Re: [OAUTH-WG] Assertion flow: please add optional refresh_token in response
George Fletcher <gffletch@aol.com> Tue, 15 June 2010 15:40 UTC
Message-ID: <4C179ED4.1060303@aol.com>
Date: Tue, 15 Jun 2010 11:40:04 -0400
From: George Fletcher <gffletch@aol.com>
Organization: AOL LLC
To: Andrew Arnott <andrewarnott@gmail.com>
References: <AANLkTil1viRqVgwJzmq7N1W21TPeT5RuclBF5DmPvVVM@mail.gmail.com> <90C41DD21FB7C64BB94121FBBC2E72343B3EBB68C9@P3PW5EX1MB01.EX1.SECURESERVER.NET> <AANLkTilRNaMzu9018HcZLb_j-vKbh4Mtl1LR_BYtnro-@mail.gmail.com> <A3F81FEE-7C52-4DD1-8261-C86FAFF3E1D5@gmail.com> <AANLkTilxAaLgOZwCDXnCvTII6Q82cCs7aajL2pxb7ij3@mail.gmail.com>
In-Reply-To: <AANLkTilxAaLgOZwCDXnCvTII6Q82cCs7aajL2pxb7ij3@mail.gmail.com>
Cc: "OAuth WG (oauth@ietf.org)" <oauth@ietf.org>
To me, the use case described is more similar to the "Username and Password flow" but where the user credentials are NOT username & password. Should we have two "user credential" flows? (1) Username and Password and (2) assertion/token?

I can see it being useful to have a "user credential" flow that allows for other means of verifying the user identity than just username and password. Otherwise, I think the semantics of the flow should be the same.

Thoughts?

Thanks,
George

On 6/15/10 11:19 AM, Andrew Arnott wrote:
> Hi Dick,
>
> Responses inline.
>
> On Tue, Jun 15, 2010 at 7:12 AM, Dick Hardt <dick.hardt@gmail.com> wrote:
>
> > Why can the client app access the AS to get an access token but
> > not the corporate network to get a new assertion?
>
> The corporate network where the AD lives is behind a firewall, whereas
> the AS is on the public Internet. So when the client is on the public
> Internet, the AD is not available but the AS is. Also, the resource
> server is on the public Internet (probably obvious).
>
> > How does the client app get the assertion to begin with? How did
> > delegation from the user happen?
>
> There are two possible scenarios here, which I will outline and inject
> the steps in each scenario:
>
> 1. The client app is initially launched while on the corporate network
>    1. The client sends an HTTP request to an endpoint on a corpnet AS(1)
>       (directly -- not through a browser), which sniffs the request for
>       NTLM credentials (or however Windows auth does it) and if present
>       immediately responds with an authorization code (a.k.a.
>       verification code) rather than prompting the user for permission.
>       This is considered reasonable in this application because the
>       client is already running on a trusted machine and the privacy
>       ramifications are minimal.
>    2. The client app exchanges the authorization code for a refresh
>       token and an access token at the AS(2) token endpoint, which lies
>       outside the corporate firewall, and can thereby refresh access
>       tokens when the client is off corpnet.
>    3. All resource requests use an OAuth access token to gain access.
> 2. The client app is initially launched off the corporate network.
>    1. This just uses the standard user agent or web server flows,
>       including prompting the user for authorization.
>
> > Would you elaborate more on the use case so that we can understand
> > the full trust model?
>
> Perhaps my description above covers this question. I'll just add that
> the goal is to make the authorization process as painless (or
> altogether absent from the user's point of view) as possible. We're
> also considering providing customized app downloads to each user based
> on the Windows auth user that downloads the .zip file, such that the
> client app includes a file containing the authorization code encoded
> for that particular user.
>
> > The assertion flow was intended for autonomous clients rather than
> > user delegation -- hence Brian's response and mine that this is a
> > different flow if the access token is for user delegation.
>
> That makes sense.
>
> > Are you envisioning the client makes a call to AD to get an
> > assertion where the call is automagically authenticated as the
> > user by NTLM?
>
> Perhaps my scenarios above clarified this. My client never explicitly
> calls AD though. Whether that happens implicitly by the Windows
> platform, I don't know.
>
> > What do you envision being the relationship between the AS and AD?
> > What authority does the AS have? How long is the refresh token
> > valid for?
>
> The refresh token would be valid until the user logged into the AS (or
> RS perhaps) to revoke it. The AD is altogether unaware of the AS, but
> the AS trusts the AD to have authenticated the user and trusts the AD
> assertion.
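Added illustration, not part of this message or of any OAuth draft: a small in-memory token endpoint in Python showing the point George makes above, that a username/password grant and an "assertion as user credential" grant differ only in how the AS authenticates the user and can otherwise share one issuance path, refresh token included. It also covers the properties Andrew describes: the AS trusts the directory's assertion without talking to the directory, the refresh token works once the client is off the corporate network, and it stays valid until the user revokes it at the AS. The grant_type values password and refresh_token and the response fields follow RFC 6749; grant_type=assertion and the HMAC-signed JSON assertion are stand-ins chosen for this example (the drafts of the time used an assertion grant with a separate assertion_type, and RFC 7521 later defined format-specific URNs). The shared key, issuer name, client id, username and password are all constructed.

```python
import hashlib
import hmac
import json
import secrets
import time

# Constructed values for this illustration only; nothing here comes from the thread.
ASSERTION_KEY = b"constructed-shared-secret-between-idp-and-as"
ASSERTION_ISSUER = "corp-idp"     # stands in for the corporate directory (the AD)
ASSERTION_LIFETIME = 300          # seconds an issued assertion stays redeemable
ACCESS_TOKEN_LIFETIME = 3600


def mint_assertion(subject, now, issuer=ASSERTION_ISSUER):
    """Stand-in for the assertion the identity provider hands the client: HMAC-signed
    JSON with issuer, subject, issue time, expiry and a one-time id. A real deployment
    would use SAML or a JWT; the verification steps below are the same."""
    claims = {"iss": issuer, "sub": subject, "iat": now,
              "exp": now + ASSERTION_LIFETIME, "jti": secrets.token_hex(8)}
    body = json.dumps(claims, sort_keys=True)
    tag = hmac.new(ASSERTION_KEY, body.encode(), hashlib.sha256).hexdigest()
    return body + "." + tag


class AuthorizationServer:
    """Minimal token endpoint. Each user-credential grant only resolves the request to
    an authenticated subject; issuance of access + refresh token is shared, so the
    response is identical whether the user proved identity by password or assertion."""

    def __init__(self, users, clock=time.time):
        self.users = users              # username -> password, constructed
        self.clock = clock
        self.refresh_tokens = {}        # refresh token -> (subject, client_id)
        self.seen_jti = set()           # assertion ids already redeemed

    def token(self, form):
        grant = form.get("grant_type")
        client_id = form.get("client_id")
        if grant == "refresh_token":
            return self._refresh(form.get("refresh_token", ""), client_id)
        if grant == "password":
            subject = self._verify_password(form.get("username"), form.get("password"))
        elif grant == "assertion":      # illustrative grant_type value, see lead-in
            subject = self._verify_assertion(form.get("assertion", ""))
        else:
            return {"error": "unsupported_grant_type"}
        if subject is None:
            return {"error": "invalid_grant"}
        return self._issue(subject, client_id)

    def revoke_user(self, subject):
        """User-driven revocation at the AS: every refresh token for subject dies."""
        self.refresh_tokens = {t: v for t, v in self.refresh_tokens.items()
                               if v[0] != subject}

    def _verify_password(self, username, password):
        stored = self.users.get(username)
        if stored is None or password is None:
            return None
        return username if hmac.compare_digest(stored.encode(), password.encode()) else None

    def _verify_assertion(self, assertion):
        body, sep, tag = assertion.rpartition(".")
        if not sep:
            return None
        expected = hmac.new(ASSERTION_KEY, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return None                 # not signed by the trusted identity provider
        claims = json.loads(body)       # only parsed after the signature checks out
        if claims.get("iss") != ASSERTION_ISSUER or not claims.get("sub"):
            return None
        if claims["exp"] <= int(self.clock()) or claims["jti"] in self.seen_jti:
            return None                 # expired, or a replay of a redeemed assertion
        self.seen_jti.add(claims["jti"])
        return claims["sub"]            # the AS trusts the IdP; no directory lookup

    def _issue(self, subject, client_id):
        refresh = secrets.token_urlsafe(32)
        self.refresh_tokens[refresh] = (subject, client_id)
        return {"access_token": secrets.token_urlsafe(32), "token_type": "bearer",
                "expires_in": ACCESS_TOKEN_LIFETIME, "refresh_token": refresh}

    def _refresh(self, refresh, client_id):
        # Pop first: a refresh token is single-use (rotated on success) and is
        # discarded outright if a different client presents it.
        bound = self.refresh_tokens.pop(refresh, None)
        if bound is None or bound[1] != client_id:
            return {"error": "invalid_grant"}
        return self._issue(bound[0], client_id)


def demo(now=1_276_616_404):
    """Both user-credential grants while the client can reach the identity provider,
    then a refresh (and a replayed refresh) as if from off the corporate network."""
    srv = AuthorizationServer({"alice": "correct horse"}, clock=lambda: now)
    by_password = srv.token({"grant_type": "password", "client_id": "desktop-app",
                             "username": "alice", "password": "correct horse"})
    by_assertion = srv.token({"grant_type": "assertion", "client_id": "desktop-app",
                              "assertion": mint_assertion("alice", now)})
    refreshed = srv.token({"grant_type": "refresh_token", "client_id": "desktop-app",
                           "refresh_token": by_assertion["refresh_token"]})
    replayed = srv.token({"grant_type": "refresh_token", "client_id": "desktop-app",
                          "refresh_token": by_assertion["refresh_token"]})
    return by_password, by_assertion, refreshed, replayed


if __name__ == "__main__":
    for label, resp in zip(("password", "assertion", "refresh", "replay"), demo()):
        print(f"{label:>9}: {resp}")
```

The assertion path does the checks a practitioner would insist on before accepting a directory's word for who the user is: signature under the IdP key, issuer, expiry, and a one-time id so a captured assertion cannot be redeemed twice. Refresh tokens are bound to the client that obtained them and rotated on each use, and revoke_user is the "user logs into the AS to revoke" step Andrew describes; none of that depends on which credential type authenticated the user in the first place, which is the sense in which the two flows share semantics.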