IETF Logo Mail Archive

Re: [OAUTH-WG] Partially standardized format for access tokens?

Andrew Arnott <andrewarnott@gmail.com> Mon, 07 June 2010 17:19 UTC

Return-Path: <andrewarnott@gmail.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 5F4363A6E38 for <oauth@core3.amsl.com>; Mon, 7 Jun 2010 10:19:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.298
X-Spam-Level:
X-Spam-Status: No, score=-1.298 tagged_above=-999 required=5 tests=[AWL=-1.300, BAYES_50=0.001, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id J0yHE7PK32zH for <oauth@core3.amsl.com>; Mon, 7 Jun 2010 10:19:30 -0700 (PDT)
Received: from mail-gw0-f44.google.com (mail-gw0-f44.google.com [74.125.83.44]) by core3.amsl.com (Postfix) with ESMTP id 87B9A28C33A for <oauth@ietf.org>; Mon, 7 Jun 2010 08:43:10 -0700 (PDT)
Received: by gwj21 with SMTP id 21so705007gwj.31 for <oauth@ietf.org>; Mon, 07 Jun 2010 08:43:08 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:mime-version:received:in-reply-to :references:from:date:message-id:subject:to:content-type; bh=aHtOf7vAPrwC0aIF9DenTIr9rcz5Qw7yVYHtB08lPHo=; b=HaQIsQrydNctw3r6z2fr8LNQ/ak0Z2Jvk/i37AgCrjfpqj25b8tmldLryJQ3Bx3zDl M6ROTn5/9iPI0L8DohZNCmflAvrVlvmzN6TkcdP7ogqmjmtOkX4i7G1hljaIEpyoBxi/ FRqCGd6Vr4x6cRpTU+wzea55VClb/0Xy+wnF8=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :content-type; b=l1bl2pZYYedji6jKF8nR1i44GaKhYTWbu1HxlK+iJ8mO06L1jLj61wgoRnByoQGBsK 6wJxf6qL8OGQb/+veQeVFIoJGXwxYxWGe7wXhMAZFdlWKVE0iHe+KSiFXI1wwhral2Fm qjxRg5SdqXJI82btVP+i+cLkhqklQcV/1SsKg=
Received: by 10.150.165.3 with SMTP id n3mr13974733ybe.47.1275925387121; Mon, 07 Jun 2010 08:43:07 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.151.26.19 with HTTP; Mon, 7 Jun 2010 08:42:42 -0700 (PDT)
In-Reply-To: <AANLkTin8PgNRA43pP-sTASCUAj1nBuYNd22z18NyNjRB@mail.gmail.com>
References: <AANLkTinQTV9JJPiftquRbvdqAOHxUXk7QQKCMrmQ4LLK@mail.gmail.com> <B549E6C4-A24D-4032-8A26-89ED58EBAA34@facebook.com> <4C090B6C.9030707@aol.com> <B6D1E6FF-D65F-4FD6-B148-C17550421FC9@facebook.com> <AANLkTilj0xG6SjHrzkd9Ca-N67J7IlsTNAOkyFdjQ62I@mail.gmail.com> <ED86A2AA-56D5-4DC6-B896-48A850EED3B2@facebook.com> <4C0930B2.80802@aol.com> <AANLkTimupEDpBUjg4iwwhPQ41ZKcryMcpVjJumXNIjP0@mail.gmail.com> <39D25154-9A0E-4357-B5D0-439AFBFC3DE7@jkemp.net> <AANLkTimiGydsTcCr7ntktnk-lJLcZQnKE_uTK7dgYvQ4@mail.gmail.com> <BB9D3011-8176-4EB3-BAED-F077986A48F9@facebook.com> <7BB45F28-C209-4014-B9F5-FBACADCFF09E@gmail.com> <AANLkTin8PgNRA43pP-sTASCUAj1nBuYNd22z18NyNjRB@mail.gmail.com>
From: Andrew Arnott <andrewarnott@gmail.com>
Date: Mon, 07 Jun 2010 08:42:42 -0700
Message-ID: <AANLkTinPYc7gF_Ny9VAnH0RTMcrCmoCJG9due4lT6nWS@mail.gmail.com>
To: "OAuth WG (oauth@ietf.org)" <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="000e0cd5637e7b9f6c04887287ca"
Subject: Re: [OAUTH-WG] Partially standardized format for access tokens?
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 07 Jun 2010 17:19:32 -0000

(resending to DL due to apparent DL failure over the weekend... I know Dick
and Luke already received my email because they were individual recipients
as well... I don't know if the DL received their replies or not)...

