[OAUTH-WG] SSO scenario
Justin Karneges <justin@affinix.com> Fri, 26 August 2011 23:03 UTC
Return-Path: <justin@affinix.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F280A21F8B7D for <oauth@ietfa.amsl.com>; Fri, 26 Aug 2011 16:03:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id y+p+9bU675xD for <oauth@ietfa.amsl.com>; Fri, 26 Aug 2011 16:03:41 -0700 (PDT)
Received: from homiemail-a38.g.dreamhost.com (caiajhbdcagg.dreamhost.com [208.97.132.66]) by ietfa.amsl.com (Postfix) with ESMTP id 438FE21F8B0B for <oauth@ietf.org>; Fri, 26 Aug 2011 16:03:41 -0700 (PDT)
Received: from homiemail-a38.g.dreamhost.com (localhost [127.0.0.1]) by homiemail-a38.g.dreamhost.com (Postfix) with ESMTP id 90F5110AFB1 for <oauth@ietf.org>; Fri, 26 Aug 2011 16:04:58 -0700 (PDT)
DomainKey-Signature: a=rsa-sha1; c=nofws; d=affinix.com; h=from:to:subject :date:mime-version:content-type:content-transfer-encoding: message-id; q=dns; s=affinix.com; b=rTHrX/y6ijzllZ+Vi/j8YpkNdR9k DwaPbDR3CVOxs/SxsfhThKM57wcnaj8nE+qOBBufsjHAwcJhhNjK4uI7jYRQV2t9 Rywts5nY0PSTBEIbTNFG3Sk6gfpArUUaLCvQoPZtD5cZ5xjzCK+kP/tYs1WnUMLJ Oiu+MEe4PiW+FF8=
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=affinix.com; h=from:to :subject:date:mime-version:content-type :content-transfer-encoding:message-id; s=affinix.com; bh=gVchGwH mjQMczHNb4nUKupfajV4=; b=g+Qcm1cOThMFBrmcmw8l7bpXfnfbJ8MyFT4SvwW k8NPqsZlEZLTHbuWjt3ot3ypDZx4ZSbg3D3nmamVTkS76DPxYDDhNI9UNDTHRKAL +Q1Bk//GUigeUb8u5tTw4HBSM0blMoxNuZ6Q2PPuk/iFxbsL6VkNRemu3WqtCJRN p+1E=
Received: from purelace.localnet (andross.dreamhost.com [75.119.221.126]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) (Authenticated sender: justin@affinix.com) by homiemail-a38.g.dreamhost.com (Postfix) with ESMTPSA id 742AD10AFAD for <oauth@ietf.org>; Fri, 26 Aug 2011 16:04:58 -0700 (PDT)
From: Justin Karneges <justin@affinix.com>
To: oauth@ietf.org
Date: Fri, 26 Aug 2011 16:04:57 -0700
User-Agent: KMail/1.13.6 (Linux/2.6.38-11-generic; KDE/4.6.2; x86_64; ; )
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Message-Id: <201108261604.57643.justin@affinix.com>
Subject: [OAUTH-WG] SSO scenario
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 26 Aug 2011 23:03:42 -0000
Hi folks, I currently use a proprietary token approach to provide authentication to a browser widget, and I wonder if OAuth could be used to replace it. Here's how the system currently works: - website supports authenticated users (happens via username/password form) - website and widget provider have a shared secret - the website serves a page to the browser, containing an embed of a remote widget as well as a token that asserts the currently logged in user. the widget takes this token and performs an ajax call to the widget provider server. behold, the user is now logged in to the widget. In trying to organize this into OAuth terms and roles, here is what I come up with: - resource owner: the user - resource server: widget provider (where the resource is generically "the ability to utilize the widget") - client: the webpage running in the browser - authorization server: the website The website essentially serves up the client application and token in one shot, so the client never has to explicitly ask for a token. However, the client would then take that token and use it to access a service. The website and widget provider would share key material such that token validation is possible, but it's important to note that the two services are not owned and operated by the same people. Does this seem right? Normally when I think of OAuth, I think of a user giving a third-party service access to his personal stuff, but in the above flow I'm proposing that OAuth be used so that the user gains access to his own stuff. In fact, there would be no way to access his stuff other than this approach, so it's not just about optional third-party access. It's the direct and only access. Would love confirmation that OAuth is appropriate for my needs, and if I have the roles right in that case. Thanks, Justin
- [OAUTH-WG] SSO scenario Justin Karneges
- Re: [OAUTH-WG] SSO scenario Peter Saint-Andre
- Re: [OAUTH-WG] SSO scenario Justin Richer
- Re: [OAUTH-WG] SSO scenario Justin Karneges
- Re: [OAUTH-WG] SSO scenario George Fletcher
- Re: [OAUTH-WG] SSO scenario Justin Karneges
- Re: [OAUTH-WG] SSO scenario Brian Campbell
- Re: [OAUTH-WG] SSO scenario John Bradley
- Re: [OAUTH-WG] SSO scenario Justin Karneges
- Re: [OAUTH-WG] SSO scenario Justin Richer