Re: [OAUTH-WG] Confirmation: Call for Adoption of "OAuth Token Introspection" as an OAuth Working Group Item

Anthony Nadalin <tonynad@microsoft.com> Wed, 30 July 2014 14:33 UTC

Return-Path: <tonynad@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 972151A00FC for <oauth@ietfa.amsl.com>; Wed, 30 Jul 2014 07:33:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4NyD8RgmZVPG for <oauth@ietfa.amsl.com>; Wed, 30 Jul 2014 07:33:04 -0700 (PDT)
Received: from na01-bn1-obe.outbound.protection.outlook.com (mail-bn1blp0187.outbound.protection.outlook.com [207.46.163.187]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6DBAE1A00DF for <oauth@ietf.org>; Wed, 30 Jul 2014 07:32:58 -0700 (PDT)
Received: from BLUPR03MB309.namprd03.prod.outlook.com (10.141.48.22) by BLUPR03MB309.namprd03.prod.outlook.com (10.141.48.22) with Microsoft SMTP Server (TLS) id 15.0.995.11; Wed, 30 Jul 2014 14:32:55 +0000
Received: from BLUPR03MB309.namprd03.prod.outlook.com ([10.141.48.22]) by BLUPR03MB309.namprd03.prod.outlook.com ([10.141.48.22]) with mapi id 15.00.0995.011; Wed, 30 Jul 2014 14:32:55 +0000
From: Anthony Nadalin <tonynad@microsoft.com>
To: John Bradley <ve7jtb@ve7jtb.com>, Sergey Beryozkin <sberyozkin@gmail.com>
Thread-Topic: [OAUTH-WG] Confirmation: Call for Adoption of "OAuth Token Introspection" as an OAuth Working Group Item
Thread-Index: AQHPqooP8wIKNi1N/E+X2zjP/3sagZu2KzcAgAAC6YCAAXSXAIAAHzgAgAAKF4CAAACigIAAcsMAgABCDQCAAAKLAIAAAncAgAABgwCAACWpAIAAA5MY
Date: Wed, 30 Jul 2014 14:32:55 +0000
Message-ID: <0b4a995ea28e40bc87fd4deab0e7dc8b@BLUPR03MB309.namprd03.prod.outlook.com>
References: <53D6895F.4050104@gmx.net> <CAEayHEM+pqDqv1qx=Z-qhNuYM-s2cV0z=sQb_FAJaGwcLpq_rQ@mail.gmail.com> <20A36D56-D581-4EDE-9DEA-D3F9C48AD20B@oracle.com> <53D81F2C.2060700@aol.com> <4E1F6AAD24975D4BA5B16804296739439ADF77B2@TK5EX14MBXC293.redmond.corp.microsoft.com> <53D841D3.6020505@mit.edu> <311A2204-E968-4657-BD27-58DCD072542A@oracle.com> <53D8A2A0.5040205@gmail.com> <9AF95517-3415-4A3C-A2FB-3BBDFC49E218@ve7jtb.com> <53D8DC2A.6030503@gmail.com> <7189BB03-0962-4B62-A82B-052E70B0A7DF@ve7jtb.com> <53D8DF80.4010301@gmail.com>, <9F7C6EC9-065E-4901-B6A3-A00875675439@ve7jtb.com>
In-Reply-To: <9F7C6EC9-065E-4901-B6A3-A00875675439@ve7jtb.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [166.137.122.135]
x-microsoft-antispam: BCL:0;PCL:0;RULEID:
x-forefront-prvs: 0288CD37D9
x-forefront-antispam-report: SFV:NSPM; SFS:(24454002)(189002)(479174003)(51704005)(377454003)(199002)(51914003)(164054003)(53754006)(19625215002)(83072002)(74502001)(76482001)(2656002)(46102001)(76176999)(21056001)(33646002)(54356999)(86612001)(87936001)(74316001)(16236675004)(93886003)(86362001)(4396001)(50986999)(15202345003)(15975445006)(19580405001)(92566001)(74662001)(101416001)(31966008)(81542001)(107046002)(80022001)(81342001)(106116001)(105586002)(106356001)(85852003)(85306003)(95666004)(20776003)(79102001)(66066001)(19580395003)(99396002)(76576001)(83322001)(64706001)(77982001)(19617315012)(99286002)(108616002)(42262001)(24736002); DIR:OUT; SFP:; SCL:1; SRVR:BLUPR03MB309; H:BLUPR03MB309.namprd03.prod.outlook.com; FPR:; MLV:sfv; PTR:InfoNoRecords; MX:1; LANG:en;
Content-Type: multipart/alternative; boundary="_000_0b4a995ea28e40bc87fd4deab0e7dc8bBLUPR03MB309namprd03pro_"
MIME-Version: 1.0
X-OriginatorOrg: microsoft.onmicrosoft.com
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/LVAx4JpA3TLDJD2vlqz0kywZnkg
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Confirmation: Call for Adoption of "OAuth Token Introspection" as an OAuth Working Group Item
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 30 Jul 2014 14:33:10 -0000

John this is for the people that did not hum  at the face to face and not just for the people not  at the face to face.

Sent from my Windows Phone
________________________________
From: John Bradley<mailto:ve7jtb@ve7jtb.com>
Sent: ‎7/‎30/‎2014 7:20 AM
To: Sergey Beryozkin<mailto:sberyozkin@gmail.com>
Cc: oauth@ietf.org<mailto:oauth@ietf.org>
Subject: Re: [OAUTH-WG] Confirmation: Call for Adoption of "OAuth Token Introspection" as an OAuth Working Group Item

No worries.

Some of the people in the F2F piling on with discussion derailed  Hannes original question.
>  during the IETF #90 OAuth WG meeting, there was strong
>        consensus in
>        adopting the "OAuth Token Introspection"
>        (draft-richer-oauth-introspection-06.txt) specification as an
>        OAuth WG
>        work item.
>
>        We would now like to verify the outcome of this call for
>        adoption on the
>        OAuth WG mailing list. Here is the link to the document:
>        http://datatracker.ietf.org/doc/draft-richer-oauth-introspection/
>
>        If you did not hum at the IETF 90 OAuth WG meeting, and have
>        an opinion
>        as to the suitability of adopting this document as a WG work
>        item,
>        please send mail to the OAuth WG list indicating your opinion
>        (Yes/No).
>
>        The confirmation call for adoption will last until August 10,
>        2014.  If
>        you have issues/edits/comments on the document, please send these
>        comments along to the list in your response to this Call for
>        Adoption.

People not in the room commenting and asking questions is expected.   People who expressed opinions in the room should avoid double counting by making it clear they hummed in the room, as our AD may not know everyone's face and name.

I don't know how I became the process monitor.   Normally I am the trouble maker.

I believe what passed for consensus in the room was that this ork is in scope for the WG and this document can serve as a starting point, but that there are things that need to be added.

I think Phil would like a use case document to flesh out peoples understanding.  Others who have been working on this longer are hesitant that doing a use case document without adopting Justin's document as a starting point, will stall the process.

We can however adopt Justin's doc and in parallel add a use case section as part of the doc or as a separate doc.

So if you were not in the F2F hum you need to express an opinion on if draft-richer-oauth-introspection-06.txt should be adopted by the WG item.

John B.
(PS I was in the room and hummed in favour of adopting this as a work item)

On Jul 30, 2014, at 8:05 AM, Sergey Beryozkin <sberyozkin@gmail.com> wrote:

