IETF Logo Mail Archive

Re: [OAUTH-WG] Oauth Server to Server

Antonio Sanso <asanso@adobe.com> Fri, 27 September 2013 08:56 UTC

Return-Path: <asanso@adobe.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 69FC011E8133 for <oauth@ietfa.amsl.com>; Fri, 27 Sep 2013 01:56:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.669
X-Spam-Level:
X-Spam-Status: No, score=-4.669 tagged_above=-999 required=5 tests=[AWL=-0.526, BAYES_00=-2.599, FRT_ADOBE2=2.455, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5VqehdkrsL07 for <oauth@ietfa.amsl.com>; Fri, 27 Sep 2013 01:56:03 -0700 (PDT)
Received: from exprod6og103.obsmtp.com (exprod6og103.obsmtp.com [64.18.1.185]) by ietfa.amsl.com (Postfix) with ESMTP id A7F9A21F967F for <oauth@ietf.org>; Fri, 27 Sep 2013 01:55:59 -0700 (PDT)
Received: from outbound-smtp-2.corp.adobe.com ([193.104.215.16]) by exprod6ob103.postini.com ([64.18.5.12]) with SMTP ID DSNKUkVIHw1PrNpTNYsgTUHtf4Vvar8DhJoD@postini.com; Fri, 27 Sep 2013 01:56:02 PDT
Received: from inner-relay-1.corp.adobe.com (ms-exchange.macromedia.com [153.32.1.51]) by outbound-smtp-2.corp.adobe.com (8.12.10/8.12.10) with ESMTP id r8R8tv49007103; Fri, 27 Sep 2013 01:55:58 -0700 (PDT)
Received: from nahub01.corp.adobe.com (nahub01.corp.adobe.com [10.8.189.97]) by inner-relay-1.corp.adobe.com (8.12.10/8.12.10) with ESMTP id r8R8tu6A023235; Fri, 27 Sep 2013 01:55:57 -0700 (PDT)
Received: from SJ1GWM332.corp.adobe.com (10.5.79.97) by nahub01.corp.adobe.com (10.8.189.97) with Microsoft SMTP Server (TLS) id 8.3.327.1; Fri, 27 Sep 2013 01:55:56 -0700
Received: from eurcas01.eur.adobe.com (10.128.4.27) by SJ1GWM332.corp.adobe.com (10.5.79.97) with Microsoft SMTP Server (TLS) id 14.3.158.1; Fri, 27 Sep 2013 01:55:56 -0700
Received: from [10.132.1.66] (10.132.1.66) by eurcas01.eur.adobe.com (10.128.4.111) with Microsoft SMTP Server id 8.3.327.1; Fri, 27 Sep 2013 09:55:53 +0100
Content-Type: multipart/alternative; boundary="Apple-Mail=_B916AFED-B615-4A8E-8F95-C53E1731236A"
MIME-Version: 1.0 (Mac OS X Mail 6.6 \(1510\))
From: Antonio Sanso <asanso@adobe.com>
In-Reply-To: <CA+wnMn-pbCFoaXqdhE2oJY3Db14ViroN7_axmnsR+D7_yYqEkQ@mail.gmail.com>
Date: Fri, 27 Sep 2013 10:55:48 +0200
Message-ID: <067007A7-1CDD-4623-B23F-CAF0BE5A21C9@adobe.com>
References: <832FA2A6-D0DD-45D0-9107-7EE02B6793B7@adobe.com> <CA+k3eCSVwT15wBwuCZNy1EuiVOSwVg+TThVvWnbwZ1wHVvfA-A@mail.gmail.com> <7558541E-3517-4F71-A049-6143D4247738@adobe.com> <1510634430014420341@unknownmsgid> <4AEF7FF7-06A2-4A2E-92D4-B18DDBC07B21@adobe.com> <CA+wnMn8gV-eZtQNvQ4-EPXS8-M2Jn1mpkLgUJ4NHB4BHYEyLZw@mail.gmail.com> <EDA1F2F2-875B-4A6C-9330-383F903C4471@adobe.com> <CA+wnMn-pbCFoaXqdhE2oJY3Db14ViroN7_axmnsR+D7_yYqEkQ@mail.gmail.com>
To: Chuck Mortimore <cmortimore@salesforce.com>
X-Mailer: Apple Mail (2.1510)
Cc: "oauth@ietf.org WG" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Oauth Server to Server
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 27 Sep 2013 08:56:08 -0000

Thanks Chuck

On Sep 24, 2013, at 6:56 PM, Chuck Mortimore <cmortimore@salesforce.com> wrote:

> Open to how it can be improved.   What information do you think would be helpful?   ( we may be too close to the situation to know what's missing )

I am reading carefully the 2 specs now (assertion and JWT bearer) and will try to provide my feedback :)

A couple of (early) consideration so far:

