[OAUTH-WG] Question about usage of OAuth between servers

Lisa Li1 <Lisa_Li1@symantec.com> Tue, 30 June 2015 02:18 UTC

From: Lisa Li1 <Lisa_Li1@symantec.com>
To: "oauth@ietf.org" <oauth@ietf.org>
Date: Mon, 29 Jun 2015 19:18:00 -0700
Message-ID: <47E83806AE926749BB17D1020685E6901903F0CC5F@APJ1XCHEVSPIN36.SYMC.SYMANTEC.COM>
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/Li3htPv1su-I8sUhh8TCW6xZr5k>
Subject: [OAUTH-WG] Question about usage of OAuth between servers

Hi All,

This is Lisa.
Our project is adopting OAuth 2 as its authentication specification.
For the client-server communication, the OAuth token works fine. But we have some cases of server-to-server communication; usually it will be multiple tasks running in parallel or in sequence, or even in multiple threads. In this case, we are not sure whether we should reuse the access token granted by the end user or create another token. Moreover, if the token expires in 30 min, we are able to do a refresh, but we may meet some issues with token consistency between the tasks, so it might be refreshed again and again...

But with OAuth 1.0, since the token will not expire and we don't have to do a refresh, it works fine.

So for OAuth 2.0, what are your considerations for the server-to-server communication scenario? Or do you have any suggestions here?


Lisa Li
Principal Software Engineer
Symantec Corporation

Office: (010) 6272 5127  /  Mobile: 189 1057 2219


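The repeated-refresh problem Lisa describes is a coordination problem between the parallel tasks rather than something OAuth 2.0 itself solves. The following is an added example, not code from the message, the working group or any OAuth library: it reproduces the race (each task notices the expired token and refreshes on its own, so the authorization server sees one refresh per task, and with refresh-token rotation every refresh after the first would be using an already-invalidated refresh token) and contrasts it with a shared token holder that refreshes under a lock and re-checks expiry, so that any number of concurrent tasks that hit expiry at the same moment cause exactly one refresh. The token endpoint and the clock are constructed stand-ins; the class and function names, the 60-second early-refresh skew and the 30-minute lifetime are assumptions.

```python
import threading
import time


class FakeClock:
    """Constructed, settable clock so token expiry can be driven deterministically."""

    def __init__(self, now=0.0):
        self.now = now

    def __call__(self):
        return self.now


class FakeTokenEndpoint:
    """Constructed stand-in for an OAuth 2.0 token endpoint (not a real server).
    Counts refresh requests and issues a new refresh token on every call, as
    authorization servers that rotate refresh tokens do."""

    def __init__(self, lifetime_s=1800, latency_s=0.05):
        self.lifetime_s = lifetime_s
        self.latency_s = latency_s
        self.refresh_calls = 0
        self._lock = threading.Lock()

    def refresh(self, refresh_token):
        with self._lock:
            self.refresh_calls += 1
            n = self.refresh_calls
        time.sleep(self.latency_s)  # network round trip; lets concurrent callers overlap
        return {"access_token": f"at-{n}", "refresh_token": f"rt-{n}",
                "expires_in": self.lifetime_s}


class NaiveTokenHolder:
    """Every task refreshes on its own as soon as it sees the token has expired."""

    def __init__(self, endpoint, initial, skew_s=60, clock=time.monotonic):
        self._endpoint, self._clock, self._skew = endpoint, clock, skew_s
        self._store(initial)

    def _store(self, resp):
        self.access_token = resp["access_token"]
        self.refresh_token = resp["refresh_token"]
        self.expires_at = self._clock() + resp["expires_in"]

    def _stale(self):
        # Treat the token as expired a little early so a request in flight does not fail.
        return self._clock() >= self.expires_at - self._skew

    def get_access_token(self):
        if self._stale():
            self._store(self._endpoint.refresh(self.refresh_token))
        return self.access_token


class SingleFlightTokenHolder(NaiveTokenHolder):
    """One token shared by all tasks; the refresh is serialised and expiry is
    re-checked under the lock, so N tasks that find the token expired at the
    same time cause one refresh and then all use the same new token."""

    def __init__(self, *args, **kwargs):
        self._refresh_lock = threading.Lock()
        super().__init__(*args, **kwargs)

    def get_access_token(self):
        if not self._stale():
            return self.access_token
        with self._refresh_lock:
            if self._stale():  # another task may have refreshed while we waited
                self._store(self._endpoint.refresh(self.refresh_token))
            return self.access_token


def run_parallel_tasks(holder_cls, n_tasks=8):
    """Let n_tasks threads ask for a token at the moment it has just expired.
    Returns (number of refresh requests sent, set of access tokens the tasks used)."""
    clock = FakeClock()
    endpoint = FakeTokenEndpoint()
    initial = {"access_token": "at-0", "refresh_token": "rt-0", "expires_in": 1800}  # constructed
    holder = holder_cls(endpoint, initial, clock=clock)
    clock.now = 1800.0  # 30 minutes later: the access token has expired
    barrier = threading.Barrier(n_tasks)
    tokens, tokens_lock = [], threading.Lock()

    def task():
        barrier.wait()  # all tasks start together
        tok = holder.get_access_token()
        with tokens_lock:
            tokens.append(tok)

    threads = [threading.Thread(target=task) for _ in range(n_tasks)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return endpoint.refresh_calls, set(tokens)


if __name__ == "__main__":
    print("naive:        ", run_parallel_tasks(NaiveTokenHolder))
    print("single-flight:", run_parallel_tasks(SingleFlightTokenHolder))
```

The holder pattern is the same whichever grant issued the token. Where the server-to-server calls do not act on behalf of an end user at all, RFC 6749 section 4.4 (the client credentials grant) lets the calling server obtain its own access token with its own client credentials, which avoids sharing a user-delegated token between background tasks in the first place; the refresh coordination above still applies to that token when it expires.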