IETF Logo Mail Archive

Re: [OAUTH-WG] Auth Server / Resource Server Coordination

Ofer Nave <odigity@gmail.com> Tue, 13 October 2015 04:42 UTC

Return-Path: <odigity@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7D0561B3764 for <oauth@ietfa.amsl.com>; Mon, 12 Oct 2015 21:42:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ggUHmYJHN3dL for <oauth@ietfa.amsl.com>; Mon, 12 Oct 2015 21:42:29 -0700 (PDT)
Received: from mail-wi0-x22b.google.com (mail-wi0-x22b.google.com [IPv6:2a00:1450:400c:c05::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F01721B3763 for <oauth@ietf.org>; Mon, 12 Oct 2015 21:42:28 -0700 (PDT)
Received: by wicge5 with SMTP id ge5so40355427wic.0 for <oauth@ietf.org>; Mon, 12 Oct 2015 21:42:27 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=cQS3NcKo+sNH51VjFR+IURe1xSkGYf8lykwKb6+M9iw=; b=P8OpBNO0zqRReKGAsG2OzDVz+1zzVCXxs7Lh/yMOSZrYQkxoNNq+Rn9UGlMRjOph5v TylwPNOB80qb3y8T/08YM9cgez8EgdP0YISSMEjJnPxgAxXtz1nmphPbRsylrjCe8u9y ZOByxSls39r+HKsENt66fLk3MzVfEL+2HeZlP5C4TN2awQNCfrd2pNy8mn5Rk2qUWTNp HySWx516W+6PFqd2Ngj7c5hcSJR/TE2U2GuKJFG6oKjvatM7nEoH9y+0uUuLNB09aJve t4O/iLTi3pipM554BpWlpYGht1z+OusxgJZtCdD68hlIrlkJH96pGg6yyKPim7SiniKk CLQw==
MIME-Version: 1.0
X-Received: by 10.180.184.138 with SMTP id eu10mr19260707wic.25.1444711347556; Mon, 12 Oct 2015 21:42:27 -0700 (PDT)
Received: by 10.27.125.70 with HTTP; Mon, 12 Oct 2015 21:42:27 -0700 (PDT)
In-Reply-To: <751A2989-38CD-4360-A691-980AA8DE58A8@manicode.com>
References: <CABPN19_wYVEvqEU85FDZMYe6k8E8qkL0gGDvFeQMXaaQt+yAbQ@mail.gmail.com> <751A2989-38CD-4360-A691-980AA8DE58A8@manicode.com>
Date: Tue, 13 Oct 2015 00:42:27 -0400
Message-ID: <CABPN199x6ZQYEVPgMCwawyok-K0HQEx0h6nqvmPtFW1z=D64qQ@mail.gmail.com>
From: Ofer Nave <odigity@gmail.com>
To: Jim Manico <jim@manicode.com>
Content-Type: multipart/alternative; boundary="001a11c33608ac99b40521f5125b"
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/Pw9C3WaPUTh4jlQee-osWpApwqI>
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] Auth Server / Resource Server Coordination
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 13 Oct 2015 04:42:31 -0000

> Isn't the whole idea of the auth server/resource server separation in
OAuth 2.0 so that one auth server can govern multiple resource servers?

The spec certainly allows for that, but it stops short of:

1) Defining an Access Token structure that both parties can understand.
2) Any standards whatsoever about any other communication or coordination
between the AS and RS.

It's outside the scope of the spec, and so it falls to the implementer to
make those decisions.  This is my first attempt to do so.

The design I propose is very simple and yet seems to accomplish the goal
sufficiently.  The way OAuth2 is designed, authorization comes down to a
simple set of scope booleans, and that's very easy to model and delegate.
There's really no reason everyone should have to be reinventing this.  The
protocol for AS/RS coordination almost seems to write itself.  I'm
surprised an extension doesn't exist yet for this -- which is why I'm
asking for a sanity check, just in case I've missed something.

-ofer

On Tue, Oct 13, 2015 at 12:36 AM, Jim Manico <jim@manicode.com> wrote:

> This seems like a reasonable approach. Isn't the whole idea of the auth
> server/resource server separation in OAuth 2.0 so that one auth server can
> govern multiple resource servers?
>
> --
> Jim Manico
> @Manicode
>
> > On Oct 13, 2015, at 6:13 AM, Ofer Nave <odigity@gmail.com> wrote:
> >
> > I know the OAuth 2.0 RFC doesn't specify any standards for coordination
> between the Authorization Server and the Resource Server, as it's generally
> assumed that both will be owned or operated by the same entity.
> >
> > However, I'm building an OAuth 2.0 Auth Server, and I'd like to add a
> feature to make it easy for other API developers to delegate to me the
> responsibility of handling the auth grant process and issuing access tokens.
> >
> > It seems to me that a simple version of this could be easily done by:
> >
> > 1) Defining an Access Token format that contains within it everything a
> Resource Server will need to validate it and determine the level of access
> granted (list of scopes, expiration datetime, HMAC signature using a shared
> secret).
> >
> > 2) Providing a means (basic web UI) for Resource Server owners to
> register a set of scopes for their service, along with user-understandable
> descriptions of each to display when they arrive at my Authorization
> Endpoint.
> >
> > While I've read the relevant RFCs, I'm new to the OAuth domain, and
> would appreciate any feedback. Is this a stupid idea?  Is this a good idea,
> but redundant with another standard I'm not aware of?
> >
> > -ofer
> > _______________________________________________
> > OAuth mailing list
> > OAuth@ietf.org
> > https://www.ietf.org/mailman/listinfo/oauth
>

v2.23.0 | Report a Bug | By Email