Great discussion, all.  I am also for an optional parameter that's part of
the main spec, and defining possible structures for the access token in
separate specs.

But *token_format* is not the idea I think.  It's more like *token_origin.
*The scenario I had in mind was that a RS actually accepts access tokens
from two auth servers, both tokens are in the *same* format, but the RS
needs to know which public keys to apply while verifying signatures and
decrypting the token in order to complete it successfully.  Now, an AS
identifier *could* be encoded directly into the access token to help the RS
know, which is fine if everyone was coordinating their design together.  But
if you have two auth servers issues encrypted access tokens in different
formats, it gets *much* harder for the resource server to decide how to
decrypt, verify, and decode the access token.  As the number of auth servers
supported by a RS goes up, the trial-and-error approach gets progressively
worse.

The only way I can see to avoid this is for an OAuth 2.0 specified standard
to exist so that all auth servers provide a way for RS to know "ok, this
access token came from *x*, so I'll decode it this way..."

So to recap, *knowing just the format is insufficient, *since that doesn't
tell you the public keys to use.  Including the public keys in the token
itself will significantly increase the size of the token, and assumes again
that the RS knows how to pull it out in advance of decoding it.
Chicken-and-egg problem.


--
Andrew Arnott
"I [may] not agree with what you have to say, but I'll defend to the death
your right to say it." - S. G. Tallentyre


On Fri, Jun 4, 2010 at 6:58 PM, Dick Hardt <dick.hardt@gmail.com> wrote:

>
> On 2010-06-04, at 6:39 PM, Luke Shepard wrote:
>
> > I don't see how the extra parameter is required to support multiple auth
> servers for a resource.
>
> it is needed if there are multiple token types
>
> >
> > Responses to Dick and Torsten:
> >
> > On Jun 4, 2010, at 11:33 AM, Dick Hardt wrote:
> >> if we have the parameter in the spec, then clients know to pass it along
> if they see it.
> >
> >
> > My main objection here is that the extra param requires more code on the
> client. Even if it's an optional param, the client needs to worry about
> multiple parameters, and that's annoying.
> >
> > For example, here's the PHP code needed to make a resource request today
> (at the end of the web server flow):
> >
> >  $access_token = oauth_get_access_token($_GET['code']);
> >  $resource = file_get_contents('
> https://example.com/resource?oauth_token=' . $access_token);
> >
> > With this proposal, the client now needs to keep track of two parameters
> and pass them both:
> >
> >  list($access_token, $format) = oauth_get_access_token($_GET['code']);
> >  $resource = file_get_contents('
> https://example.com/resource?oauth_token=' . $access_token . '&format=' .
> $format);
> >
> > Why?
>
> The client would only need to do that if the AS will issue the parameter. I
> would expect that libraries would deal with the two parameters. Moving an
> extra one around does not seem to be hard.
>
>
> >
> > On Jun 4, 2010, at 2:31 PM, Torsten Lodderstedt wrote:
> >> there is another point: such a parameter could be used to let the
> authorization server indicate the format of the access token to the resource
> server. This will help deployments with more than one token format in use.
> For example, we use SAML and another proprietary format. Without such a
> parameter, the resource server has to somehow (magically) find out the
> format of the incomming token.
> >
> > It's not "magically" - the server just decodes the token and extracts any
> useful information it's expecting. If it doesn't match the format it
> expects, then it throws it away. Tokens will undoubtedly encode all sorts of
> useful stuff that resource servers know how to decode - like format,
> expiration, scope, whatever. The point is that the structure is undefined
> *to the client*.
>
> what if there are multiple token formats? that is were the magic comes in.
> Detecting format can be tricky.
>
> >
> > For example, if the format is just encoded in the token, like this:
> >
> >   format=ubertoken&token=abcdefg
> >
> > The protected resource request is then:
> >
> >
> https://example.com/resource?oauth_token=format%3Dubertoken%26token%3Dabcdefg
> >
> > and there's no extra code required on the client. Why is this not
> sufficient?
>
> one token could be SAML, another JSON in one format, another in URL encoded
> name/value pairs.  The PR is having to detect both syntax and semantics.
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>

v2.23.0 | Report a Bug | By Email