IETF Logo Mail Archive

Re: [OAUTH-WG] Audience parameter in authorization flow

Phil Hunt <phil.hunt@oracle.com> Wed, 21 August 2013 17:19 UTC

Return-Path: <phil.hunt@oracle.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9CE3C11E83CA for <oauth@ietfa.amsl.com>; Wed, 21 Aug 2013 10:19:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.834
X-Spam-Level:
X-Spam-Status: No, score=-5.834 tagged_above=-999 required=5 tests=[AWL=0.765, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4KnVPyVYiwKw for <oauth@ietfa.amsl.com>; Wed, 21 Aug 2013 10:19:48 -0700 (PDT)
Received: from aserp1040.oracle.com (aserp1040.oracle.com [141.146.126.69]) by ietfa.amsl.com (Postfix) with ESMTP id A259611E8120 for <oauth@ietf.org>; Wed, 21 Aug 2013 10:19:48 -0700 (PDT)
Received: from acsinet21.oracle.com (acsinet21.oracle.com [141.146.126.237]) by aserp1040.oracle.com (Sentrion-MTA-4.3.1/Sentrion-MTA-4.3.1) with ESMTP id r7LHJlD3025731 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Wed, 21 Aug 2013 17:19:47 GMT
Received: from userz7021.oracle.com (userz7021.oracle.com [156.151.31.85]) by acsinet21.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id r7LHJjST005152 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 21 Aug 2013 17:19:46 GMT
Received: from abhmt106.oracle.com (abhmt106.oracle.com [141.146.116.58]) by userz7021.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id r7LHJiGf006690; Wed, 21 Aug 2013 17:19:44 GMT
Received: from [192.168.1.89] (/24.86.29.34) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Wed, 21 Aug 2013 10:19:44 -0700
Content-Type: text/plain; charset="windows-1252"
Mime-Version: 1.0 (Mac OS X Mail 6.5 \(1508\))
From: Phil Hunt <phil.hunt@oracle.com>
In-Reply-To: <5214EF84.6010300@mitre.org>
Date: Wed, 21 Aug 2013 10:19:43 -0700
Content-Transfer-Encoding: quoted-printable
Message-Id: <CB0778B8-0603-459C-8106-18893D3824AD@oracle.com>
References: <5210F714.80305@gmail.com> <1373E8CE237FCC43BCA36C6558612D2AA272E8@USCHMBX001.nsn-intra.net> <CF5728A9-5271-4B57-A2B3-40A9FC1BC983@oracle.com> <5214ED9B.3070406@gmx.net> <1d4b764800be4cff991f02a91948d2c0@BY2PR03MB189.namprd03.prod.outlook.com> <5AA05FFA-99AB-4702-BC20-C209FF26416C@oracle.com> <5214EF84.6010300@mitre.org>
To: Justin Richer <jricher@mitre.org>
X-Mailer: Apple Mail (2.1508)
X-Source-IP: acsinet21.oracle.com [141.146.126.237]
Cc: "<oauth@ietf.org>" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Audience parameter in authorization flow
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 21 Aug 2013 17:19:54 -0000

Looking at the spec, the problem is you can still only authorize one api at a time.  You couldn't specify multiple audience apis and match them up with scopes.

A while ago I did start to write some stuff up about a structured scope specification where scope becomes a JSON multi-value structure so that multiple scopes and end-points could be defined.

I abandoned it after seeing that the same thing could be accomplished (as Google did) by defining the relationship during registration. I agree, it precludes being able to change on the fly, but came to the conclusion that is pretty rare (we're not talking about browsers for the most part).

Aside…this is why I include "target" in the SCIM Registration draft.

