Re: [OAUTH-WG] Confirmation: Call for Adoption of "OAuth Token Introspection" as an OAuth Working Group Item

Justin Richer <jricher@MIT.EDU> Tue, 29 July 2014 00:40 UTC


It's analogous to JWT in many ways: when you've got the AS and the RS 
separated somehow (different box, different domain, even different 
software vendor) and you need to communicate a set of information about 
the approval delegation from the AS (who has the context to know about 
it) through to the RS (who needs to know about it to make the 
authorization call). JWT gives us an interoperable way to do this by 
passing values inside the token itself; introspection gives a way to 
pass the values by reference via the token as an artifact. The two are 
complementary, and there are even cases where you'd want to deploy them 
together.

  -- Justin

On 7/28/2014 8:11 PM, Phil Hunt wrote:
> Could we have some discussion on the interop cases?
>
> Is it driven by scenarios where AS and resource are separate domains? 
> Or may this be only of interest to specific protocols like UMA?
>
> From a technique principle, the draft is important and sound. I am 
> just not there yet on the reasons for an interoperable standard.
>
> Phil
>
> On Jul 28, 2014, at 17:00, Thomas Broyer <t.broyer@gmail.com> wrote:
>
>> Yes. This spec is of special interest to the platform we're building 
>> for http://www.oasis-eu.org/
>>
>>
>> On Mon, Jul 28, 2014 at 7:33 PM, Hannes Tschofenig 
>> <hannes.tschofenig@gmx.net> wrote:
>>
>>     Hi all,
>>
>>     during the IETF #90 OAuth WG meeting, there was strong consensus in
>>     adopting the "OAuth Token Introspection"
>>     (draft-richer-oauth-introspection-06.txt) specification as an
>>     OAuth WG work item.
>>
>>     We would now like to verify the outcome of this call for adoption
>>     on the OAuth WG mailing list. Here is the link to the document:
>>     http://datatracker.ietf.org/doc/draft-richer-oauth-introspection/
>>
>>     If you did not hum at the IETF 90 OAuth WG meeting, and have an
>>     opinion as to the suitability of adopting this document as a WG
>>     work item, please send mail to the OAuth WG list indicating your
>>     opinion (Yes/No).
>>
>>     The confirmation call for adoption will last until August 10,
>>     2014. If you have issues/edits/comments on the document, please
>>     send these comments along to the list in your response to this
>>     Call for Adoption.
>>
>>     Ciao
>>     Hannes & Derek
>>
>>
>>     _______________________________________________
>>     OAuth mailing list
>>     OAuth@ietf.org
>>     https://www.ietf.org/mailman/listinfo/oauth
>>
>>
>>
>>
>> -- 
>> Thomas Broyer
>> /tɔ.ma.bʁwa.je/
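
As an added illustration of the by-value versus by-reference distinction drawn in the message above (not code from the thread or from the draft), the sketch below has a resource server recover the same delegation information either from a signed JWT or by introspecting an opaque token. The in-process `as_introspect` stands in for the AS's introspection endpoint; all function names, the shared HMAC key and the token values are assumptions constructed for the example.

```python
import base64, hashlib, hmac, json

AS_KEY = b"constructed-demo-key-shared-by-AS-and-RS"  # constructed, not a real key
AS_TOKEN_STORE = {}  # AS-side state: opaque token -> delegation info

def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _mac(signing_input):
    return hmac.new(AS_KEY, signing_input.encode(), hashlib.sha256).digest()

def as_issue_jwt(claims):
    """AS: pass the values inside the token itself (HS256 JWT)."""
    head = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(claims).encode())
    return f"{head}.{body}.{_b64(_mac(head + '.' + body))}"

def as_issue_opaque(handle, claims):
    """AS: keep the values server-side; the token is only a reference."""
    AS_TOKEN_STORE[handle] = claims
    return handle

def as_introspect(token, now):
    """AS: stand-in for the introspection endpoint's JSON response."""
    claims = AS_TOKEN_STORE.get(token)
    if claims is None or claims["exp"] <= now:
        return {"active": False}
    return {"active": True, **claims}

def rs_token_info(token, now):
    """RS: recover the delegation info by value (JWT) or by reference."""
    if token.count(".") != 2:
        return as_introspect(token, now)  # an HTTPS call to the AS in practice
    head, body, sig = token.split(".")
    try:
        header, claims = json.loads(_unb64(head)), json.loads(_unb64(body))
        good = hmac.compare_digest(_mac(head + "." + body), _unb64(sig))
    except ValueError:  # malformed base64 or JSON
        return {"active": False}
    if not good or header.get("alg") != "HS256" or claims.get("exp", 0) <= now:
        return {"active": False}
    return {"active": True, **claims}

def rs_authorize(token, scope, now):
    """RS: the authorization call is the same whichever way the info arrived."""
    info = rs_token_info(token, now)
    return info["active"] and scope in info.get("scope", "").split()
```

With the JWT the resource server needs only the key and never contacts the AS; with the opaque token it holds no key material for the token but makes one lookup per token it has not cached.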