[OAUTH-WG] OAuth 2.0 Token Exchange: An STS for the REST of Us

Mike Jones <Michael.Jones@microsoft.com> Mon, 14 December 2015 08:05 UTC


I'm happy to report that a substantially revised OAuth 2.0 Token Exchange draft has been published that enables a broad range of use cases, while still remaining as simple as possible.  This draft unifies the approaches taken in the previous working group draft and draft-campbell-oauth-sts, incorporating working group input from the in-person discussions in Prague and mailing list discussions.  Thanks to all for your interest in and contributions to OAuth Token Exchange!  Brian Campbell deserves special recognition for doing much of the editing heavy lifting for this draft.

The core functionality remains token type independent.  That said, new claims are also defined to enable representation of delegation actors in JSON Web Tokens (JWTs).  Equivalent claims could be defined for other token types by other specifications.

See the Document History section for a summary of the changes made.  Please check it out!

The specification is available at:

* http://tools.ietf.org/html/draft-ietf-oauth-token-exchange-03

An HTML-formatted version is also available at:

* http://self-issued.info/docs/draft-ietf-oauth-token-exchange-03.html

-- Mike

P.S.  This note was also posted at http://self-issued.info/?p=1509 and as @selfissued (https://twitter.com/selfissued).
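As an added example (not the draft's own code and not part of the announcement above), the following shows what the delegation the note mentions looks like on the wire and in a token: a client builds a token endpoint request carrying a subject token plus an actor token, the authorization server validates the request's shape, and a resource server walks the nested actor claim in the issued JWT and checks every actor against a list of services it trusts. Parameter names, the grant type and token type URNs, and the `act` claim follow the later RFC 8693 form of this specification (assumption: the draft-03 wording may differ); the tokens, issuers and subjects are constructed sample values.

```python
"""Token Exchange delegation walkthrough (added illustration, not the draft's code).

Parameter and claim names follow the RFC 8693 form of the Token Exchange
spec (assumption: draft-03 may differ); all tokens, issuers and subjects
below are constructed sample values.
"""
from urllib.parse import parse_qs, urlencode

# Grant type and token type URNs registered by the Token Exchange spec.
GRANT_TYPE_TOKEN_EXCHANGE = "urn:ietf:params:oauth:grant-type:token-exchange"
TOKEN_TYPE_JWT = "urn:ietf:params:oauth:token-type:jwt"

# Constructed sample: decoded payload of a JWT issued after a delegation
# exchange. "sub" is the end user; the outermost "act" is the party currently
# acting on the user's behalf and each nested "act" is an earlier actor.
DELEGATED_CLAIMS = {
    "iss": "https://as.example.test",
    "sub": "user@example.test",
    "aud": "https://api.example.test",
    "act": {
        "sub": "https://gateway.example.test",
        "act": {"sub": "https://frontend.example.test"},
    },
}


def build_exchange_request(subject_token, actor_token=None,
                           requested_token_type=TOKEN_TYPE_JWT):
    """Return the form-encoded body a client posts to the token endpoint.

    subject_token identifies the user; actor_token (optional) identifies the
    service that wants to act on the user's behalf (delegation).
    """
    params = {
        "grant_type": GRANT_TYPE_TOKEN_EXCHANGE,
        "subject_token": subject_token,
        "subject_token_type": TOKEN_TYPE_JWT,
        "requested_token_type": requested_token_type,
    }
    if actor_token is not None:
        params["actor_token"] = actor_token
        params["actor_token_type"] = TOKEN_TYPE_JWT
    return urlencode(params)


def parse_exchange_request(body):
    """Decode a form body into a dict; repeated parameters are rejected."""
    form = {}
    for key, values in parse_qs(body, strict_parsing=True).items():
        if len(values) != 1:
            raise ValueError("duplicate parameter: %s" % key)
        form[key] = values[0]
    return form


def exchange_request_errors(form):
    """Return protocol-level problems with a parsed request ([] means OK)."""
    errors = []
    if form.get("grant_type") != GRANT_TYPE_TOKEN_EXCHANGE:
        errors.append("grant_type is not token-exchange")
    for name in ("subject_token", "subject_token_type"):
        if not form.get(name):
            errors.append("missing %s" % name)
    # actor_token and actor_token_type must appear together or not at all.
    if ("actor_token" in form) != ("actor_token_type" in form):
        errors.append("actor_token and actor_token_type must be given together")
    return errors


def delegation_chain(claims):
    """Walk nested "act" claims: [subject, current actor, earlier actor, ...]."""
    chain = [claims["sub"]]
    node = claims.get("act")
    while node is not None:
        chain.append(node["sub"])
        node = node.get("act")
    return chain


def check_delegation(claims, allowed_actors, max_depth=2):
    """Resource-server check: every actor in the chain must be a known service
    and the chain must not be longer than the deployment permits."""
    actors = delegation_chain(claims)[1:]
    if len(actors) > max_depth:
        return False
    return all(actor in allowed_actors for actor in actors)
```

The resource-server side is the part worth copying: a token whose `act` chain names an unknown service, or whose chain is deeper than the deployment expects, is rejected even though the token itself is valid, which keeps delegation from silently widening beyond the services that were meant to take part.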