Re: [OAUTH-WG] Last Call: <draft-ietf-oauth-token-exchange-14.txt> (OAuth 2.0 Token Exchange) to Proposed Standard
Hans Zandbelt <hans.zandbelt@zmartzone.eu> Sun, 26 August 2018 15:00 UTC
From: Hans Zandbelt <hans.zandbelt@zmartzone.eu>
Date: Sun, 26 Aug 2018 17:00:18 +0200
Message-ID: <CA+iA6ugcGiiN9maS+cp0oTxeh1v+udBg2UYa1qv_f76usNgh+w@mail.gmail.com>
To: draft-ietf-oauth-token-exchange@ietf.org, "oauth@ietf.org" <oauth@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/N0Yjm1apI1HangKMiMCYk2zdU-s>
Hi all (and Brian :-)),

Whilst implementing the client side of OAuth 2.0 Token Exchange in an Apache module I ran into some questions wrt. authentication to the token exchange endpoint as specified in section 2.1:
https://tools.ietf.org/html/draft-ietf-oauth-token-exchange-14#section-2.1

1. the spec talks about "client" but it does not explicitly state that a token exchange client is in fact an OAuth 2.0 Client; IMHO this is done only implicitly, since section 2.1 does refer to OAuth 2.0 client authentication methods (alternatively, if the spec editors believe that a token exchange client is different from a "classic" OAuth 2.0 Client, that should be made explicit)

2. the spec leaves it open as to whether the client is actually forced to authenticate (it is up to the authorization server's discretion); yet it is not clear - in that case - whether or not a client_id should be added to the token request (as in OAuth 2.0 token requests); alternatively one may argue that token exchange for public clients makes no sense - I think I favor that - because it makes it impossible to distinguish between the presenter of the original token and the token exchange client

Any comments on that?

Hans.

On Mon, Jul 23, 2018 at 3:22 PM The IESG <iesg-secretary@ietf.org> wrote:
>
> The IESG has received a request from the Web Authorization Protocol WG
> (oauth) to consider the following document: - 'OAuth 2.0 Token Exchange'
> <draft-ietf-oauth-token-exchange-14.txt> as Proposed Standard
>
> The IESG plans to make a decision in the next few weeks, and solicits final
> comments on this action. Please send substantive comments to the
> ietf@ietf.org mailing lists by 2018-08-06. Exceptionally, comments may be
> sent to iesg@ietf.org instead. In either case, please retain the
> beginning of the Subject line to allow automated sorting.
>
> Abstract
>
> This specification defines a protocol for an HTTP- and JSON- based
> Security Token Service (STS) by defining how to request and obtain
> security tokens from OAuth 2.0 authorization servers, including
> security tokens employing impersonation and delegation.
>
> The file can be obtained via
> https://datatracker.ietf.org/doc/draft-ietf-oauth-token-exchange/
>
> IESG discussion can be tracked via
> https://datatracker.ietf.org/doc/draft-ietf-oauth-token-exchange/ballot/
>
> No IPR declarations have been submitted directly on this I-D.

--
hans.zandbelt@zmartzone.eu
ZmartZone IAM - www.zmartzone.eu
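An added example (not code from the draft, from the thread, or from Hans's Apache module) that makes point 2 above concrete from the authorization server's side: a confidential client authenticates to the token exchange endpoint with client_secret_basic (RFC 6749 section 2.3.1), whereas a public client can only assert a client_id in the form body, which the server cannot verify. The request parameters and the grant type / token type URNs are those of draft section 2.1; the client registry, client identifiers, secrets and the require_client_auth policy switch are this example's own constructions (the draft leaves the decision to the authorization server).

```python
"""Client authentication at the OAuth 2.0 Token Exchange endpoint.

Added example, not code from the draft or from the mailing list thread.
Builds the token-exchange request a client would POST and shows, from the
authorization server's (AS) side, what it can and cannot establish about the
caller. Registry contents, client identifiers and secrets are constructed.
"""
import base64
import hmac
from urllib.parse import parse_qs, urlencode

GRANT_TYPE = "urn:ietf:params:oauth:grant-type:token-exchange"
ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token"

# Constructed client registry; in practice this is AS configuration (assumption).
CLIENTS = {
    "apache-gateway": {"secret": "s3cr3t-gateway", "confidential": True},
    "spa-public": {"secret": None, "confidential": False},
}


def build_request(subject_token, client_id, client_secret=None, audience=None):
    """Return (headers, body) for a token-exchange request (draft section 2.1).

    A confidential client authenticates with client_secret_basic; a public
    client can only put client_id in the body (RFC 6749 section 3.2.1).
    Identifiers here are plain ASCII, so the form-encoding step that
    RFC 6749 section 2.3.1 requires before base64 is a no-op.
    """
    form = {
        "grant_type": GRANT_TYPE,
        "subject_token": subject_token,
        "subject_token_type": ACCESS_TOKEN_TYPE,
    }
    if audience:
        form["audience"] = audience
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if client_secret is not None:
        creds = f"{client_id}:{client_secret}".encode()
        headers["Authorization"] = "Basic " + base64.b64encode(creds).decode()
    else:
        form["client_id"] = client_id
    return headers, urlencode(form)


def handle_exchange(headers, body, require_client_auth=True):
    """AS-side view: which client requested the exchange, and was that verified?

    require_client_auth is this example's policy switch (assumption): when True,
    requests without verifiable client credentials are refused outright.
    """
    params = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    if params.get("grant_type") != GRANT_TYPE:
        return {"error": "unsupported_grant_type"}
    if "subject_token" not in params or "subject_token_type" not in params:
        return {"error": "invalid_request"}

    auth = headers.get("Authorization", "")
    if auth.startswith("Basic "):
        try:
            cid, secret = base64.b64decode(auth[6:]).decode().split(":", 1)
        except (ValueError, UnicodeDecodeError):
            return {"error": "invalid_client"}
        client = CLIENTS.get(cid)
        if (
            client is None
            or not client["confidential"]
            or not hmac.compare_digest(secret, client["secret"])
        ):
            return {"error": "invalid_client"}
        # Verified: the AS knows which party is performing the exchange.
        return {"client_id": cid, "client_authenticated": True}

    # No credentials: at best an unverified client_id assertion. The AS cannot
    # tell the presenter of the subject token apart from the exchanging party.
    if require_client_auth:
        return {"error": "invalid_client"}
    cid = params.get("client_id")
    if cid in CLIENTS and not CLIENTS[cid]["confidential"]:
        return {"client_id": cid, "client_authenticated": False}
    return {"error": "invalid_client"}


if __name__ == "__main__":
    hdrs, body = build_request("eyJ...subject", "apache-gateway", "s3cr3t-gateway",
                               audience="https://api.example.com")
    print(handle_exchange(hdrs, body))
    hdrs, body = build_request("eyJ...subject", "spa-public")
    print(handle_exchange(hdrs, body, require_client_auth=False))
    print(handle_exchange(hdrs, body))
```

The last two calls show the two readings of point 2: with require_client_auth=False the server records "spa-public" but can only mark it as unverified, so the resulting token's actor would rest on a self-asserted identity; with the default policy the same request is rejected, which is the "no token exchange for public clients" position.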