Re: [OAUTH-WG] Comments on draft-richer-oauth-introspection-04
Torsten Lodderstedt <torsten@lodderstedt.net> Fri, 25 October 2013 17:28 UTC
Return-Path: <torsten@lodderstedt.net>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EA92211E8201 for <oauth@ietfa.amsl.com>; Fri, 25 Oct 2013 10:28:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.248
X-Spam-Level:
X-Spam-Status: No, score=-2.248 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HELO_EQ_DE=0.35, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vN-u9hSgmBUG for <oauth@ietfa.amsl.com>; Fri, 25 Oct 2013 10:28:18 -0700 (PDT)
Received: from smtprelay02.ispgateway.de (smtprelay02.ispgateway.de [80.67.31.36]) by ietfa.amsl.com (Postfix) with ESMTP id 3FFC411E81B6 for <oauth@ietf.org>; Fri, 25 Oct 2013 10:28:18 -0700 (PDT)
Received: from [79.253.53.26] (helo=[192.168.71.44]) by smtprelay02.ispgateway.de with esmtpsa (TLSv1:AES256-SHA:256) (Exim 4.68) (envelope-from <torsten@lodderstedt.net>) id 1VZlBI-00015E-2q; Fri, 25 Oct 2013 19:28:16 +0200
Message-ID: <526AAA2F.5020705@lodderstedt.net>
Date: Fri, 25 Oct 2013 19:28:15 +0200
From: Torsten Lodderstedt <torsten@lodderstedt.net>
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:17.0) Gecko/20130801 Thunderbird/17.0.8
MIME-Version: 1.0
To: Thomas Broyer <t.broyer@gmail.com>
References: <CAEayHENijdeTVu9-OxsnrJEh0JQBrvQo0eKWSjFvXSLqwzVRWg@mail.gmail.com> <63692DF5-4616-4F53-B12E-518397CFEFB3@mitre.org> <CAEayHEMZdOY5G=A5nc_pA14gUcyNpbbeb-pVpo7Cf_yB70Mjjw@mail.gmail.com> <9adcccce-7c48-47b8-b9b8-77a4ce439254@email.android.com> <CAEayHEN5LoX70OObz2jj-7wmH4qqpSQmhiTbe4kwgwpEt4PMkQ@mail.gmail.com>
In-Reply-To: <CAEayHEN5LoX70OObz2jj-7wmH4qqpSQmhiTbe4kwgwpEt4PMkQ@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------030803060900010302010008"
X-Df-Sender: dG9yc3RlbkBsb2RkZXJzdGVkdC1vbmxpbmUuZGU=
Cc: "<oauth@ietf.org>" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Comments on draft-richer-oauth-introspection-04
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 25 Oct 2013 17:28:23 -0000
Am 25.10.2013 11:19, schrieb Thomas Broyer: > > > > On Thu, Oct 24, 2013 at 7:50 AM, Torsten Lodderstedt > <torsten@lodderstedt.net <mailto:torsten@lodderstedt.net>> wrote: > > Hi Thomas, > > we generate access tokens per resource server in order to mitigate > this and other risks. You must issue those tokens to different > audiences (resource server id) and the resource servers must > validate if the token is issued for its particular audience. > Otherwise a compromised resource server can still abuse the tokens. > > Talking about burden: You need to compare the effort needed to > obtain different access tokens to the effort needed to implement > proof of possession. > > > On our backlog is also support for "service accounts" (to use Google's > terminology), so clients will likely need to do some crypto-related > work. Asking them to do it for each and every request to sign the > access token might not be that I assume you mean signing the request or at least some request data. Just signing the access token won't help. > much of a problem (if they have the right tools; > google-oauth-java-client for instance does a great job making all of > this easier, and google-api-java-client adds service accounts support > with a just-as-easy-to-use API: > https://code.google.com/p/google-api-java-client/wiki/OAuth2#Service_Accounts; > same for PHP, Python, etc.) > That said, I'm rather new to crypto too, so I might be oversimplifying > things… > I'll check with the project manager and project owner which approach > we'd use (we could also support both…) > > I recommend you to take a look into the OAuth threat model for a > discussion of this threat ( > http://tools.ietf.org/html/rfc6819#section-4.6.4). > > > Thanks for the pointer. I had already read that RFC but somehow forgot > about some details, and failed to check it back for that particular > problem. > > > -- > Thomas Broyer > /tɔ.ma.bʁwa.je/ <http://xn--nna.ma.xn--bwa-xxb.je/>
- [OAUTH-WG] Comments on draft-richer-oauth-introsp… Thomas Broyer
- Re: [OAUTH-WG] Comments on draft-richer-oauth-int… Eve Maler
- Re: [OAUTH-WG] Comments on draft-richer-oauth-int… Richer, Justin P.
- Re: [OAUTH-WG] Comments on draft-richer-oauth-int… Thomas Broyer
- Re: [OAUTH-WG] Comments on draft-richer-oauth-int… Thomas Broyer
- Re: [OAUTH-WG] Comments on draft-richer-oauth-int… Torsten Lodderstedt
- Re: [OAUTH-WG] Comments on draft-richer-oauth-int… Richer, Justin P.
- Re: [OAUTH-WG] Comments on draft-richer-oauth-int… Thomas Broyer
- Re: [OAUTH-WG] Comments on draft-richer-oauth-int… Thomas Broyer
- Re: [OAUTH-WG] Comments on draft-richer-oauth-int… Torsten Lodderstedt
- Re: [OAUTH-WG] Comments on draft-richer-oauth-int… Thomas Broyer
- Re: [OAUTH-WG] Comments on draft-richer-oauth-int… Richer, Justin P.
- Re: [OAUTH-WG] Comments on draft-richer-oauth-int… Thomas Broyer
- Re: [OAUTH-WG] Comments on draft-richer-oauth-int… Justin Richer