Re: [OAUTH-WG] Confirmation: Call for Adoption of "OAuth Token Introspection" as an OAuth Working Group Item
Bill Mills <wmills_92105@yahoo.com> Tue, 29 July 2014 18:11 UTC
Return-Path: <wmills_92105@yahoo.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E6F361B2A0D for <oauth@ietfa.amsl.com>; Tue, 29 Jul 2014 11:11:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.5
X-Spam-Level:
X-Spam-Status: No, score=-1.5 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, FREEMAIL_REPLYTO_END_DIGIT=0.25, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1elZV68e_g3Q for <oauth@ietfa.amsl.com>; Tue, 29 Jul 2014 11:11:34 -0700 (PDT)
Received: from nm32-vm1.bullet.mail.bf1.yahoo.com (nm32-vm1.bullet.mail.bf1.yahoo.com [72.30.239.137]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7E09F1A04BA for <oauth@ietf.org>; Tue, 29 Jul 2014 11:11:29 -0700 (PDT)
Received: from [66.196.81.172] by nm32.bullet.mail.bf1.yahoo.com with NNFMP; 29 Jul 2014 18:11:28 -0000
Received: from [98.139.212.201] by tm18.bullet.mail.bf1.yahoo.com with NNFMP; 29 Jul 2014 18:11:28 -0000
Received: from [127.0.0.1] by omp1010.mail.bf1.yahoo.com with NNFMP; 29 Jul 2014 18:11:28 -0000
X-Yahoo-Newman-Property: ymail-3
X-Yahoo-Newman-Id: 636008.25051.bm@omp1010.mail.bf1.yahoo.com
Received: (qmail 28599 invoked by uid 60001); 29 Jul 2014 18:11:28 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s1024; t=1406657488; bh=Q4MZH4wVJUyY5oB1CmAh8b4TYnMcMB4HlD98TdSgmeA=; h=References:Message-ID:Date:From:Reply-To:Subject:To:Cc:In-Reply-To:MIME-Version:Content-Type; b=dW1QwfRUEzMVM3ZxPqbKODYr/M3mk2Kx8vFWZGWx9jcsSIQ+in6NDoq4U6ydXr5Iab53yRDNxuPnPL6qyOIASIvlQb0RG38TyAXU+anEKLcFDiWMYj54Z4c5DCADNb0K6Oh781QS1QzUX/NphaQZoJ35qWWbZheXWPMQTyO7A7U=
X-YMail-OSG: wGxpmaYVM1n3NpmG1wb7u8P40KHm71jAjoLPp6mAt67k_4F Sej8IAbuGvqPtuIvPBBrNFK69ktzTQL8eOc3TnC52uy8Dqbc8VP.G.6iVmnw 2TPD2Kyh7ZGCRcTMCmcfwG08fj6s4NASqc3s0qRzY2r3k8_4Air4W_SQ4jUA Wy67d7r2iqgnUbwd500F_Bu.W33fJVM_8FrFYD6yvjwJdAnZhsyLEmykej9A FAtTGG9xRMxE6A.Iyzbogiph6vkm6IAcf7lek_pGTlA3l3Ni5qq3v0wvT1lT Ywx7Jw2RQwIvkv24LSWB.CIcY9Y0vUL0gd7cldMuLRLBhWvsLFuK8VN5GKO7 sSjQr21zNmx9Clin38e6ZU48SF3nBA2_0Yfette7z3uc38XQUduF4yFPbCyd FKl.1BF7OOFQ3skjlwSb1L1dALaPGBF04UO1_Pf3qheFXkwLD13Cm_mU71vv v3JCmA2hnbVGKFt1njidDzi_eBhcBh2GSbdN5Kyxq.Alek2UZBk5NHkLLCHV 2XuE2V4HKCOqVK2D5iTy2RE.FMSYV3oW8Tovt5yKuWu0vxGnaw4sPLF2vS3J pYn2zpjtRjy5N6NBF8I4igSA.GPsme5gRHaOQ11qfRgL7SheqwP5TNCPPEia .QM3lzDJZiU6RPKSoqtU2salkI2Ae4jBBBTGK6j_7ToQmqR_F3VdErS.9qAH CcleMzQwsVsbhyHTPm7oQwWOYGSkW08dYrDIfnRuJBAXHp6Fo30_rXUyXuRs yx6QiP0cjiaTxsV.sKhmRhmQTEaZBr2bZwGZsbcTKuZKFG7S8G4h2.jUkZxg tUr35JL4bq5Jbjxvuo2O2fn6Iao8zJnR.bC44x4i9G8mvPFhsl8lC8Y_jO0k v0Y0qSG4dzDJI9hcGC_JTgEY2lUd1SlVaFP1rlWgoOpLvCo1FrxEI.duT9g8 yQJgDvHW3dtia_GQPBjYZYZ5duOJ.cQ--
Received: from [167.220.24.190] by web142801.mail.bf1.yahoo.com via HTTP; Tue, 29 Jul 2014 11:11:28 PDT
X-Rocket-MIMEInfo: 002.001, VGhpcyBpcyBleGFjdGx5IHRoZSBzYW1lIHByb2JsZW0gc3BhY2UgYXMgd2ViZmluZ2VyLCB5b3Ugd2FudCB0byBrbm93IHNvbWV0aGluZyBhYm91dCBhIHVzZXIgYW5kIHRoZXJlJ3MgYSB1c2VmdWwgc2V0IG9mIGluZm9ybWF0aW9uIHlvdSBtaWdodCByZWFzb25hYmx5IHF1ZXJ5LCBidXQgaW4gdGhlIGVuZCB0aGUgc2VydmVyIG1heSBoYXZlIGl0J3Mgb3duIHNjaGVtYSBvZiBkYXRhIGl0IHJldHVybnMuIMKgVGhlcmUgd29uJ3QgYmUgYSBzaW5nbGUgc2NoZW1hIHRoYXQgZml0cyBhbGwgdXNlIGNhc2VzLCABMAEBAQE-
