Re: [OAUTH-WG] Question about usage of OAuth between servers

John Bradley <ve7jtb@ve7jtb.com> Fri, 03 July 2015 01:44 UTC

Return-Path: <ve7jtb@ve7jtb.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5F0AA1AD371 for <oauth@ietfa.amsl.com>; Thu, 2 Jul 2015 18:44:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id G_mdx9URHYFL for <oauth@ietfa.amsl.com>; Thu, 2 Jul 2015 18:44:21 -0700 (PDT)
Received: from mail-qg0-f46.google.com (mail-qg0-f46.google.com [209.85.192.46]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6409B1AD36F for <oauth@ietf.org>; Thu, 2 Jul 2015 18:44:21 -0700 (PDT)
Received: by qgat90 with SMTP id t90so22100840qga.0 for <oauth@ietf.org>; Thu, 02 Jul 2015 18:44:20 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:content-type:mime-version:subject:from :in-reply-to:date:cc:message-id:references:to; bh=BNY5XT9RfD1GrkMVwJppM0H6Izrd6ngJ6O/z2V9qF/8=; b=TaS1q99xXdMFLPj3+w1hPmqi+nZqPhfce7E9TSPKppnaKBYpcw1bWLww7RbCXdFGlx +PUg+oiC9MT/B3B04Bd1W87AIRq2dYslEISgJa+lsoC4hC2cfHqhmf9dwW47NZ8aLiYw umgBq18Un1ovquuTWCVMQMBBiVIlzPGC74tFs3qrWpbr8PxgzaepioevRnUjoivJzBVE gfNHvqmnjokKkrhlbABTOrWOM+bE9REMNmWIzLvJwgHuartjwledEkecYgXxCVr9ak4k /NHFeULBq2fzbZ09GJ9JBUU6KAfVmvXGEBuuyK9ZCS+eUHSd3DUUe/yXIA4Jg6Bp8R/X vJeg==
X-Gm-Message-State: ALoCoQkxeqTRAP75vwogNF3hxgnxTgMJ8/wKycpBxRFFI3g4uKUf0qdsarxg02bkuWcQjUwXiZVt
X-Received: by 10.140.99.65 with SMTP id p59mr47462840qge.46.1435887860297; Thu, 02 Jul 2015 18:44:20 -0700 (PDT)
Received: from [192.168.1.216] (181-163-55-223.baf.movistar.cl. [181.163.55.223]) by mx.google.com with ESMTPSA id 70sm3673633qhe.12.2015.07.02.18.44.17 (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Thu, 02 Jul 2015 18:44:19 -0700 (PDT)
Content-Type: multipart/alternative; boundary="Apple-Mail=_616CED9A-EB18-4509-B4B9-49D61EB17123"
Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2098\))
From: John Bradley <ve7jtb@ve7jtb.com>
In-Reply-To: <CAOahYUzDhygTdan6cH3iu5vCZ97oWOmULoRcgtGdtCobHHYg8A@mail.gmail.com>
Date: Thu, 2 Jul 2015 22:19:03 -0300
Message-Id: <2A451AC4-6414-4318-B188-C944E205C7E1@ve7jtb.com>
References: <47E83806AE926749BB17D1020685E6901903F0CC5F@APJ1XCHEVSPIN36.SYMC.SYMANTEC.COM> <CAOahYUzDhygTdan6cH3iu5vCZ97oWOmULoRcgtGdtCobHHYg8A@mail.gmail.com>
To: Adam Lewis <adam.lewis@motorolasolutions.com>
X-Mailer: Apple Mail (2.2098)
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/JPWjySTLuvt4isyoFHJ-lDq4xzw>
Cc: Lisa Li1 <Lisa_Li1@symantec.com>, "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Question about usage of OAuth between servers
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 03 Jul 2015 01:44:24 -0000

+1 
JB.

> On Jul 2, 2015, at 1:33 PM, Adam Lewis <adam.lewis@motorolasolutions.com> wrote:
> 
> Hi Lisa,
> 
> Form the perspective of OAuth, there is ALWAYS a client (even if it is running on a server).  Of your two servers, one is exposing an API (so this will be your RS), and the other server is a client of that API, so that will be your Client.  So it is still a client-server communication.  
> 
> So it's a question then if whether or not the server (acting as an API client) is accessing the other server's API on it's own behalf or on behalf of an end user, and if acting on behalf of an end user, then how does the end user interact with the server (acting as the API client)?
> 
> If the server acting as an API client is acting on its own behalf, then you want the client credential grant type (or possible a SAML or JWT assertion).
> If the server acting as an API client is acting on behalf of an end user and the end user is coming in through a browser, then you want the authorization code grant type.
> If the server acting as an API client is acting on behalf of an end user and the end user directly signs onto the server, then you might be stuck using the RO password grant type.
> 
> authorization code and RO grant types give you a refresh token that you can use to refresh the access token.  In the case of client credentials, the client stores a long term PSK or has a public private key pair used to request access tokens, so it will directly communicate with the token endpoint using those to get new access tokens.
> 
> Does that make sense?
> adam
> 
> On Mon, Jun 29, 2015 at 9:18 PM, Lisa Li1 <Lisa_Li1@symantec.com <mailto:Lisa_Li1@symantec.com>> wrote:
> Hi All
> 
>  
> 
> This is Lisa.
> 
> Our project is adopting OAuth 2 as authentication specification.
> 
> For the client-server communication, OAuth token works fine. But we have some cases of server to server communication, usually it will be multiple tasks running in parallel or sequence or even in multiple threads. In this case, we are not sure we should reuse the access token grant by end user or create another token? Moreover, if token is expired in 30 min, we are able to do refresh but may meet some issue on the token consistency between each task, thus it might be refreshed again and again…
> 
>  
> 
> But with OAuth 1.0, since it will not expired and we don’t have to do refresh, it will work fine.
> 
>  
> 
> So for OAuth 2.0, what’s your consideration for server to server communication scenario? Or do you have any suggestion here?
> 
>  
> 
> Thanks.
> 
>  
> 
>  
> 
> Lisa Li
> 
> Principal Software Engineer
> 
> Symantec Corporation
> 
>  
> 
> Office: (010) 6272 5127  /  Mobile: 189 1057 2219
> 
> Lisa_Li1@symantec.com <mailto:Lisa_Li1@symantec.com>
>  
> 
> <image002.png>
> 
>  
> 
>  
> 
> This message (including any attachments) is intended only for the use of the individual or entity to which it is addressed and may contain information that is non-public, proprietary, privileged, confidential, and exempt from disclosure under applicable law or may constitute as attorney work product. If you are not the intended recipient, you are hereby notified that any use, dissemination, distribution, or copying of this communication is strictly prohibited. If you have received this communication in error, notify us immediately by telephone and (i) destroy this message if a facsimile or (ii) delete this message immediately if this is an electronic communication.
> 
>  
> 
> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org <mailto:OAuth@ietf.org>
> https://www.ietf.org/mailman/listinfo/oauth <https://www.ietf.org/mailman/listinfo/oauth>
> 
> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth