Re: [OAUTH-WG] Confirmation: Call for Adoption of "OAuth Token Introspection" as an OAuth Working Group Item

Sergey Beryozkin <sberyozkin@gmail.com> Wed, 30 July 2014 07:45 UTC

Return-Path: <sberyozkin@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 209641ABB33 for <oauth@ietfa.amsl.com>; Wed, 30 Jul 2014 00:45:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CjXmgs3hCeFL for <oauth@ietfa.amsl.com>; Wed, 30 Jul 2014 00:45:40 -0700 (PDT)
Received: from mail-wg0-x231.google.com (mail-wg0-x231.google.com [IPv6:2a00:1450:400c:c00::231]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 94F871ABB2F for <oauth@ietf.org>; Wed, 30 Jul 2014 00:45:40 -0700 (PDT)
Received: by mail-wg0-f49.google.com with SMTP id k14so756769wgh.8 for <oauth@ietf.org>; Wed, 30 Jul 2014 00:45:39 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:date:from:user-agent:mime-version:to:subject:references :in-reply-to:content-type:content-transfer-encoding; bh=jv8Oo0hTXbih7xpK0/PgK7X6ukxN43vSo4zeDvyyRZk=; b=MW0qUIgpE0+VhRNQ0hdQlde3v5NMJKQjaXdM8vhmKv6thPBMdKbCeL5n6HJC3sPdhk cS0tgCnHxLEpnSdL62gHCRHY3oaVZjHgv6Urm8hzgfOP5R6WuQPdp6aBH9FeKGjpCuKA UfEPpPL/gzP6ZFLrMkF6urMBw2WfMydWLH9XPNr1foeTUldh3/pZuuMXNhO+iKrlFa8+ JnVNA4eXSozC1f2RPkoNDykLqh4KpnOvaNjwaSl99CZWigTfx/ETlDnvigE8yiZKqPqd t1k+KZXmxvcz9LFdGbn6rykShiKIlhmBMHoTEdLSZ/GhTdJDeZ0o6XyLTEbeILNanJ1Z krQA==
X-Received: by 10.180.186.3 with SMTP id fg3mr4325628wic.78.1406706339246; Wed, 30 Jul 2014 00:45:39 -0700 (PDT)
Received: from [10.39.0.31] ([87.252.227.100]) by mx.google.com with ESMTPSA id dj2sm52450360wib.11.2014.07.30.00.45.38 for <oauth@ietf.org> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Wed, 30 Jul 2014 00:45:38 -0700 (PDT)
Message-ID: <53D8A2A0.5040205@gmail.com>
Date: Wed, 30 Jul 2014 10:45:36 +0300
From: Sergey Beryozkin <sberyozkin@gmail.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.6.0
MIME-Version: 1.0
To: oauth@ietf.org
References: <53D6895F.4050104@gmx.net> <CAEayHEM+pqDqv1qx=Z-qhNuYM-s2cV0z=sQb_FAJaGwcLpq_rQ@mail.gmail.com> <20A36D56-D581-4EDE-9DEA-D3F9C48AD20B@oracle.com> <53D81F2C.2060700@aol.com> <4E1F6AAD24975D4BA5B16804296739439ADF77B2@TK5EX14MBXC293.redmond.corp.microsoft.com> <53D841D3.6020505@mit.edu> <311A2204-E968-4657-BD27-58DCD072542A@oracle.com>
In-Reply-To: <311A2204-E968-4657-BD27-58DCD072542A@oracle.com>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/MhEFUvcnHByeXeWialdJrRzd7uA
Subject: Re: [OAUTH-WG] Confirmation: Call for Adoption of "OAuth Token Introspection" as an OAuth Working Group Item
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 30 Jul 2014 07:45:43 -0000

+1.

I've understood from what Justin said the idea is to introduce a 
standard way for RS to communicate to AS about the tokens issued by the 
AS. I think it is a good idea, I'd only not focus on the RS-to-3rd party 
AS communications because it complicates it a bit.

