IETF Logo Mail Archive

Re: [OAUTH-WG] Simpilfying use of assertions when requesting an access token

Eran Hammer-Lahav <eran@hueniverse.com> Fri, 10 September 2010 14:59 UTC

Return-Path: <eran@hueniverse.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 8B6703A68D8 for <oauth@core3.amsl.com>; Fri, 10 Sep 2010 07:59:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.487
X-Spam-Level:
X-Spam-Status: No, score=-2.487 tagged_above=-999 required=5 tests=[AWL=0.112, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id i8M+tlCrlL6K for <oauth@core3.amsl.com>; Fri, 10 Sep 2010 07:59:27 -0700 (PDT)
Received: from p3plex1out02.prod.phx3.secureserver.net (p3plex1out02.prod.phx3.secureserver.net [72.167.180.18]) by core3.amsl.com (Postfix) with SMTP id 7EF243A67EF for <oauth@ietf.org>; Fri, 10 Sep 2010 07:59:27 -0700 (PDT)
Received: (qmail 26813 invoked from network); 10 Sep 2010 14:59:54 -0000
Received: from unknown (HELO smtp.ex1.secureserver.net) (72.167.180.21) by p3plex1out02.prod.phx3.secureserver.net with SMTP; 10 Sep 2010 14:59:54 -0000
Received: from P3PW5EX1MB01.EX1.SECURESERVER.NET ([10.6.135.20]) by P3PW5EX1HT003.EX1.SECURESERVER.NET ([72.167.180.21]) with mapi; Fri, 10 Sep 2010 07:59:52 -0700
From: Eran Hammer-Lahav <eran@hueniverse.com>
To: David Waite <david@alkaline-solutions.com>, "OAuth WG (oauth@ietf.org)" <oauth@ietf.org>
Date: Fri, 10 Sep 2010 07:59:47 -0700
Thread-Topic: [OAUTH-WG] Simpilfying use of assertions when requesting an access token
Thread-Index: ActQuwK24Dkx29uzSim+8+bnMFNWPQAPXkdg
Message-ID: <90C41DD21FB7C64BB94121FBBC2E72343B3F3F06F6@P3PW5EX1MB01.EX1.SECURESERVER.NET>
References: <90C41DD21FB7C64BB94121FBBC2E72343B3F35BE13@P3PW5EX1MB01.EX1.SECURESERVER.NET> <20D537B5-432F-422D-B415-63276C2970CA@alkaline-solutions.com>
In-Reply-To: <20D537B5-432F-422D-B415-63276C2970CA@alkaline-solutions.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Subject: Re: [OAUTH-WG] Simpilfying use of assertions when requesting an access token
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 10 Sep 2010 14:59:28 -0000

While making the spec somewhat shorter, it doesn't make it more readable or easier to implement. Getting rid of the assertion grant type and sub type parameter makes that part simpler and makes extensions more intuitive. I have looked into most abstraction ideas and have rules most of them out because they hurt the readability of the spec, even if they make it more consistent.

In -11 I am moving half way back to separate profiles for each flow.

EHL

> -----Original Message-----
> From: David Waite [mailto:david@alkaline-solutions.com]
> Sent: Friday, September 10, 2010 12:37 AM
> To: OAuth WG (oauth@ietf.org)
> Cc: Eran Hammer-Lahav
> Subject: Re: [OAUTH-WG] Simpilfying use of assertions when requesting an
> access token
> 
> I think combining the grant_type and assertion_type together is a great idea.
> However, I have recently been wondering if it would be a good idea to unify
> all the access grants to use the same parameters.
> 
> For instance, you could have the parameters:
> 
> 	grant_type - the type of access grant (of course)
> 	grant_qualifier - an identifier or URI associated with the grant
> 	grant_value - the data (such as an opaque or secret value) used for a
> particular type of access grant
> 
> So for the grant types mentioned below, you would have:
> 
> 	password:
> 		a grant_qualifier of the user identifier, and a grant_value of
> their password
> 
> 	client_credentials:
> 		a grant_qualifier of the client identifier, and a grant_value of
> the shared secret
> 
> 	refresh_token:
> 		no grant_qualifier, a grant_value of the refresh token
> 
> 	authorization_code:
> 		a grant_qualifier of the callback URI used to return the
> authorization code to the client, and a grant_value of the actual code
> 
> 	<SAML assertion extension URI>:
> 		no grant_qualifier, a grant_value of the assertion as a string
> 
> This would seem to have the following benefits:
> 	- A number of query parameters defined to be used only in cases of a
> particular grant_type value would be eliminated
> 	- The qualifier/value would provide a guideline for structuring new
> grant types
> 	- The "grant_" prefix for the parameters could provide a logical
> grouping for any additional parameters, if a new grant type required more
> than the qualifier/value pair above.
> 
> I must admit however, I had difficulty figuring out how to phrase 'qualifier' so
> that it would apply to a callback URI. I think it makes sense in that an
> authorization code is issued against and only valid for a specific callback URI,
> but would understand if this came off feeling like overloading that
> parameter.
> 
> -David Waite
> 
> On Sep 2, 2010, at 3:11 PM, Eran Hammer-Lahav wrote:
> 
> > I would like to make this change in -11:
> >
> > Instead of the current user of the 'assertion' grant type -
> >
> >   POST /token HTTP/1.1
> >   Host: server.example.com
> >   Content-Type: application/x-www-form-urlencoded
> >
> >   grant_type=assertion&
> >
> assertion_type=urn%3Aoasis%3Anames%3Atc%3ASAML%3A2.0%3Aassertio
> n&
> >   assertion=PHNhbWxwOl[...omitted for brevity...]ZT4%3D
> >
> > Drop the 'assertion' grant type and put the assertion type directly in the
> grant_type parameter:
> >
> >   POST /token HTTP/1.1
> >   Host: server.example.com
> >   Content-Type: application/x-www-form-urlencoded
> >
> >
> grant_type=urn%3Aoasis%3Anames%3Atc%3ASAML%3A2.0%3Aassertion&
> >   assertion=PHNhbWxwOl[...omitted for brevity...]ZT4%3D
> >
> > In other words, the grant_type parameter value will be defined as:
> >
> > -          authorization_code
> > -          password
> > -          client_credentials
> > -          refresh_token
> > -          an abolute URI (extensions)
> >
> > I considered turning all the values into URIs but found it to be counter-
> intuitive. The practice of using "official" short names and extension URIs is
> well established and is already the general architecture used here. This just
> makes it cleaner.
> >
> > I ran this idea by Brian Campbell and Chuck Mortimore who are generally
> supportive of the idea.
> >
> > Any objections?
> >
> > EHL
> >
> > _______________________________________________
> > OAuth mailing list
> > OAuth@ietf.org
> > https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email