Re: [OAUTH-WG] Use cases for Audience Restricted tokens + AS and RS "discovery"

George Fletcher <gffletch@aol.com> Fri, 18 March 2016 12:50 UTC

To: Thomas Broyer <t.broyer@gmail.com>, "oauth@ietf.org" <oauth@ietf.org>
References: <56EAEB54.8010208@aol.com> <CAEayHEO9b+AQ4bT0Zjy4UvqE9qv6Yv1QivjLZiWe=cuNMppGuA@mail.gmail.com>
From: George Fletcher <gffletch@aol.com>
Organization: AOL LLC
Message-ID: <56EBF9A8.8070909@aol.com>
Date: Fri, 18 Mar 2016 08:50:48 -0400
In-Reply-To: <CAEayHEO9b+AQ4bT0Zjy4UvqE9qv6Yv1QivjLZiWe=cuNMppGuA@mail.gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/JGX8SIMzP36I2JqigXQbWb_W4ZU>

I was thinking of goal #2 as addressing the issue of audience in the 
token. If the RS "authenticates" itself when calling introspection, then 
the AS could apply the audience restriction for the RS. Is that what you 
were thinking?

On 3/18/16 3:09 AM, Thomas Broyer wrote:
>
> Note that goal #2 is already taken care of by introspection (endpoint 
> varying response depending on authenticated client/RS), so maybe it 
> should be refined here.
>
>
> On Thu, 17 Mar 2016 18:44, George Fletcher <gffletch@aol.com 
> <mailto:gffletch@aol.com>> wrote:
>
>     Goals:
>
>     1. Help the client not send a token to the "wrong" endpoint
>         a. wrong AS /token endpoint
>         b. evil RS endpoint(s)
>     2. Allow good RS to determine if the token being validated was
>     intended
>     for that RS
>
>     Other high-level goals?
>
>     Use cases:
>
>     1. RS that supports multiple AS (we've had this in production
>     since 2011)
>     2. RS rejects token not issued for use at the RS
>     3. Client that dynamically supports new RS (say any client that
>     supports
>     the jabber API)
>     4. Client that dynamically supports new AS
>
>     Feel free to add to the list :)
>
>     _______________________________________________
>     OAuth mailing list
>     OAuth@ietf.org <mailto:OAuth@ietf.org>
>     https://www.ietf.org/mailman/listinfo/oauth
>
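The behaviour Thomas and George are discussing, an introspection endpoint whose answer depends on which resource server is asking, is shown below as an added example; it is not code from the thread or from any AOL or IETF implementation. It models goal #2 and use case 2: the AS authenticates the calling RS, reports a token as inactive unless that RS is in the token's `aud`, and the RS additionally checks the returned audience itself. The RS identifiers, secrets, tokens and the fixed clock `NOW` are all constructed for illustration, and the token store is an in-memory dictionary standing in for the AS's real state.

```python
# Added example (not from the thread): a toy RFC 7662-style introspection
# endpoint that authenticates the calling resource server (RS) and applies the
# token's audience restriction, plus the RS-side check on the response.
# All identifiers, secrets and tokens below are constructed for illustration.
import hmac
from typing import Optional

# Constructed clock so the example is deterministic.
NOW = 1_700_000_000

# Constructed AS registry: RS client_id -> client_secret used by the RS to
# authenticate to the introspection endpoint.
RS_CREDENTIALS = {
    "photos-api": "rs-secret-photos",
    "calendar-api": "rs-secret-calendar",
}

# Constructed token store: opaque token -> claims recorded at issuance.
# "aud" lists the RS identifiers the token was minted for.
TOKENS = {
    "tok-photos-only": {"sub": "alice", "aud": ["photos-api"],
                        "scope": "photos.read", "exp": NOW + 3600},
    "tok-both": {"sub": "bob", "aud": ["photos-api", "calendar-api"],
                 "scope": "read", "exp": NOW + 3600},
    "tok-expired": {"sub": "carol", "aud": ["photos-api"],
                    "scope": "photos.read", "exp": NOW - 60},
}

INACTIVE = {"active": False}


def authenticate_rs(client_id: str, client_secret: str) -> Optional[str]:
    """Return the RS identifier if the credentials match, else None."""
    expected = RS_CREDENTIALS.get(client_id)
    if expected is None:
        return None
    # Constant-time comparison so the secret check does not leak via timing.
    if not hmac.compare_digest(expected.encode(), client_secret.encode()):
        return None
    return client_id


def introspect(token: str, client_id: str, client_secret: str,
               now: int = NOW) -> dict:
    """AS side: answer an introspection request from an authenticated RS.

    The response depends on who asks: a token that is valid but was not
    issued for the calling RS is reported as inactive, so the audience
    restriction is enforced by the AS and the RS never has to parse the token.
    """
    rs = authenticate_rs(client_id, client_secret)
    if rs is None:
        # A real endpoint would answer HTTP 401 here.
        raise PermissionError("resource server authentication failed")
    claims = TOKENS.get(token)
    if claims is None or claims["exp"] <= now:
        return dict(INACTIVE)
    if rs not in claims["aud"]:
        # Same answer as for an unknown token: an RS the token was not
        # issued for learns nothing about it.
        return dict(INACTIVE)
    return {
        "active": True,
        "sub": claims["sub"],
        "scope": claims["scope"],
        "aud": list(claims["aud"]),
        "exp": claims["exp"],
    }


def rs_accept_token(rs_id: str, rs_secret: str, token: str,
                    now: int = NOW) -> bool:
    """RS side: accept a bearer token only if the AS reports it active AND
    the returned audience names this RS.

    The second check is redundant with a well-behaved AS, but it protects an
    RS that talks to several AS (use case 1) from one that ignores the caller
    identity when building its answer.
    """
    response = introspect(token, rs_id, rs_secret, now)
    aud = response.get("aud", [])
    if isinstance(aud, str):  # a single-string aud is also allowed
        aud = [aud]
    return bool(response.get("active")) and rs_id in aud


if __name__ == "__main__":
    print(introspect("tok-photos-only", "photos-api", "rs-secret-photos"))
    print(introspect("tok-photos-only", "calendar-api", "rs-secret-calendar"))
    print(rs_accept_token("calendar-api", "rs-secret-calendar", "tok-both"))
```

Note that the audience mismatch and the unknown-token case deliberately produce the identical `{"active": false}` body; distinguishing them would tell an RS about tokens it was never meant to see.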