> Hi John
> On 30/07/14 14:59, John Bradley wrote:
>> No,  that those of us who we're fallowing the instructions not to comment if our hum was recorded in the room, should not hold back given the nature of the thread has changed.
>>
>> It was also an indication to the char that the original intent of the thread to judge consensus is impacted by some people who previously hummed piling on the thread.
>>
> I think I understand, thanks for the clarifications, though it appears to be more subtle to me that various OAuth2 technical ambiguities :-)
>> I am more than fine with discussion.  It probably should have been a different thread though.
>>
> Thanks, sorry for the noise anyway
>
> Sergey
>> John B.
>> Sent from my iPhone
>>
>>> On Jul 30, 2014, at 7:51 AM, Sergey Beryozkin <sberyozkin@gmail.com> wrote:
>>>
>>>> On 30/07/14 14:42, John Bradley wrote:
>>>> This request for only those not at the F2F to add to the hum has gone a bit off the rails.
>>> Meaning you see too much feedback, is it bad, even if some of it may be off topic ?
>>>> For those not in the room there was discussion that the draft needed a method to deal with:
>>>> - Multiple AS
>>>> - Supporting the PoP specs
>>>> - stopping clients or other interceptors of the token from introspecting it.
>>>>
>>>> Justin stated that his implementation already had a number of those features.
>>>>
>>>> I offered to help get those into the spec as part of my support for making this a WG item.
>>>>
>>>> Yes if AS and RS are monolithic and there is only one software vendor, then this is not needed.
>>> Why not ? What is wrong with standardizing an introspection process which even RS & AS from the same vendor may want to use as opposed to every vendor inventing its own protocol ?
>>>
>>> This is why I thought focusing on the RS to 3rd party only diverts from the idea which I 'read' in the thread (may be I'm wrong), i.e, standardizing on the RS-to-AS communication, which may not have been considered,
>>>
>>> Cheers, Sergey
>>>
>>>>
>>>> On the other hand there is evidence that is not the case.
>>>>
>>>> John B.
>>>>
>>>>
>>>> Sent from my iPad
>>>>
>>>>> On Jul 30, 2014, at 3:45 AM, Sergey Beryozkin <sberyozkin@gmail.com> wrote:
>>>>>
>>>>> +1.
>>>>>
>>>>> I've understood from what Justin said the idea is to introduce a standard way for RS to communicate to AS about the tokens issued by the AS. I think it is a good idea, I'd only not focus on the RS-to-3rd party AS communications because it complicates it a bit.
>>>>>
>>>>> Clearly it would be of help to implementers of OAuth2 filters protecting RS, having a new lengthy process to collect the cases seems to be a very administrative idea to me
>>>>>
>>>>> Thanks, Sergey
>>>>>
>>>>>> On 30/07/14 03:54, Phil Hunt wrote:
>>>>>> -100
>>>>>>
>>>>>> Phil
>>>>>>
>>>>>> On Jul 29, 2014, at 17:52, Justin Richer <jricher@mit.edu
>>>>>> <mailto:jricher@mit.edu>> wrote:
>>>>>>
>>>>>>> Reading through this thread, it appears very clear to me that the use
>>>>>>> cases are very well established by a number of existing implementers
>>>>>>> who want to work together to build a common standard. I see no reason
>>>>>>> to delay the work artificially by creating a use case document when
>>>>>>> such a vast array of understanding and interest already exists. Any
>>>>>>> use cases and explanations of applications are welcome to be added to
>>>>>>> the working group draft as it progresses.
>>>>>>>
>>>>>>> -- Justin
>>>>>>>
>>>>>>>
>>>>>>>> On 7/29/2014 8:16 PM, Mike Jones wrote:
>>>>>>>>
>>>>>>>> Did you consider standardizing the access token format within that
>>>>>>>> deployment so all the parties that needed to could understand it,
>>>>>>>> rather requiring an extra round trip to an introspection endpoint so
>>>>>>>> as to be able to understand things about it?
>>>>>>>>
>>>>>>>> I realize that might or might not be practical in some cases, but I
>>>>>>>> haven’t heard that alternative discussed, so I thought I’d bring it up.
>>>>>>>>
>>>>>>>> I also second Phil’s comment that it would be good to understand the
>>>>>>>> use cases that this is intended to solve before embarking on a
>>>>>>>> particular solution path.
>>>>>>>>
>>>>>>>> -- Mike
>>>>>>>>
>>>>>>>> *From:*OAuth [mailto:oauth-bounces@ietf.org] *On Behalf Of *George
>>>>>>>> Fletcher
>>>>>>>> *Sent:* Tuesday, July 29, 2014 3:25 PM
