Re: [OAUTH-WG] JWT binding for OAuth 2.0

Hannes Tschofenig <hannes.tschofenig@gmx.net> Wed, 15 April 2015 08:16 UTC

Message-ID: <552E1E60.8010602@gmx.net>
Date: Wed, 15 Apr 2015 10:16:32 +0200
From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
To: Prabath Siriwardena <prabath@wso2.com>, John Bradley <ve7jtb@ve7jtb.com>
References: <CAJV9qO-PsiNOdfBAf9k0VJ7+eGkE_g_gbygdCbGMv2UT56Ld=g@mail.gmail.com> <A0FFB94C-1EDB-41B9-B1E2-6943B078145F@ve7jtb.com> <CAJV9qO8KJk07Hs7X0tE2UKxeQNA3XaQO2uOF5xfVz0eDd8RgrA@mail.gmail.com> <422C5670-7D2D-4E1C-9E06-74CCB9054260@ve7jtb.com> <CAJV9qO-u8dRB9Rs5Le2GyiVa+eS7U_3_mAAn=5qZz7HQLL=qdw@mail.gmail.com>
In-Reply-To: <CAJV9qO-u8dRB9Rs5Le2GyiVa+eS7U_3_mAAn=5qZz7HQLL=qdw@mail.gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/L7PZRelNnKySBxDY1wy2qY5eQQo>
Cc: "oauth@ietf.org WG" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] JWT binding for OAuth 2.0

Hi Prabath,

The reason we have documents that describe the transport of bearer
tokens/proof-of-possession tokens over the different transports is that
the task is more than just conveying a JWT over some protocol.

There are various documents that specify the transport of OAuth access
tokens over some protocol:

* Bearer Tokens over HTTPS:
https://tools.ietf.org/html/rfc6750

* Proof-of-Possession Tokens over TURN:
http://tools.ietf.org/html/draft-ietf-tram-turn-third-party-authz-13

* Bearer Tokens over SASL:
https://tools.ietf.org/html/draft-ietf-kitten-sasl-oauth-19

* Bearer Tokens over CoAP:
https://tools.ietf.org/html/draft-tschofenig-ace-oauth-bt-01

* OAuth over SIP:
https://tools.ietf.org/html/draft-yusef-sipcore-sip-oauth-02

* Then, there is all the work on proof-of-possession tokens that
requires thoughts on how to tie the access token to the request (see
http://tools.ietf.org/html/draft-ietf-oauth-signed-http-request-01 or
token binding at https://tools.ietf.org/html/draft-ietf-tokbind-protocol-00)

If you look at these documents then you will see that the
characteristics of the underlying protocol matter a lot from a security
point of view. There are also encoding and discovery related aspects
that need to be taken into account as well.

If someone wants to figure out how to carry OAuth access tokens over
MQTT then they will have to figure out whether there are some additional
considerations to take into account.

What we should probably be doing in this group is to write a guidance
document for using OAuth over <<foo>>.

Ciao
Hannes
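The SASL binding that John and Hannes both point to (draft-ietf-kitten-sasl-oauth, later published as RFC 7628) is a concrete instance of Hannes's point that the transport fixes encoding and binding details: the client's initial OAUTHBEARER response carries the host and port it believes it is connected to alongside the bearer token, and the server can check those before it even looks at the token. The Python below is an added example, not code from the thread or from the draft; the function names and the sample token are constructed.

```python
import re

KVSEP = "\x01"  # kvsep = %x01 in the OAUTHBEARER ABNF
# gs2-header: channel-binding flag, optional "a=" authorization identity
GS2_RE = re.compile(r"^(?:n|y|p=[^,]+),(?:a=([^,]+))?,$")
# b64token character set from RFC 6750 (Bearer token syntax)
B64TOKEN_RE = re.compile(r"^[A-Za-z0-9\-._~+/]+=*$")


def build_client_response(authzid, host, port, token):
    """Encode an OAUTHBEARER initial client response: GS2 header, then
    host/port/auth key-value pairs each terminated by ^A, plus a final ^A."""
    gs2 = f"n,a={authzid},"  # "n" = client does not support channel binding
    pairs = f"host={host}{KVSEP}port={port}{KVSEP}auth=Bearer {token}{KVSEP}"
    return gs2 + KVSEP + pairs + KVSEP


def parse_client_response(msg, expected_host, expected_port):
    """Server side: validate the framing and the host/port the client says it
    connected to, then return (authzid, bearer_token). Raises ValueError on
    malformed or mismatched input. The token itself still has to be validated
    against the authorization server by the caller."""
    fields = msg.split(KVSEP)
    # Layout after split: [gs2, kv, kv, ..., "", ""]
    if len(fields) < 3 or fields[-1] != "" or fields[-2] != "":
        raise ValueError("bad kvsep framing")
    m = GS2_RE.match(fields[0])
    if not m:
        raise ValueError("bad GS2 header")
    kv = {}
    for pair in fields[1:-2]:
        key, sep, value = pair.partition("=")
        if not sep or not key.isalpha() or key in kv:
            raise ValueError(f"bad or duplicate key-value pair: {pair!r}")
        kv[key] = value
    if kv.get("host", "").lower() != expected_host.lower():
        raise ValueError("host does not match this server")
    if kv.get("port") != str(expected_port):
        raise ValueError("port does not match this server")
    scheme, _, token = kv.get("auth", "").partition(" ")
    if scheme != "Bearer" or not B64TOKEN_RE.match(token):
        raise ValueError("auth is not a well-formed Bearer credential")
    return m.group(1), token


if __name__ == "__main__":
    # Constructed sample values; the token is not a real credential.
    msg = build_client_response("user@example.com", "imap.example.com", 143,
                                "c29tZS1jb25zdHJ1Y3RlZC10b2tlbg==")
    print(parse_client_response(msg, "imap.example.com", 143))
```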

On 04/15/2015 12:02 AM, Prabath Siriwardena wrote:
> It can be a JSON payload over JMS or even MQTT.. 
> 
> I have seen some effort to create an MQTT binding for OAuth 2.0 - but
> then again for each transport we need to have a binding..
> 
> But - creating a message level binding would be much better IMHO..
> 
> Thanks & regards,
> -Prabath
> 
> On Tue, Apr 14, 2015 at 2:55 PM, John Bradley <ve7jtb@ve7jtb.com
> <mailto:ve7jtb@ve7jtb.com>> wrote:
> 
>     Most of the pub sub things I have seen use HTTP transport.  Do you
>     have a pointer to the protocol?
> 
>>     On Apr 14, 2015, at 6:48 PM, Prabath Siriwardena <prabath@wso2.com
>>     <mailto:prabath@wso2.com>> wrote:
>>
>>     Thanks John for the pointer - will have a look..
>>
>>     I am looking at this for a pub/sub scenario..  Having a JWT binding
>>     would benefit that..
>>
>>     Also - why I want access token to be inside a JWT is - when we
>>     send a JSON payload in this case, we already have the JWT envelope
>>     and the access token needs to be carried inside..
>>
>>     Thanks & regards,
>>     -Prabath
>>
>>
>>     On Tue, Apr 14, 2015 at 2:41 PM, John Bradley <ve7jtb@ve7jtb.com
>>     <mailto:ve7jtb@ve7jtb.com>> wrote:
>>
>>         There is an OAuth binding to
>>         SASL https://tools.ietf.org/html/draft-ietf-kitten-sasl-oauth-19
>>
>>         Google supports it for IMAP/SMTP,  I think the latest iOS and
>>         OSX mail client updates use it rather than passwords for Google.
>>         I also noticed Outlook on Android using it.
>>
>>         The access token might be a signed or encrypted JWT itself.  I
>>         don’t know that wrapping it again necessarily helps.
>>
>>         Yes we should have bindings to other non http protocols.
>>
>>         Is there something specific that you are looking for that is
>>         not covered by SASL?
>>
>>         John B.
>>
>>>         On Apr 14, 2015, at 6:21 PM, Prabath Siriwardena
>>>         <prabath@wso2.com <mailto:prabath@wso2.com>> wrote:
>>>
>>>         At the moment we only have an HTTP binding to transport the access
>>>         token (please correct me if not)..
>>>
>>>         This creates a dependency on the transport.
>>>
>>>         How about creating a JWT binding for OAuth 2.0..? We can
>>>         transport the access token as an encrypted JWT header
>>>         parameter..?
>>>
>>>
>>>         Thanks & Regards,
>>>         Prabath
>>>
>>>         Twitter : @prabath
>>>         LinkedIn : http://www.linkedin.com/in/prabathsiriwardena
>>>
>>>         Mobile : +1 650 625 7950 <tel:%2B1%20650%20625%207950>
>>>
>>>         http://blog.facilelogin.com <http://blog.facilelogin.com/>
>>>         http://blog.api-security.org <http://blog.api-security.org/>
>>>         _______________________________________________
>>>         OAuth mailing list
>>>         OAuth@ietf.org <mailto:OAuth@ietf.org>
>>>         https://www.ietf.org/mailman/listinfo/oauth
>>
> 