IETF Logo Mail Archive

Re: [OAUTH-WG] Auth Server / Resource Server Coordination

Justin Richer <jricher@mit.edu> Tue, 13 October 2015 08:36 UTC

Return-Path: <jricher@mit.edu>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4A6BE1A1A69 for <oauth@ietfa.amsl.com>; Tue, 13 Oct 2015 01:36:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.211
X-Spam-Level:
X-Spam-Status: No, score=-4.211 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7G-GE1MTN-Em for <oauth@ietfa.amsl.com>; Tue, 13 Oct 2015 01:36:17 -0700 (PDT)
Received: from dmz-mailsec-scanner-5.mit.edu (dmz-mailsec-scanner-5.mit.edu [18.7.68.34]) by ietfa.amsl.com (Postfix) with ESMTP id C1DF01A011B for <oauth@ietf.org>; Tue, 13 Oct 2015 01:36:16 -0700 (PDT)
X-AuditID: 12074422-f79976d0000078ca-15-561cc27f9741
Received: from mailhub-auth-2.mit.edu ( [18.7.62.36]) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by dmz-mailsec-scanner-5.mit.edu (Symantec Messaging Gateway) with SMTP id 46.C0.30922.F72CC165; Tue, 13 Oct 2015 04:36:15 -0400 (EDT)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) by mailhub-auth-2.mit.edu (8.13.8/8.9.2) with ESMTP id t9D8aF9Y028982; Tue, 13 Oct 2015 04:36:15 -0400
Received: from artemisia.richer.local (static-96-237-195-53.bstnma.fios.verizon.net [96.237.195.53]) (authenticated bits=0) (User authenticated as jricher@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id t9D8aDWY019065 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Tue, 13 Oct 2015 04:36:14 -0400
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2104\))
From: Justin Richer <jricher@mit.edu>
In-Reply-To: <CABPN19_wYVEvqEU85FDZMYe6k8E8qkL0gGDvFeQMXaaQt+yAbQ@mail.gmail.com>
Date: Tue, 13 Oct 2015 04:36:13 -0400
Content-Transfer-Encoding: quoted-printable
Message-Id: <D1B6CDB2-F758-45B6-9819-DEA865A8A0F3@mit.edu>
References: <CABPN19_wYVEvqEU85FDZMYe6k8E8qkL0gGDvFeQMXaaQt+yAbQ@mail.gmail.com>
To: Ofer Nave <odigity@gmail.com>
X-Mailer: Apple Mail (2.2104)
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFvrKIsWRmVeSWpSXmKPExsUixG6nolt/SCbMYOcbc4uTb1+xWexec5PF gclj56y77B5LlvxkCmCK4rJJSc3JLEst0rdL4MrYNa2TqaBLqmLu3G62BsYFol2MnBwSAiYS U/9dY4WwxSQu3FvPBmILCSxmkvh50q6LkQvI3sgocWrWQ1aIxEMmia33ckFsZgF1iT/zLjGD 2LwCehKvbl0GqxEWcJKY93w/O4jNJqAqMX1NC1MXIwcHp0CgROtsWZAwC1C47+F/FpAwyJj2 ky4QE7Ulli18DTXRSuJA11UmiK0BEu2HZ4HZIgKKEoc3zWSEOFlWYvfvR0wTGAVnITloFpKD ZiEZu4CReRWjbEpulW5uYmZOcWqybnFyYl5eapGuqV5uZoleakrpJkZw6Loo7WD8eVDpEKMA B6MSD++LSJkwIdbEsuLK3EOMkhxMSqK8mruBQnxJ+SmVGYnFGfFFpTmpxYcYJTiYlUR4k1qA crwpiZVVqUX5MClpDhYlcd5NP/hChATSE0tSs1NTC1KLYLIyHBxKEryvDgA1ChalpqdWpGXm lCCkmTg4QYbzAA2PPggyvLggMbc4Mx0if4pRUUqc9zVIswBIIqM0D64XlFoS3h42fcUoDvSK MK8zSDsPMC3Bdb8CGswENNiIXQpkcEkiQkqqgVHUwm5Bypv0Pv4DfT9eqAfHbqkrf8PAVlGc ZPeniaP2rI99BccLa6/pbltlC1Rkj5k4WE0rzM+xvrf079J1ugySBfkB+2YWpvwJ9u38/PDw G09JOXWWEnaZN41u0duDLJ15c+8LTO7IKVc5PE+iffaFJWeC5obyOJyPmPYiuWXDMZ92M1Y9 JZbijERDLeai4kQADY9JIQgDAAA=
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/FtTznf0JBJ1n-JGY-7HIm-Ofb10>
Cc: "<oauth@ietf.org>" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Auth Server / Resource Server Coordination
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 13 Oct 2015 08:36:19 -0000

I think what you’re talking about is reasonable, but I also think that you don’t need to invent anything. You’re right that these things aren’t defined in OAuth core itself, but instead they’re defined in companion specs. Most notably you have:


 - JWT (RFC7519): a structured token based on JSON and JOSE that lets you carry information inside the token itself. This can be signed and/or encrypted. The RS needs to understand the token format, but the client can still be oblivious to it and still function just fine. https://tools.ietf.org/html/rfc7519
 - Introspection (soon to be RFC7662, it’s in the final stage of editing as we speak): a simple protocol that allows an RS to query the AS with a token to see if it’s any good and what it’s good for. This returns a JSON document describing the token. https://tools.ietf.org/html/draft-ietf-oauth-introspection
 - UMA’s resource set registration (from Kantara, version 1.0.1 in final review right now): This is part of the User Managed Access (UMA) protocol and it lets an RS register a set of resources at the AS. This is very similar to what you’re describing below in terms of registering scopes for each resource server. https://docs.kantarainitiative.org/uma/draft-oauth-resource-reg-v1_0_1.html


Combining these specs together you’ve got pretty much what you’re after, as best as I can tell. There are a number of implementations of all of these, including the project that I help run, MITREid Connect. https://github.com/mitreid-connect/ Our server issues signed JWTs, provides token introspection, and lets resource server owners register their scopes to expose to users through a simple web UI. 


 — Justin


> On Oct 13, 2015, at 12:13 AM, Ofer Nave <odigity@gmail.com> wrote:
> 
> I know the OAuth 2.0 RFC doesn't specify any standards for coordination between the Authorization Server and the Resource Server, as it's generally assumed that both will be owned or operated by the same entity.
> 
> However, I'm building an OAuth 2.0 Auth Server, and I'd like to add a feature to make it easy for other API developers to delegate to me the responsibility of handling the auth grant process and issuing access tokens.
> 
> It seems to me that a simple version of this could be easily done by:
> 
> 1) Defining an Access Token format that contains within it everything a Resource Server will need to validate it and determine the level of access granted (list of scopes, expiration datetime, HMAC signature using a shared secret).
> 
> 2) Providing a means (basic web UI) for Resource Server owners to register a set of scopes for their service, along with user-understandable descriptions of each to display when they arrive at my Authorization Endpoint.
> 
> While I've read the relevant RFCs, I'm new to the OAuth domain, and would appreciate any feedback. Is this a stupid idea?  Is this a good idea, but redundant with another standard I'm not aware of?
> 
> -ofer
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email