>>>>>>>> *To:* Phil Hunt; Thomas Broyer
>>>>>>>> *Cc:* oauth@ietf.org
>>>>>>>> *Subject:* Re: [OAUTH-WG] Confirmation: Call for Adoption of "OAuth
>>>>>>>> Token Introspection" as an OAuth Working Group Item
>>>>>>>>
>>>>>>>> We also have a use case where the AS is provided by a partner and the
>>>>>>>> RS is provided by AOL. Being able to have a standardized way of
>>>>>>>> validating and getting data about the token from the AS would make
>>>>>>>> our implementation much simpler as we can use the same mechanism for
>>>>>>>> all Authorization Servers and not have to implement one off solutions
>>>>>>>> for each AS.
>>>>>>>>
>>>>>>>> Thanks,
>>>>>>>> George
>>>>>>>>
>>>>>>>> On 7/28/14, 8:11 PM, Phil Hunt wrote:
>>>>>>>>
>>>>>>>>    Could we have some discussion on the interop cases?
>>>>>>>>
>>>>>>>>    Is it driven by scenarios where AS and resource are separate
>>>>>>>>    domains? Or may this be only of interest to specific protocols
>>>>>>>>    like UMA?
>>>>>>>>
>>>>>>>>    From a technique principle, the draft is important and sound. I
>>>>>>>>    am just not there yet on the reasons for an interoperable standard.
>>>>>>>>
>>>>>>>>    Phil
>>>>>>>>
>>>>>>>>
>>>>>>>>    On Jul 28, 2014, at 17:00, Thomas Broyer <t.broyer@gmail.com
>>>>>>>>    <mailto:t.broyer@gmail.com>> wrote:
>>>>>>>>
>>>>>>>>        Yes. This spec is of special interest to the platform we're
>>>>>>>>        building for http://www.oasis-eu.org/
>>>>>>>>
>>>>>>>>        On Mon, Jul 28, 2014 at 7:33 PM, Hannes Tschofenig
>>>>>>>>        <hannes.tschofenig@gmx.net
>>>>>>>>        <mailto:hannes.tschofenig@gmx.net>> wrote:
>>>>>>>>
>>>>>>>>        Hi all,
>>>>>>>>
>>>>>>>>        during the IETF #90 OAuth WG meeting, there was strong
>>>>>>>>        consensus in
>>>>>>>>        adopting the "OAuth Token Introspection"
>>>>>>>>        (draft-richer-oauth-introspection-06.txt) specification as an
>>>>>>>>        OAuth WG
>>>>>>>>        work item.
>>>>>>>>
>>>>>>>>        We would now like to verify the outcome of this call for
>>>>>>>>        adoption on the
>>>>>>>>        OAuth WG mailing list. Here is the link to the document:
>>>>>>>>        http://datatracker.ietf.org/doc/draft-richer-oauth-introspection/
>>>>>>>>
>>>>>>>>        If you did not hum at the IETF 90 OAuth WG meeting, and have
>>>>>>>>        an opinion
>>>>>>>>        as to the suitability of adopting this document as a WG work
>>>>>>>>        item,
>>>>>>>>        please send mail to the OAuth WG list indicating your opinion
>>>>>>>>        (Yes/No).
>>>>>>>>
>>>>>>>>        The confirmation call for adoption will last until August 10,
>>>>>>>>        2014.  If
>>>>>>>>        you have issues/edits/comments on the document, please send these
>>>>>>>>        comments along to the list in your response to this Call for
>>>>>>>>        Adoption.
>>>>>>>>
>>>>>>>>        Ciao
>>>>>>>>        Hannes & Derek
>>>>>>>>
>>>>>>>>
>>>>>>>>        _______________________________________________
>>>>>>>>        OAuth mailing list
>>>>>>>>        OAuth@ietf.org <mailto:OAuth@ietf.org>
>>>>>>>>        https://www.ietf.org/mailman/listinfo/oauth
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>        --
>>>>>>>>        Thomas Broyer
>>>>>>>>        /tɔ.ma.bʁwa.je/ <http://xn--nna.ma.xn--bwa-xxb.je/>
>>>>>>>>
>>>>>>>>        _______________________________________________
>>>>>>>>        OAuth mailing list
>>>>>>>>        OAuth@ietf.org <mailto:OAuth@ietf.org>
>>>>>>>>        https://www.ietf.org/mailman/listinfo/oauth
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>    _______________________________________________
>>>>>>>>
>>>>>>>>    OAuth mailing list
>>>>>>>>
>>>>>>>>    OAuth@ietf.org  <mailto:OAuth@ietf.org>
>>>>>>>>
>>>>>>>>    https://www.ietf.org/mailman/listinfo/oauth
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> _______________________________________________
>>>>>>>> OAuth mailing list
>>>>>>>> OAuth@ietf.org
>>>>>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>>>>
>>>>>>
>>>>>> _______________________________________________
>>>>>> OAuth mailing list
>>>>>> OAuth@ietf.org
>>>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>>>
>>>>> _______________________________________________
>>>>> OAuth mailing list
>>>>> OAuth@ietf.org
>>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>