Re: [OAUTH-WG] Token Transfer Protocol

Justin Richer <> Mon, 18 October 2010 16:14 UTC


The ability to securely transfer tokens between systems is the last
missing part to the redelegation problem. Right now, we can have an
authorized client request a new access token with an equal or lesser
scope and be granted that with no user interaction. That token can then
be handed, using the below or similar mechanism, to another system for
its own access. I'm assuming this would work with tokens containing a
secret part (to be used for signing) as well as plain bearer tokens.

 -- Justin

On Mon, 2010-10-18 at 12:03 -0400, Niklas Neumann wrote:
> Hello everybody,
> I am currently working on a project related to authentication and 
> secure token transfer between multiple devices. As such we are employing 
> a simple protocol that handles token transfers independent of the actual 
> type of token. We have adapted the protocol to be used with OAuth tokens 
> and submitted it as an Internet Draft: 
> I was wondering if there is interest in employing such a protocol in 
> cases where the HTTP redirection schemes of OAuth are not available or 
> not working well (e.g. desktop applications without access to a user 
> agent or authentication from a different device/application than the one 
> accessing the consumer).
> Compared to other proposals such as 
> draft-dehora-farrell-oauth-accesstoken-creds the STTP is more 
> heavyweight but in turn it also has more options. With regards to 
> authentication we didn't use SASL for complexity reasons in our work 
> initially but I don't see any reason not to include it if this is deemed 
> more appropriate.
> The work that the draft is based on is still ongoing. Please understand 
> the draft as no more than a discussion proposal on how OAuth could be 
> opened to non-web-based environments and scenarios that involve multiple 
> devices without overloading the OAuth specification itself. I am happy 
> to further improve the draft if you think this might be a viable option.
> Best regards
>    Niklas