Re: [OAUTH-WG] JWT binding for OAuth 2.0
Hannes Tschofenig <hannes.tschofenig@gmx.net> Wed, 15 April 2015 08:16 UTC
Message-ID: <552E1E60.8010602@gmx.net>
Date: Wed, 15 Apr 2015 10:16:32 +0200
From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
To: Prabath Siriwardena <prabath@wso2.com>, John Bradley <ve7jtb@ve7jtb.com>
References: <CAJV9qO-PsiNOdfBAf9k0VJ7+eGkE_g_gbygdCbGMv2UT56Ld=g@mail.gmail.com> <A0FFB94C-1EDB-41B9-B1E2-6943B078145F@ve7jtb.com> <CAJV9qO8KJk07Hs7X0tE2UKxeQNA3XaQO2uOF5xfVz0eDd8RgrA@mail.gmail.com> <422C5670-7D2D-4E1C-9E06-74CCB9054260@ve7jtb.com> <CAJV9qO-u8dRB9Rs5Le2GyiVa+eS7U_3_mAAn=5qZz7HQLL=qdw@mail.gmail.com>
In-Reply-To: <CAJV9qO-u8dRB9Rs5Le2GyiVa+eS7U_3_mAAn=5qZz7HQLL=qdw@mail.gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/L7PZRelNnKySBxDY1wy2qY5eQQo>
Cc: "oauth@ietf.org WG" <oauth@ietf.org>
Hi Prabath,

the reason we have documents that describe the transport of bearer tokens/proof-of-possession tokens over the different transports is that the task is more than just conveying a JWT over some protocol.

There are various documents that specify the transport of OAuth access tokens over some protocol:

* Bearer Tokens over HTTPS: https://tools.ietf.org/html/rfc6750
* Proof-of-Possession Tokens over TURN: http://tools.ietf.org/html/draft-ietf-tram-turn-third-party-authz-13
* Bearer Tokens over SASL: https://tools.ietf.org/html/draft-ietf-kitten-sasl-oauth-19
* Bearer Tokens over CoAP: https://tools.ietf.org/html/draft-tschofenig-ace-oauth-bt-01
* OAuth over SIP: https://tools.ietf.org/html/draft-yusef-sipcore-sip-oauth-02
* Then, there is all the work on proof-of-possession tokens that requires thoughts on how to tie the access token to the request (see http://tools.ietf.org/html/draft-ietf-oauth-signed-http-request-01 or token binding at https://tools.ietf.org/html/draft-ietf-tokbind-protocol-00)

If you look at these documents then you will see that the characteristics of the underlying protocol matter a lot from a security point of view. There are also encoding and discovery related aspects that need to be taken into account as well.

If someone wants to figure out how to carry OAuth access tokens over MQTT then they will have to figure out whether there are some additional considerations to take into account.

What we should probably be doing in this group is to write a guidance document for using OAuth over <<foo>>.

Ciao
Hannes

On 04/15/2015 12:02 AM, Prabath Siriwardena wrote:
> It can be a JSON payload over JMS or even MQTT..
>
> I have seen some effort to create an MQTT binding for OAuth 2.0 - but
> then again for each transport we need to have a binding..
>
> But - creating a message level binding would be much better IMHO..
>
> Thanks & regards,
> -Prabath
>
> On Tue, Apr 14, 2015 at 2:55 PM, John Bradley <ve7jtb@ve7jtb.com> wrote:
>
> Most of the pub sub things I have seen use HTTP transport. Do you
> have a pointer to the protocol?
>
>> On Apr 14, 2015, at 6:48 PM, Prabath Siriwardena <prabath@wso2.com> wrote:
>>
>> Thanks John for the pointer - will have a look..
>>
>> I am looking at this for a pub/sub scenario.. Having a JWT binding
>> would benefit that..
>>
>> Also - why I want the access token to be inside a JWT is - when we
>> send a JSON payload in this case, we already have the JWT envelope
>> and the access token needs to be carried inside..
>>
>> Thanks & regards,
>> -Prabath
>>
>> On Tue, Apr 14, 2015 at 2:41 PM, John Bradley <ve7jtb@ve7jtb.com> wrote:
>>
>> There is an OAuth binding to
>> SASL https://tools.ietf.org/html/draft-ietf-kitten-sasl-oauth-19
>>
>> Google supports it for IMAP/SMTP, I think the latest iOS and
>> OSX mail client updates use it rather than passwords for Google.
>> I also noticed Outlook on Android using it.
>>
>> The access token might be a signed or encrypted JWT itself. I
>> don't know that wrapping it again necessarily helps.
>>
>> Yes we should have bindings to other non http protocols.
>>
>> Is there something specific that you are looking for that is
>> not covered by SASL?
>>
>> John B.
>>
>>> On Apr 14, 2015, at 6:21 PM, Prabath Siriwardena <prabath@wso2.com> wrote:
>>>
>>> At the moment we only have an HTTP binding to transport the access
>>> token (please correct me if not)..
>>>
>>> This creates a dependency on the transport.
>>>
>>> How about creating a JWT binding for OAuth 2.0..? We can
>>> transport the access token as an encrypted JWT header
>>> parameter..?
>>>
>>> Thanks & Regards,
>>> Prabath
>>>
>>> Twitter : @prabath
>>> LinkedIn : http://www.linkedin.com/in/prabathsiriwardena
>>>
>>> Mobile : +1 650 625 7950
>>>
>>> http://blog.facilelogin.com
>>> http://blog.api-security.org
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
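As an added illustration of Hannes's point that a proof-of-possession token has to be tied to the request, whereas a bearer token is accepted wherever it shows up, here is constructed example code that is not from the thread or from any draft it cites. It sketches, in simplified form, a client MACing a canonical description of its request with a key the token confirms, and the resource server recomputing that MAC over the request it actually received; the shared symmetric key, the field names (m, u, p, b, ts; loosely modelled on the signed-HTTP-request draft but not its wire format), the skew window and the sample request values are all assumptions.

```python
import hashlib
import hmac
import json

# Constructed demo key. In a real deployment this is the key the access
# token confirms (e.g. via a "cnf" claim), and the resource server looks
# it up from the presented token instead of sharing a constant.
POP_KEY = b"constructed-demo-key-not-a-real-secret"


def canonical(method, host, path, body, ts):
    """Hypothetical canonical form of the request. Method and host are
    normalised so that harmless case differences do not break a valid
    proof; the body is represented by its SHA-256 hash."""
    fields = {
        "m": method.upper(),
        "u": host.lower(),
        "p": path,
        "b": hashlib.sha256(body).hexdigest(),
        "ts": ts,
    }
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def sign_request(method, host, path, body, ts, key=POP_KEY):
    """Client side: MAC the canonical request with the token's key."""
    return hmac.new(key, canonical(method, host, path, body, ts),
                    hashlib.sha256).hexdigest()


def verify_request(sig, ts, method, host, path, body, now,
                   key=POP_KEY, max_skew=60):
    """Resource server side: recompute over what actually arrived.

    Replaying the same proof on another method, host, path or body fails
    because the canonical form differs; a stale timestamp fails the
    freshness check even if the request is byte-for-byte identical."""
    if abs(now - ts) > max_skew:
        return False
    expected = sign_request(method, host, path, body, ts, key)
    return hmac.compare_digest(expected, sig)


def bearer_check(presented, issued):
    """Bearer token for contrast: whoever holds the string is accepted,
    regardless of which request or transport carried it."""
    return hmac.compare_digest(presented, issued)
```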