2013, at 5:57 AM, Antonio Sanso <asanso@adobe.com> wrote:

Hi Brian,

thanks a lot for your pointer. What the custom Google flow provides more than the OAuth JWT bearer draft is IMHO an explicit way to build a JWT without any 'human interaction', so a server can handle the construction of an expired JWT bearer token on its own. This can of course be figured out by any implementer (as the Google folks obviously did), but it would be nice to provide this black on white in a spec IMHO.

regards

Antonio

On Sep 24, 2013, at 2:35 PM, Brian Campbell <bcampbell@pingidentity.com> wrote:

Might this http://tools.ietf.org/html/draft-ietf-oauth-jwt-bearer be what you're looking for?

On Tue, Sep 24, 2013 at 6:08 AM, Antonio Sanso <asanso@adobe.com> wrote:

> Hi *,
>
> apologies to be back to this argument :).
>
> Let me try to better explain one use case that IMHO would be really good to have in the OAuth specification family :)
>
> At the moment the only "OAuth standard" way I know to do OAuth server to server is to use [0], namely Resource Owner Password Credentials Grant.
>
> Let me tell you I am not a big fan of this particular flow :) (but this is another story).
>
> An arguably better way to solve this scenario is to use (and why not to standardise :S?) the method used by Google (or a variant of it), see [1].
>
> A couple of more things:
>
> - I do not know if Google would be interested to put some effort to standardise it (is anybody from Google lurking :) e.g. Tim Bray :D )
> - I am not too familiar with the IETF process. Would the OAuth WG take into consideration such a proposal draft??
>
> Thanks and regards
>
> Antonio
>
> [0] http://tools.ietf.org/html/rfc6749#section-4.3
> [1] https://developers.google.com/accounts/docs/OAuth2ServiceAccount
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
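The flow the thread is debating (a server minting a short-lived JWT on its own and exchanging it for an access token with grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer) is shown below as an added example. It is not code from the thread, from Google's service-account implementation or from Salesforce. To stay self-contained it signs with HS256 over a constructed shared secret; the JWT bearer draft and the Google flow use RS256 with a key registered for the client, so the `registered_clients` lookup would hold public keys rather than secrets. Endpoint, client id and timestamps are constructed sample values. The validator side is what a token endpoint should check before accepting such an assertion: algorithm allowlist, known issuer, signature, audience, expiry with bounded skew, and a cap on the assertion lifetime.

```python
"""Build and validate an OAuth 2.0 JWT bearer assertion (added example).

Client side: build_assertion() and token_request_body().
Authorization-server side: validate_assertion().
HS256 with a shared secret is used only so the example runs offline;
real deployments use RS256 with a key registered for the client.
"""
import base64
import hashlib
import hmac
import json
import time

GRANT_TYPE = "urn:ietf:params:oauth:grant-type:jwt-bearer"

# Constructed sample values; none of these come from the thread.
TOKEN_ENDPOINT = "https://as.example.com/token"
CLIENT_ID = "service-account-1@example.com"
CLIENT_SECRET = b"constructed-shared-secret-for-hs256-demo"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _compact(obj) -> bytes:
    return json.dumps(obj, separators=(",", ":"), sort_keys=True).encode()


def build_assertion(issuer, audience, secret, now=None, lifetime=300):
    """Client side: mint a short-lived assertion with no human interaction."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    # iss/sub identify the client itself; aud is the token endpoint.
    claims = {"iss": issuer, "sub": issuer, "aud": audience,
              "iat": now, "exp": now + lifetime}
    signing_input = _b64url(_compact(header)) + "." + _b64url(_compact(claims))
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def token_request_body(assertion):
    """Form fields POSTed to the token endpoint for the JWT bearer grant."""
    return {"grant_type": GRANT_TYPE, "assertion": assertion}


def validate_assertion(jwt, expected_audience, registered_clients,
                       now=None, max_skew=60, max_lifetime=3600):
    """Server side. Returns (ok, reason, claims); claims is None on failure."""
    now = int(time.time()) if now is None else now
    parts = jwt.split(".")
    if len(parts) != 3:
        return False, "malformed", None
    try:
        header = json.loads(_b64url_decode(parts[0]))
        claims = json.loads(_b64url_decode(parts[1]))
    except (ValueError, UnicodeDecodeError):
        return False, "malformed", None
    # Allowlist the algorithm; never let the token pick "none" or a downgrade.
    if header.get("alg") != "HS256":
        return False, "alg not allowed", None
    # iss is unauthenticated at this point: use it only to select the key.
    issuer = claims.get("iss")
    secret = registered_clients.get(issuer)
    if secret is None:
        return False, "unknown issuer", None
    signing_input = (parts[0] + "." + parts[1]).encode("ascii")
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(parts[2])):
        return False, "bad signature", None
    # Only now are the claims trustworthy.
    if claims.get("aud") != expected_audience:
        return False, "wrong audience", None
    exp, iat = claims.get("exp"), claims.get("iat")
    if not isinstance(exp, int):
        return False, "missing exp", None
    if exp <= now - max_skew:
        return False, "expired", None
    if isinstance(iat, int):
        if iat > now + max_skew:
            return False, "issued in the future", None
        if exp - iat > max_lifetime:
            return False, "lifetime too long", None
    return True, "ok", claims


if __name__ == "__main__":
    assertion = build_assertion(CLIENT_ID, TOKEN_ENDPOINT, CLIENT_SECRET)
    print(token_request_body(assertion))
    print(validate_assertion(assertion, TOKEN_ENDPOINT, {CLIENT_ID: CLIENT_SECRET}))
```

The order of checks matters: the key is selected by the unauthenticated `iss` claim, the signature is verified, and only then are `aud`, `exp` and `iat` read as trusted. A production validator would additionally track `jti` values to reject replays within the assertion's lifetime.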