X-Mailer: YahooMailWebService/0.8.196.685
References: <53D6895F.4050104@gmx.net> <CAEayHEM+pqDqv1qx=Z-qhNuYM-s2cV0z=sQb_FAJaGwcLpq_rQ@mail.gmail.com> <20A36D56-D581-4EDE-9DEA-D3F9C48AD20B@oracle.com> <53D6ED5A.10500@mit.edu> <33F1EE39-2BDF-4F3D-B4DD-4AB9848BC4BF@oracle.com> <F9F7D2A9-6E70-47BA-9AF6-8EB799EB28F7@gmail.com>
Message-ID: <1406657488.80350.YahooMailNeo@web142801.mail.bf1.yahoo.com>
Date: Tue, 29 Jul 2014 11:11:28 -0700
From: Bill Mills <wmills_92105@yahoo.com>
To: Paul Madsen <paul.madsen@gmail.com>, Phil Hunt <phil.hunt@oracle.com>
In-Reply-To: <F9F7D2A9-6E70-47BA-9AF6-8EB799EB28F7@gmail.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="469468616-14357203-1406657488=:80350"
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/KnQVu43z2NAoEcyjtJS3w8QXGiA
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Confirmation: Call for Adoption of "OAuth Token Introspection" as an OAuth Working Group Item
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: Bill Mills <wmills_92105@yahoo.com>
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 29 Jul 2014 18:11:43 -0000
This is exactly the same problem space as webfinger, you want to know something about a user and there's a useful set of information you might reasonably query, but in the end the server may have it's own schema of data it returns. There won't be a single schema that fits all use cases, Any given RS/AS ecosystem may decide they have custom stuff and omit other stuff. I think the more rigid the MTI schema gets the harder the battle in this case. On Tuesday, July 29, 2014 2:56 AM, Paul Madsen <paul.madsen@gmail.com> wrote: Standardized Introspection will be valuable in NAPPS, where the AS and RS may be in different policy domains. Even for single policy domains, there are enterprise scenarios where the RS is from a different vendor than the AS, such as when an API gateway validates tokens issued by an 'IdP' . We've necessarily defined our own introspection endpoint and our gateway partners have implemented it, (at the instruction of the customer in question). But of course it's proprietary to us. Paul On Jul 28, 2014, at 8:59 PM, Phil Hunt <phil.hunt@oracle.com> wrote: That doesn’t explain the need for inter-operability. What you’ve described is what will be common practice. > > >It’s a great open source technique, but that’s not a standard. > > >JWT is much different. JWT is a foundational specification that describes the construction and parsing of JSON based tokens. There is inter-op with token formats that build on top and there is inter-op between every communicating party. > > >In OAuth, a site may never implement token introspection nor may it do it the way you describe. Why would that be a problem? Why should the group spend time on something where there may be no inter-op need. > > >Now that said, if you are in the UMA community. Inter-op is quite foundational. It is very very important. But then maybe the spec should be defined within UMA? > > >Phil > > >@independentid >www.independentid.comphil.hunt@oracle.com > > > > >On Jul 28, 