Re: [OAUTH-WG] Signatures...what are we trying to solve?
George Fletcher <gffletch@aol.com> Tue, 28 September 2010 15:38 UTC
Return-Path: <gffletch@aol.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id A57DE3A6D24 for <oauth@core3.amsl.com>; Tue, 28 Sep 2010 08:38:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.669
X-Spam-Level:
X-Spam-Status: No, score=-1.669 tagged_above=-999 required=5 tests=[AWL=0.929, BAYES_00=-2.599, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mb+R4ai2Jfqi for <oauth@core3.amsl.com>; Tue, 28 Sep 2010 08:38:03 -0700 (PDT)
Received: from imr-mb01.mx.aol.com (imr-mb01.mx.aol.com [64.12.207.164]) by core3.amsl.com (Postfix) with ESMTP id C9BF03A6953 for <oauth@ietf.org>; Tue, 28 Sep 2010 08:38:02 -0700 (PDT)
Received: from mtaout-da04.r1000.mx.aol.com (mtaout-da04.r1000.mx.aol.com [172.29.51.132]) by imr-mb01.mx.aol.com (8.14.1/8.14.1) with ESMTP id o8SFcZjI017898; Tue, 28 Sep 2010 11:38:35 -0400
Received: from palantir.local (unknown [10.181.183.128]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) by mtaout-da04.r1000.mx.aol.com (MUA/Third Party Client Interface) with ESMTPSA id 9FEC0E0000AF; Tue, 28 Sep 2010 11:38:35 -0400 (EDT)
Message-ID: <4CA20BFC.90704@aol.com>
Date: Tue, 28 Sep 2010 11:38:36 -0400
From: George Fletcher <gffletch@aol.com>
Organization: AOL LLC
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.9) Gecko/20100915 Thunderbird/3.1.4
MIME-Version: 1.0
To: OAuth WG <oauth@ietf.org>
References: <AANLkTimERshG-ndU8_uc0NJhx6ree6d8kxYj=EVeHpmA@mail.gmail.com>
In-Reply-To: <AANLkTimERshG-ndU8_uc0NJhx6ree6d8kxYj=EVeHpmA@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------030002080708040809080202"
x-aol-global-disposition: G
X-AOL-SCOLL-SCORE: 0:2:414250016:93952408
X-AOL-SCOLL-URL_COUNT: 0
x-aol-sid: 3039ac1d33844ca20bfb0760
X-AOL-IP: 10.181.183.128
Subject: Re: [OAUTH-WG] Signatures...what are we trying to solve?
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 28 Sep 2010 15:38:04 -0000
I think of the signature issues as falling into two classes... I think they map to your classification as well... * *Signing tokens* is important for interoperability especially looking forward to a time when tokens issued by multiple Authorization Servers are accepted at a given host. * *Signing messages* is important because it provides a mechanism to ensure that the entity making the API call (and presenting an access token) is really the entity that is allowed to make the API call. Signing messages applies to the re-delegation use cases. I've heard the need for this class of use cases from both the hData (health data) community as well as the user managed access (UMA) community. Signing tokens covers both your second class of tokens as well as another use case that Eran has mentioned as well. Namely, a protected resource server honoring tokens from multiple Authorization Servers. These are the two classes of use cases that I'd like to see solved. Thanks, George On 9/28/10 12:58 AM, David Recordon wrote: > If you know me then you'll know that I'm generally one of the last > people to talk about Alice and Bob. That said, there are a lot of > technical proposals flying across the list with very little shared > understanding of the problem(s) we're trying to solve. > > From what I've seen there are two distinct classes of signature use cases. > 1) The first is where the HTTP request parameters must be part of the > signature. An example is any OAuth 1.0a style API where you want to > make sure that the HTTP POST your server just received isn't > masquerading itself as a GET. > 2) The second is where the HTTP request is orthogonal. An example > is OpenSocial where the server is sending state information to the > client such as what user is currently logged in. > > The main practical example I have of the first use case is what > Twitter wants to do with redelegation. In this case TweetDeck can't > given TwitPic it's own bearer token, but needs to sign the POST > request and pass that signature to TwitPic for it to include in the > final API request to Twitter. > > In terms of signing protected resource requests, I haven't heard > anyone bring up specific and detailed needs for this recently. > > JSON tokens pretty clearly make sense for the second class of > signature use cases and it's actually a bit hard to argue why they > would be a part of OAuth. Facebook shipped this a bit over a month ago > for canvas applications. We include a `signed_request` parameter which > is signature.base64url(JSON). Parsing it is 18 lines of PHP. > http://developers.facebook.com/docs/authentication/canvas > > This second class of use case will also be required by OpenID Connect > where the server is signing identity information and sending it to the > client. I imagine that OpenSocial will also still have it and wish to > continue relying on public key algorithms. > > So a few questions: > * Do we want to tackle both of these classes of signatures in OAuth? > * Why do you consider the second class part of OAuth versus something > completely separate that might happen to include an OAuth access token? > * Is the Twitter redelegation use case the right focus for the first > class? > * Is there an example of an OAuth 2.0 server that can't use bearer > tokens for protected resource requests and thus requires signatures? > > Thanks, > --David > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth
- [OAUTH-WG] Signatures...what are we trying to sol… David Recordon
- Re: [OAUTH-WG] Signatures...what are we trying to… George Fletcher
- Re: [OAUTH-WG] Signatures...what are we trying to… Zeltsan, Zachary (Zachary)
- Re: [OAUTH-WG] Signatures...what are we trying to… William Mills
- Re: [OAUTH-WG] Signatures...what are we trying to… George Fletcher
- [OAUTH-WG] Signatures don't solve that problem (w… Freeman, Tim
- Re: [OAUTH-WG] Signatures don't solve that proble… George Fletcher
- Re: [OAUTH-WG] Signatures don't solve that proble… Igor Faynberg
- Re: [OAUTH-WG] Signatures don't solve that proble… Zeltsan, Zachary (Zachary)
- Re: [OAUTH-WG] Signatures don't solve that proble… Freeman, Tim
- Re: [OAUTH-WG] Signatures...what are we trying to… Prateek Mishra
- Re: [OAUTH-WG] Signatures...what are we trying to… George Fletcher
- Re: [OAUTH-WG] Signatures...what are we trying to… Freeman, Tim