- in order for somebody to easily achieve/understand what is clearly described in http://login.salesforce.com/help/doc/en/remoteaccess_oauth_jwt_flow.htm only reading the IETF materials is needed to read 3 specs (OAuth Core, Assertion spec and JWT bearer). IT would be nice for example if the JWT bearer spec would add some more hands on example (I do not know if it is possible though)
- The assertion spec (http://tools.ietf.org/html/draft-ietf-oauth-assertions-12) contains terms like and include those terms in the flow charts as Relying party , Token Service that I know are really common in the Identity jargon (or Open ID Connect specs) but this nomenclature doesn't match with the OAuth core specs (namely RFC 6749)

just my 0.02 $ so far (more to come)

regards

antonio

> 
> 
> On Tue, Sep 24, 2013 at 11:38 AM, Antonio Sanso <asanso@adobe.com> wrote:
> Hi Chuck,
> 
> On Sep 24, 2013, at 6:56 PM, Chuck Mortimore <cmortimore@salesforce.com> wrote:
> 
>> What you're describing is exactly what the JWT bearer flow specs out
>> 
>> http://tools.ietf.org/html/draft-ietf-oauth-jwt-bearer 
>> 
>> We've got the exact same flow, and there are other implementations out there.   http://login.salesforce.com/help/doc/en/remoteaccess_oauth_jwt_flow.htm
> 
> 
> thanks this is indeed the same :) What it looks to me though is that the information contained in the second link you shared (http://login.salesforce.com/help/doc/en/remoteaccess_oauth_jwt_flow.htm) are complementary to the jet bearer spec draft.
> 
> People that will only read that spec would need to figure out all on their own . Is there any chance the oauth bearer draft will cover the actual use case as well or it would be too much ?
> 
> Regards
> 
> Antonio
> 
>> 
>> 
>> On Tue, Sep 24, 2013 at 8:17 AM, Antonio Sanso <asanso@adobe.com> wrote:
>> Hi chuck,
>> 
>> 
>> On Sep 24, 2013, at 4:57 PM, Chuck Mortimore <cmortimore@salesforce.com> wrote:
>> 
>>> I'm not sure I understand your point here.   I don't believe there is anything custom or special about the google implementation here vs JWT.   It looks identical to our implementation.  
>>> 
>>> Can you elaborate?
>> 
>> sure.
>> 
>> What is novel IMHO in the Google approach is not the bearer format , that is still JWT (or JWS in this case) but the overall scenario.
>> 
>> As I see OAuth 2 is really good to cover use cases where there is human interaction (so an user namely the resource owner can provider username and password to the AS but not to the client and get back the Bearer Token).
>> This is obviously covered from [2] and [3] namely Authorization Code Grant and Implicit grant flow.
>> 
>> When there is not human interaction involved what RFC6749 offers is the already cited Resource Owner Password Credentials Grant that IMHO is a no go since it required the resource owner to share his password with the client.
>> 
>> The way as Google offers to solve the same situation (namely obtain , or create in this case, a bearer token without having the resource owner password) is using asymmetric cryptography. What is happening is that quoting
>> 
>> "During the creation of a Service Account, you will be prompted to download a private key. Be sure to save this private key in a secure location. After the Service Account has been created, you will also have access to the client_id associated with the private key."
>> 
>> An alternative mentioned from John Bradley previously is that clients can securely generate key pairs but in terms of security would be identical.
>> 
>> I hope is a bit clearer now  :)
>> 
>> regards
>> 
>> antonio
>> 
>> 
>> [2] http://tools.ietf.org/html/rfc6749#section-4.1
>> [3] http://tools.ietf.org/html/rfc6749#section-4.2
>> 
>>> 
>>> - cmort
>>> 
>>> On Sep 24, 2013, at 5:57 AM, Antonio Sanso <asanso@adobe.com> wrote:
>>> 
>>>> Hi Brian,
>>>> 
>>>> thanks a lot for your pointer.
>>>> 
>>>> What the custom Google flow provides more than the oauth jwt bearer draft is IMHO an explicit way to build JWT without any 'human interaction' so a server can handle the construction of an expired JWT bearer token on his own.
>>>> 
>>>> This can of course be figured out by any implementer (as the Google folks obviously did) but it would be nice to provide this black on white on a spec IMHO
>>>> 
>>>> regards
>>>> 
>>>> Antonio
>>>> 
>>>> 
>>>> On Sep 24, 2013, at 2:35 PM, Brian Campbell <bcampbell@pingidentity.com> wrote:
>>>> 
>>>>> Might this http://tools.ietf.org/html/draft-ietf-oauth-jwt-bearer be what you're looking for?
>>>>> 
>>>>> 
>>>>> On Tue, Sep 24, 2013 at 6:08 AM, Antonio Sanso <asanso@adobe.com> wrote:
>>>>> Hi *,
>>>>> 
>>>>> apologis to be back to this argument :).
>>>>> 
>>>>> Let me try to better explain one use case that IMHO would be really good to have in the OAuth specification family :)
>>>>> 
>>>>> At the moment the only "OAuth standard" way I know to do OAuth server to server is to use [0] namely Resource Owner Password Credentials Grant.
>>>>> 
>>>>> Let me tell I am not a big fun of this particular flow :) (but this is another story).
>>>>> 
>>>>> An arguable better way to solve this scenario is to user (and why not to standardise :S?) the method used by Google (or a variant of it) see [1].
>>>>> 
>>>>> Couple of more things:
>>>>> 
>>>>> - I do not know if Google would be interested to put some effort to standardise it (is anybody from Google lurking :) e.g.Tim Bray :D )
>>>>> - I am not too familiar with IETF process. Would the OAuth WG take in consideration such proposal draft??
>>>>> 
>>>>> Thanks and regards
>>>>> 
>>>>> Antonio
>>>>> 
>>>>> [0] http://tools.ietf.org/html/rfc6749#section-4.3
>>>>> [1] https://developers.google.com/accounts/docs/OAuth2ServiceAccount
>>>>> _______________________________________________
>>>>> OAuth mailing list
>>>>> OAuth@ietf.org
>>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>>> 
>>>> 
>>>> _______________________________________________
>>>> OAuth mailing list
>>>> OAuth@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/oauth
>> 
>> 
> 
>

v2.23.0 | Report a Bug | By Email