Re: [OAUTH-WG] Use cases for Audience Restricted tokens + AS and RS "discovery"

Justin Richer <jricher@mit.edu> Fri, 18 March 2016 13:00 UTC

To: George Fletcher <gffletch@aol.com>, Thomas Broyer <t.broyer@gmail.com>, "oauth@ietf.org" <oauth@ietf.org>
References: <56EAEB54.8010208@aol.com> <CAEayHEO9b+AQ4bT0Zjy4UvqE9qv6Yv1QivjLZiWe=cuNMppGuA@mail.gmail.com> <56EBF9A8.8070909@aol.com>
From: Justin Richer <jricher@mit.edu>
Message-ID: <56EBFBD4.6060502@mit.edu>
Date: Fri, 18 Mar 2016 09:00:04 -0400
In-Reply-To: <56EBF9A8.8070909@aol.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/HXSNz6cpJ-I69xq08l1O9UcoAxk>

I'm with George. You can do introspection with no audience restriction. 
We implemented introspection with only scope restriction from the RS.

  -- Justin

On 3/18/2016 8:50 AM, George Fletcher wrote:
> I was thinking of goal #2 as addressing the issue of audience in the 
> token. If the RS "authenticates" itself when calling introspection, 
> then the AS could apply the audience restriction for the RS. Is that 
> what you were thinking?
>
> On 3/18/16 3:09 AM, Thomas Broyer wrote:
>>
>> Note that goal #2 is already taken care of by introspection (endpoint 
>> varying response depending on authenticated client/RS), so maybe 
>> should be refined here.
>>
>>
>> On Thu, 17 March 2016 18:44, George Fletcher <gffletch@aol.com> wrote:
>>
>>     Goals:
>>
>>     1. Help the client not send a token to the "wrong" endpoint
>>         a. wrong AS /token endpoint
>>         b. evil RS endpoint(s)
>>     2. Allow good RS to determine if the token being validated was
>>        intended for that RS
>>
>>     Other high-level goals?
>>
>>     Use cases:
>>
>>     1. RS that supports multiple AS (we've had this in production
>>        since 2011)
>>     2. RS rejects token not issued for use at the RS
>>     3. Client that dynamically supports new RS (say any client that
>>        supports the jabber API)
>>     4. Client that dynamically supports new AS
>>
>>     Feel free to add to the list :)
>>
>>     _______________________________________________
>>     OAuth mailing list
>>     OAuth@ietf.org <mailto:OAuth@ietf.org>
>>     https://www.ietf.org/mailman/listinfo/oauth
>>
>
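The two introspection policies discussed in this thread side by side, as an added example that is not code from the thread or from any participant's implementation: George's model, where the AS checks the token's audience against the RS that authenticated to the introspection endpoint, and Justin's model, where there is no audience check and the response is only narrowed to the scopes that RS is registered for. The token store, the RS registry and all their values are constructed for the example.

```python
from __future__ import annotations

# Constructed token store: opaque token -> metadata the AS recorded at issuance.
TOKENS = {
    "tok-photos": {"active": True, "sub": "alice",
                   "scope": "photos:read profile calendar:read",
                   "aud": ["https://photos.example"], "exp": 4102444800},
    "tok-expired": {"active": False, "sub": "bob", "scope": "photos:read",
                    "aud": ["https://photos.example"], "exp": 0},
}

# Constructed RS registry: the client_id each RS authenticates with at the
# introspection endpoint -> its own audience URI and the scopes it may see.
RESOURCE_SERVERS = {
    "rs-photos": {"aud": "https://photos.example",
                  "scopes": {"photos:read", "photos:write"}},
    "rs-calendar": {"aud": "https://calendar.example",
                    "scopes": {"calendar:read"}},
}


def introspect(token: str, caller: str, audience_restricted: bool) -> dict:
    """Build an RFC 7662 style introspection response for an authenticated RS.

    audience_restricted=True  -> the AS compares the token's 'aud' with the
        caller's registered audience; a mismatch is reported as inactive.
    audience_restricted=False -> no audience check; the response is only
        narrowed to the scopes the caller is entitled to see.
    In both modes a token the caller may learn nothing about is reported as
    {"active": false}, so the endpoint does not leak metadata to an RS that
    has no business with that token.
    """
    rs = RESOURCE_SERVERS.get(caller)
    meta = TOKENS.get(token)
    if rs is None or meta is None or not meta["active"]:
        return {"active": False}  # unknown caller, unknown token, or expired/revoked
    if audience_restricted and rs["aud"] not in meta["aud"]:
        return {"active": False}  # token was issued for a different RS
    visible = [s for s in meta["scope"].split() if s in rs["scopes"]]
    if not visible:
        return {"active": False}  # nothing this RS is entitled to learn
    return {"active": True, "sub": meta["sub"], "scope": " ".join(visible),
            "aud": meta["aud"], "exp": meta["exp"]}


if __name__ == "__main__":
    print(introspect("tok-photos", "rs-photos", True))
    print(introspect("tok-photos", "rs-calendar", True))   # aud mismatch
    print(introspect("tok-photos", "rs-calendar", False))  # scope-only policy
```

The calendar RS is the case that separates the two models: with the audience check it learns nothing about a token issued for the photos RS, while under the scope-only policy it is told the token is active for "calendar:read" because that scope happens to be one it is registered for.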