Phil

@independentid
www.independentid.com
phil.hunt@oracle.com







On 2013-08-21, at 9:49 AM, Justin Richer <jricher@mitre.org> wrote:

> I think it makes sense to have both, and this would parallel what we've got with the "scope" parameter today. At registration, the client is saying "this is what I want to be able to use" and the server is saying "this is what you're allowed to use". At auth time, the client is saying "this is what I'm using now" and the user is saying "this is what you're authorized to use now".
> 
> If there were a standardized "audience" parameter at the auth endpoint, it could easily be added to the registration's client model in parallel.
> 
> -- Justin
> 
> On 08/21/2013 12:46 PM, Phil Hunt wrote:
>> Yes.  The trade off is that each client_id becomes associated with a target.
>> 
>> Phil
>> 
>> @independentid
>> www.independentid.com
>> phil.hunt@oracle.com
>> 
>> 
>> 
>> 
>> 
>> 
>> 
>> On 2013-08-21, at 9:45 AM, Anthony Nadalin <tonynad@microsoft.com> wrote:
>> 
>>> I think binding audience at registration time is to limiting as we see audience being on a per token request level and also see the audience being part of the restrictions for "act as" or "on behalf of" support
>>> 
>>> -----Original Message-----
>>> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of Hannes Tschofenig
>>> Sent: Wednesday, August 21, 2013 9:41 AM
>>> To: Phil Hunt
>>> Cc: <oauth@ietf.org>
>>> Subject: Re: [OAUTH-WG] Audience parameter in authorization flow
>>> 
>>> That's certainly true although the referenced document did not talk about the registration phase but rather about the time when the client talks to the authorization server to obtain an access token.
>>> 
>>> Maybe UMA has provided a story for this already...
>>> 
>>> On 08/21/2013 06:35 PM, Phil Hunt wrote:
>>>> This could be bound up in the client registration process since oauth clients don't authorize for random "targets".
>>>> 
>>>> Phil
>>>> 
>>>> @independentid
>>>> www.independentid.com
>>>> phil.hunt@oracle.com
>>>> 
>>>> 
>>>> 
>>>> 
>>>> 
>>>> 
>>>> 
>>>> On 2013-08-21, at 9:30 AM, "Tschofenig, Hannes (NSN - FI/Espoo)" <hannes.tschofenig@nsn.com> wrote:
>>>> 
>>>>> Hi Sergey,
>>>>> 
>>>>> The idea of the audience was to provide a way for the client to indicate the resource server it wants to talk to explicitly rather than overloading the scope field. We certainly need that capability for the MAC token work.
>>>>> 
>>>>> The audience information is provided when the client interacts with the AS.
>>>>> 
>>>>> Ciao
>>>>> Hannes
>>>>> 
>>>>> 
>>>>>> -----Original Message-----
>>>>>> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On
>>>>>> Behalf Of ext Sergey Beryozkin
>>>>>> Sent: Sunday, August 18, 2013 6:32 PM
>>>>>> To: <oauth@ietf.org>
>>>>>> Subject: [OAUTH-WG] Audience parameter in authorization flow
>>>>>> 
>>>>>> Hi Hannes, All,
>>>>>> 
>>>>>> Regarding [1], where would you expect an audience parameter be
>>>>>> provided during the authorization flow ?
>>>>>> 
>>>>>> It appears to me it should be provided during the initial redirect
>>>>>> (similarly to a parameter like redirect_uri).
>>>>>> 
>>>>>> Also, would it make sense to support pre-registered audience values,
>>>>>> example, a client registers and specifies an audience during the
>>>>>> registration ?
>>>>>> 
>>>>>> Thanks, Sergey
>>>>>> 
>>>>>> [1] http://tools.ietf.org/html/draft-tschofenig-oauth-audience-00
>>>>>> _______________________________________________
>>>>>> OAuth mailing list
>>>>>> OAuth@ietf.org
>>>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>>> _______________________________________________
>>>>> OAuth mailing list
>>>>> OAuth@ietf.org
>>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>> _______________________________________________
>>>> OAuth mailing list
>>>> OAuth@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>> 
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>

v2.23.0 | Report a Bug | By Email