2014, at 5:39 PM, Justin Richer <jricher@MIT.EDU> wrote: > >It's analogous to JWT in many ways: when you've got the AS and the RS separated somehow (different box, different domain, even different software vendor) and you need to communicate a set of information about the approval delegation from the AS (who has the context to know about it) through to the RS (who needs to know about it to make the authorization call). JWT gives us an interoperable way to do this by passing values inside the token itself, introspection gives a way to pass the values by reference via the token as an artifact. The two are complementary, and there are even cases where you'd want to deploy them together. >> >> -- Justin >> >>On 7/28/2014 8:11 PM, Phil Hunt wrote: >> >>Could we have some discussion on the interop cases? >>> >>> >>>Is it driven by scenarios where AS and resource are separate domains? Or may this be only of interest to specific protocols like UMA? >>> >>> >>>From a technique principle, the draft is important and sound. I am just not there yet on the reasons for an interoperable standard. >>> >>> >>>Phil >>> >>>On Jul 28, 2014, at 17:00, Thomas Broyer <t.broyer@gmail.com> wrote: >>> >>> >>>Yes. This spec is of special interest to the platform we're building for http://www.oasis-eu.org/ >>>> >>>> >>>> >>>>On Mon, Jul 28, 2014 at 7:33 PM, Hannes Tschofenig <hannes.tschofenig@gmx.net> wrote: >>>> >>>>Hi all, >>>>> >>>>>during the IETF #90 OAuth WG meeting, there was strong consensus in >>>>>adopting the "OAuth Token Introspection" >>>>>(draft-richer-oauth-introspection-06.txt) specification as an OAuth WG >>>>>work item. >>>>> >>>>>We would now like to verify the outcome of this call for adoption on the >>>>>OAuth WG mailing list. Here is the link to the document: >>>>>http://datatracker.ietf.org/doc/draft-richer-oauth-introspection/ >>>>> >>>>>If you did not hum at the IETF 90 OAuth WG meeting, and have an opinion >>>>>as to the suitability of adopting this document as a WG work item, >>>>>please send mail to the OAuth WG list indicating your opinion (Yes/No). >>>>> >>>>>The confirmation call for adoption will last until August 10, 2014. If >>>>>you have issues/edits/comments on the document, please send these >>>>>comments along to the list in your response to this Call for Adoption. >>>>> >>>>>Ciao >>>>>Hannes & Derek >>>>> >>>>> >>>>>_______________________________________________ >>>>>OAuth mailing list >>>>>OAuth@ietf.org >>>>>https://www.ietf.org/mailman/listinfo/oauth >>>>> >>>>> >>>> >>>> >>>> >>>> -- >>>>Thomas Broyer >>>>/tɔ.ma.bʁwa.je/ >>>_______________________________________________ >>>>OAuth mailing list >>>>OAuth@ietf.org >>>>https://www.ietf.org/mailman/listinfo/oauth >>>> >>> >>> >>>_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth >> _______________________________________________ >>OAuth mailing list >>OAuth@ietf.org >>https://www.ietf.org/mailman/listinfo/oauth >> > _______________________________________________ >OAuth mailing list >OAuth@ietf.org >https://www.ietf.org/mailman/listinfo/oauth > _______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
- [OAUTH-WG] Confirmation: Call for Adoption of "OA… Hannes Tschofenig