Clearly it would be of help to implementers of OAuth2 filters protecting 
RS, having a new lengthy process to collect the cases seems to be a very 
administrative idea to me

Thanks, Sergey

On 30/07/14 03:54, Phil Hunt wrote:
> -100
>
> Phil
>
> On Jul 29, 2014, at 17:52, Justin Richer <jricher@mit.edu
> <mailto:jricher@mit.edu>> wrote:
>
>> Reading through this thread, it appears very clear to me that the use
>> cases are very well established by a number of existing implementers
>> who want to work together to build a common standard. I see no reason
>> to delay the work artificially by creating a use case document when
>> such a vast array of understanding and interest already exists. Any
>> use cases and explanations of applications are welcome to be added to
>> the working group draft as it progresses.
>>
>>  -- Justin
>>
>>
>> On 7/29/2014 8:16 PM, Mike Jones wrote:
>>>
>>> Did you consider standardizing the access token format within that
>>> deployment so all the parties that needed to could understand it,
>>> rather requiring an extra round trip to an introspection endpoint so
>>> as to be able to understand things about it?
>>>
>>> I realize that might or might not be practical in some cases, but I
>>> haven’t heard that alternative discussed, so I thought I’d bring it up.
>>>
>>> I also second Phil’s comment that it would be good to understand the
>>> use cases that this is intended to solve before embarking on a
>>> particular solution path.
>>>
>>> -- Mike
>>>
>>> *From:*OAuth [mailto:oauth-bounces@ietf.org] *On Behalf Of *George
>>> Fletcher
>>> *Sent:* Tuesday, July 29, 2014 3:25 PM
>>> *To:* Phil Hunt; Thomas Broyer
>>> *Cc:* oauth@ietf.org
>>> *Subject:* Re: [OAUTH-WG] Confirmation: Call for Adoption of "OAuth
>>> Token Introspection" as an OAuth Working Group Item
>>>
>>> We also have a use case where the AS is provided by a partner and the
>>> RS is provided by AOL. Being able to have a standardized way of
>>> validating and getting data about the token from the AS would make
>>> our implementation much simpler as we can use the same mechanism for
>>> all Authorization Servers and not have to implement one off solutions
>>> for each AS.
>>>
>>> Thanks,
>>> George
>>>
>>> On 7/28/14, 8:11 PM, Phil Hunt wrote:
>>>
>>>     Could we have some discussion on the interop cases?
>>>
>>>     Is it driven by scenarios where AS and resource are separate
>>>     domains? Or may this be only of interest to specific protocols
>>>     like UMA?
>>>
>>>     From a technique principle, the draft is important and sound. I
>>>     am just not there yet on the reasons for an interoperable standard.
>>>
>>>     Phil
>>>
>>>
>>>     On Jul 28, 2014, at 17:00, Thomas Broyer <t.broyer@gmail.com
>>>     <mailto:t.broyer@gmail.com>> wrote:
>>>
>>>         Yes. This spec is of special interest to the platform we're
>>>         building for http://www.oasis-eu.org/
>>>
>>>         On Mon, Jul 28, 2014 at 7:33 PM, Hannes Tschofenig
>>>         <hannes.tschofenig@gmx.net
>>>         <mailto:hannes.tschofenig@gmx.net>> wrote:
>>>
>>>         Hi all,
>>>
>>>         during the IETF #90 OAuth WG meeting, there was strong
>>>         consensus in
>>>         adopting the "OAuth Token Introspection"
>>>         (draft-richer-oauth-introspection-06.txt) specification as an
>>>         OAuth WG
>>>         work item.
>>>
>>>         We would now like to verify the outcome of this call for
>>>         adoption on the
>>>         OAuth WG mailing list. Here is the link to the document:
>>>         http://datatracker.ietf.org/doc/draft-richer-oauth-introspection/
>>>
>>>         If you did not hum at the IETF 90 OAuth WG meeting, and have
>>>         an opinion
>>>         as to the suitability of adopting this document as a WG work
>>>         item,
>>>         please send mail to the OAuth WG list indicating your opinion
>>>         (Yes/No).
>>>
>>>         The confirmation call for adoption will last until August 10,
>>>         2014.  If
>>>         you have issues/edits/comments on the document, please send these
>>>         comments along to the list in your response to this Call for
>>>         Adoption.
>>>
>>>         Ciao
>>>         Hannes & Derek
>>>
>>>
>>>         _______________________________________________
>>>         OAuth mailing list
>>>         OAuth@ietf.org <mailto:OAuth@ietf.org>
>>>         https://www.ietf.org/mailman/listinfo/oauth
>>>
>>>
>>>
>>>         --
>>>         Thomas Broyer
>>>         /tɔ.ma.bʁwa.je/ <http://xn--nna.ma.xn--bwa-xxb.je/>
>>>
>>>         _______________________________________________
>>>         OAuth mailing list
>>>         OAuth@ietf.org <mailto:OAuth@ietf.org>
>>>         https://www.ietf.org/mailman/listinfo/oauth
>>>
>>>
>>>
>>>
>>>     _______________________________________________
>>>
>>>     OAuth mailing list
>>>
>>>     OAuth@ietf.org  <mailto:OAuth@ietf.org>
>>>
>>>     https://www.ietf.org/mailman/listinfo/oauth
>>>
>>>
>>>
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>>
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>