Re: [OAUTH-WG] OAuth 1.0 2-legged scenario
Brian Eaton <beaton@google.com> Mon, 02 May 2011 18:32 UTC
Return-Path: <beaton@google.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 408C1E0729 for <oauth@ietfa.amsl.com>; Mon, 2 May 2011 11:32:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -105.976
X-Spam-Level:
X-Spam-Status: No, score=-105.976 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gKDaAYvBvabZ for <oauth@ietfa.amsl.com>; Mon, 2 May 2011 11:32:51 -0700 (PDT)
Received: from smtp-out.google.com (smtp-out.google.com [74.125.121.67]) by ietfa.amsl.com (Postfix) with ESMTP id C6B65E06FA for <oauth@ietf.org>; Mon, 2 May 2011 11:32:50 -0700 (PDT)
Received: from wpaz37.hot.corp.google.com (wpaz37.hot.corp.google.com [172.24.198.101]) by smtp-out.google.com with ESMTP id p42IWnuT025072 for <oauth@ietf.org>; Mon, 2 May 2011 11:32:49 -0700
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=google.com; s=beta; t=1304361169; bh=HyxP5zfq4wyNjNKaVwEuLOan4Zc=; h=MIME-Version:In-Reply-To:References:Date:Message-ID:Subject:From: To:Cc:Content-Type; b=SfSR0L8O6fN8tArFIXYiXkCDbh0OnQzMPhcHiAmQ8yAyaaftYhwoWodiIjbxHqSRN EvMJIgVotDmt/OUdCbafw==
Received: from pxi9 (pxi9.prod.google.com [10.243.27.9]) by wpaz37.hot.corp.google.com with ESMTP id p42IWlN8002785 (version=TLSv1/SSLv3 cipher=RC4-SHA bits=128 verify=NOT) for <oauth@ietf.org>; Mon, 2 May 2011 11:32:47 -0700
Received: by pxi9 with SMTP id 9so2379674pxi.14 for <oauth@ietf.org>; Mon, 02 May 2011 11:32:46 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=beta; h=domainkey-signature:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=8/S3V9DFmWsl1UbB1jj2++uHmXflSYf70QJOeDfNdO4=; b=nk6IM9tYBcKCBStYw7y7uUIMHoj2VPRfhpa4/ym4Rxk3oykOCprxmzb7qyMv2kg6lm YiAMuobvm54G1+gb8Eng==
DomainKey-Signature: a=rsa-sha1; c=nofws; d=google.com; s=beta; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; b=PuuVgtq1rUpNqr3Wfz30+sZKcudJprnXzzQDrcHm10FNy3OLyuAYvBohKA7S9MicoM PbQNBIm465fctJUfIAHg==
MIME-Version: 1.0
Received: by 10.142.171.17 with SMTP id t17mr3218354wfe.209.1304361166504; Mon, 02 May 2011 11:32:46 -0700 (PDT)
Received: by 10.142.14.2 with HTTP; Mon, 2 May 2011 11:32:46 -0700 (PDT)
In-Reply-To: <BANLkTini_fuL4EjLOm_W=J=C4N4i1q+kYg@mail.gmail.com>
References: <BANLkTini_fuL4EjLOm_W=J=C4N4i1q+kYg@mail.gmail.com>
Date: Mon, 02 May 2011 11:32:46 -0700
Message-ID: <BANLkTi=1FZUOaLGRgG438-TWbp7JBuoG6g@mail.gmail.com>
From: Brian Eaton <beaton@google.com>
To: Andrew Arnott <andrewarnott@gmail.com>
Content-Type: multipart/alternative; boundary="000e0cd1876afd066304a24f3f95"
X-System-Of-Record: true
Cc: "OAuth WG (oauth@ietf.org)" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] OAuth 1.0 2-legged scenario
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 02 May 2011 18:32:52 -0000
Hey Andrew -
Two-legged OAuth is a very confusing term. I've tried to stop using it,
because it means so many different things to different people. I'm not 100%
sure what your use case is...
The current OAuth2 draft handles traditional client-server authentication
with the client credentials flow:
client_id + client_secret => access_token
There is another flow that I think got dropped from the draft(?) but that
various people have implemented:
client_assertion => access_token
That flow has better security than the client_secret flow, since it can use
public key authentication instead of password authentication.
But I wouldn't recommend that desktop side-bar gadgets (your use case) use
either of those flows, since as you point out they can't keep secrets.
We're handling gadgets using OAuth2 as small-view web applications. They
use the user-agent flow with auto-approval of tokens after the user's first
consent ("immediate mode"). For example:
- iframe redirects to google's authentication service
- google's authentication service checks that the callback URL of the iframe
belongs to an app the user trusts
- google redirects back to iframe with a short-lived (one hour) access token
- iframe makes RPCs back to google through various channels. All of the
RPCs are authenticated with the access token
Does that sound like what you're getting at?
Cheers,
Brian
On Sat, Apr 30, 2011 at 8:50 PM, Andrew Arnott <andrewarnott@gmail.com>wrote:
> Does this doc<http://oauth.googlecode.com/svn/spec/ext/consumer_request/1.0/drafts/2/spec.html>accurately describe what the community generally refers to as "two-legged
> OAuth"? If so, I have a couple questions...
>
> What about this is "*two* legged"? I count zero legs. The consumer
> already has a key and secret, and uses them to access resources. Not a
> single one of the 3 legs in standard OAuth's "unauthorized request token,
> authorize, exchange for access token" flow are present in the above linked
> spec by my reading of it.
>
> I expected two-legged OAuth to be more like this:
>
> 1. The client presumably already has a consumer key, but perhaps no
> secret since these clients can rarely keep secrets. I'm imagining clients
> that are desktop sidebar gadgets, perhaps.
> 2. Upon first run, this app performs these two legs:
> 1. Obtains a request token using the standard OAuth 1.0 flow. This
> would traditionally be an unauthorized request token. But in 2-legged OAuth
> this request token is implicitly auto-authorized, for access to a new, empty
> account on the service provider.
> 2. Exchanges the request token for an access token, again using the
> standard OAuth 1.0 flow for that step.
> 3. At this point, the client has a consumer key, perhaps a consumer
> secret, and an access token and token secret. The token represents an empty
> account, but may be filled and later queried by that client. The fact that
> the client has no consumer secret is of little consequence because the
> access token secret is unique for this particularly installation of the
> client and therefore the data is protected.
>
> So... which one is right? And does the "wrong" one have any validity?
>
> Thanks.
> --
> Andrew Arnott
> "I [may] not agree with what you have to say, but I'll defend to the death
> your right to say it." - S. G. Tallentyre
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
>
- [OAUTH-WG] OAuth 1.0 2-legged scenario Andrew Arnott
- Re: [OAUTH-WG] OAuth 1.0 2-legged scenario Eran Hammer-Lahav
- Re: [OAUTH-WG] OAuth 1.0 2-legged scenario Brian Eaton