- Re: [OAUTH-WG] Confirmation: Call for Adoption of… Eve Maler
- Re: [OAUTH-WG] Confirmation: Call for Adoption of… Bill Mills
- Re: [OAUTH-WG] Confirmation: Call for Adoption of… Thomas Broyer
- Re: [OAUTH-WG] Confirmation: Call for Adoption of… Phil Hunt
- Re: [OAUTH-WG] Confirmation: Call for Adoption of… Justin Richer
- Re: [OAUTH-WG] Confirmation: Call for Adoption of… Phil Hunt
- Re: [OAUTH-WG] Confirmation: Call for Adoption of… Thomas Broyer
- Re: [OAUTH-WG] Confirmation: Call for Adoption of… Justin Richer
- Re: [OAUTH-WG] Confirmation: Call for Adoption of… Tirumaleswar Reddy (tireddy)
- Re: [OAUTH-WG] Confirmation: Call for Adoption of… Mark Dobrinic
- Re: [OAUTH-WG] Confirmation: Call for Adoption of… Paul Madsen
- Re: [OAUTH-WG] Confirmation: Call for Adoption of… Mike Jones
- Re: [OAUTH-WG] Confirmation: Call for Adoption of… Justin Richer
- Re: [OAUTH-WG] Confirmation: Call for Adoption of… Bill Mills
- Re: [OAUTH-WG] Confirmation: Call for Adoption of… Justin Richer
- Re: [OAUTH-WG] Confirmation: Call for Adoption of… Eve Maler
- Re: [OAUTH-WG] Confirmation: Call for Adoption of… Phil Hunt
- Re: [OAUTH-WG] Confirmation: Call for Adoption of… Thomas Broyer
- Re: [OAUTH-WG] Confirmation: Call for Adoption of… George Fletcher
- Re: [OAUTH-WG] Confirmation: Call for Adoption of… Phil Hunt
- Re: [OAUTH-WG] Confirmation: Call for Adoption of… Mike Jones
- Re: [OAUTH-WG] Confirmation: Call for Adoption of… Thomas Broyer
- Re: [OAUTH-WG] Confirmation: Call for Adoption of… Mike Jones
- Re: [OAUTH-WG] Confirmation: Call for Adoption of… Justin Richer
- Re: [OAUTH-WG] Confirmation: Call for Adoption of… Justin Richer
- Re: [OAUTH-WG] Confirmation: Call for Adoption of… Phil Hunt
- Re: [OAUTH-WG] Confirmation: Call for Adoption of… Thomas Broyer
- Re: [OAUTH-WG] Confirmation: Call for Adoption of… Phil Hunt
- Re: [OAUTH-WG] Confirmation: Call for Adoption of… Justin Richer
- Re: [OAUTH-WG] Confirmation: Call for Adoption of… Anthony Nadalin
- Re: [OAUTH-WG] Confirmation: Call for Adoption of… Phil Hunt
- Re: [OAUTH-WG] Confirmation: Call for Adoption of… Eve Maler
- Re: [OAUTH-WG] Confirmation: Call for Adoption of… Tirumaleswar Reddy (tireddy)
- Re: [OAUTH-WG] Confirmation: Call for Adoption of… Thomas Broyer
- Re: [OAUTH-WG] Confirmation: Call for Adoption of… Sergey Beryozkin
- Re: [OAUTH-WG] Confirmation: Call for Adoption of… Sergey Beryozkin
- Re: [OAUTH-WG] Confirmation: Call for Adoption of… John Bradley
- Re: [OAUTH-WG] Confirmation: Call for Adoption of… Sergey Beryozkin
- Re: [OAUTH-WG] Confirmation: Call for Adoption of… John Bradley
- Re: [OAUTH-WG] Confirmation: Call for Adoption of… Sergey Beryozkin
- Re: [OAUTH-WG] Confirmation: Call for Adoption of… George Fletcher
- Re: [OAUTH-WG] Confirmation: Call for Adoption of… George Fletcher
- Re: [OAUTH-WG] Confirmation: Call for Adoption of… George Fletcher
- Re: [OAUTH-WG] Confirmation: Call for Adoption of… John Bradley
- Re: [OAUTH-WG] Confirmation: Call for Adoption of… Anthony Nadalin
- Re: [OAUTH-WG] Confirmation: Call for Adoption of… John Bradley
- Re: [OAUTH-WG] Confirmation: Call for Adoption of… Brian Campbell