Re: [OAUTH-WG] Delegation -- RE: SAML profile comments/questions from the SAML people
Justin Richer <jricher@mitre.org> Wed, 08 September 2010 16:45 UTC
Return-Path: <jricher@mitre.org>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 5F4153A6873 for <oauth@core3.amsl.com>; Wed, 8 Sep 2010 09:45:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.506
X-Spam-Level:
X-Spam-Status: No, score=-6.506 tagged_above=-999 required=5 tests=[AWL=0.093, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vB8ndxapdrvA for <oauth@core3.amsl.com>; Wed, 8 Sep 2010 09:45:25 -0700 (PDT)
Received: from smtp-bedford.mitre.org (smtp-bedford.mitre.org [129.83.20.191]) by core3.amsl.com (Postfix) with ESMTP id B5A7A3A688E for <oauth@ietf.org>; Wed, 8 Sep 2010 09:45:17 -0700 (PDT)
Received: from smtp-bedford.mitre.org (localhost.localdomain [127.0.0.1]) by smtp-bedford.mitre.org (8.13.1/8.13.1) with ESMTP id o88Gji0P002594 for <oauth@ietf.org>; Wed, 8 Sep 2010 12:45:44 -0400
Received: from imchub1.MITRE.ORG (imchub1.mitre.org [129.83.29.73]) by smtp-bedford.mitre.org (8.13.1/8.13.1) with ESMTP id o88GjiTO002589; Wed, 8 Sep 2010 12:45:44 -0400
Received: from [129.83.50.65] (129.83.50.65) by imchub1.MITRE.ORG (129.83.29.73) with Microsoft SMTP Server id 8.2.254.0; Wed, 8 Sep 2010 12:45:43 -0400
From: Justin Richer <jricher@mitre.org>
To: "Zeltsan, Zachary (Zachary)" <zachary.zeltsan@alcatel-lucent.com>
In-Reply-To: <5710F82C0E73B04FA559560098BF95B124FB2333D2@USNAVSXCHMBSA3.ndc.alcatel-lucent.com>
References: <DADD7EAD88AB484D8CCC328D40214CCD01C253AA42@EXPO10.exchange.mit.edu> <4C86A248.20501@alcatel-lucent.com> <5710F82C0E73B04FA559560098BF95B124FB2333D2@USNAVSXCHMBSA3.ndc.alcatel-lucent.com>
Content-Type: text/plain; charset="UTF-8"
Date: Wed, 08 Sep 2010 12:45:43 -0400
Message-ID: <1283964343.3809.318.camel@localhost.localdomain>
MIME-Version: 1.0
X-Mailer: Evolution 2.28.3
Content-Transfer-Encoding: 7bit
Cc: Thomas Hardjono <hardjono@MIT.EDU>, oauth <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Delegation -- RE: SAML profile comments/questions from the SAML people
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 08 Sep 2010 16:45:26 -0000
I've looked over this draft, and I don't think a lot of it is necessary under OAuth2.0. The protected resource no longer has any kind of client_id associated with it, so a client can take an access token and hand it off to any other client to use without any other information needed. To support this behavior, I can see two main things missing from the current OAuth2 spec: 1) The ability of the already-authorized client to ask for a new token for the purposes of handing off to another client, without bugging the user. This was the impetus for the re-scoping discussion on the list. Seems like we can use an assertion profile that uses the refresh or access token on the token 2) A mechanism for handing the token off between clients. At the very least, this could always happen out-of-band, but for some kinds of clients (both web servers, for example) we could define a way to request and hand off the credentials acquired in step 1 to the delegated client. -- Justin On Tue, 2010-09-07 at 17:15 -0400, Zeltsan, Zachary (Zachary) wrote: > Igor, > > The intention of the draft draft-vrancken-oauth-redelegation was to specify a mechanism for doing exactly what Thomas has described: > > ... User#1/Client#1 asks for > > an access token (to a given resource) with the > > intention of later handing over the access-token to > > a different User#2/Client#2 > The mechanism is design to support also the situation where > > User#2/Client#2 asks the Auth Server to "swap" (re-issue) > > this token for a different client_id (User#3/Client#3) > > The difference is that the mechanism of the draft-vrancken-oauth-redelegation relies on the "temporary credentials" and "token credentials", which were used in OAuth 1.0, and not on the access tokens. > > Zachary > -----Original Message----- > From: Igor Faynberg [mailto:igor.faynberg@alcatel-lucent.com] > Sent: Tuesday, September 07, 2010 4:36 PM > To: Thomas Hardjono; Zeltsan, Zachary (Zachary) > Cc: Brian Campbell; oauth > Subject: Re: [OAUTH-WG] Delegation -- RE: SAML profile comments/questions from the SAML people > > Thomas, > > It looks to me like the intention in this use case is similar to that of > the "multilegged OAuth" (later renamed to the politically-correct > "recursive delegation"). This use case has been published in Bart's and > Zachary's draft. which has expired now. This case has moved into the > overall use case compilation document. > > Zachary, maybe you could shed some light here? > > Igor > > Thomas Hardjono wrote: > > __________________________________________ > > > > > >> -... > > > > What I meant to say is that User#1/Client#1 asks for > > an access token (to a given resource) with the > > intention of later handing over the access-token to > > a different User#2/Client#2. > > > > Ideally, this model could be extensible where > > User#2/Client#2 asks the Auth Server to "swap" (re-issue) > > this token for a different client_id (User#3/Client#3). > > > > However, this bring us into space of role based access > > control and permissions, which would somewhat complicate > > the Oauth 2.0 authorization model :) > > > > /thomas/ > > > > > > > > > > _______________________________________________ > > OAuth mailing list > > OAuth@ietf.org > > https://www.ietf.org/mailman/listinfo/oauth > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth
- [OAUTH-WG] Delegation -- RE: SAML profile comment… Thomas Hardjono
- Re: [OAUTH-WG] Delegation -- RE: SAML profile com… Igor Faynberg
- Re: [OAUTH-WG] Delegation -- RE: SAML profile com… Zeltsan, Zachary (Zachary)
- Re: [OAUTH-WG] Delegation -- RE: SAML profile com… Justin Richer
- Re: [OAUTH-WG] Delegation -- RE: SAML profile com… Igor Faynberg
- Re: [OAUTH-WG] Delegation -- RE: SAML profile com… Thomas Hardjono
- Re: [OAUTH-WG] Delegation -- RE: SAML profile com… Zeltsan, Zachary (Zachary)
- Re: [OAUTH-WG] Delegation -- RE: SAML profile com… Thomas Hardjono