Re: [OAUTH-WG] Auth Server / Resource Server Coordination
Ofer Nave <odigity@gmail.com> Tue, 13 October 2015 04:42 UTC
Return-Path: <odigity@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7D0561B3764 for <oauth@ietfa.amsl.com>; Mon, 12 Oct 2015 21:42:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ggUHmYJHN3dL for <oauth@ietfa.amsl.com>; Mon, 12 Oct 2015 21:42:29 -0700 (PDT)
Received: from mail-wi0-x22b.google.com (mail-wi0-x22b.google.com [IPv6:2a00:1450:400c:c05::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F01721B3763 for <oauth@ietf.org>; Mon, 12 Oct 2015 21:42:28 -0700 (PDT)
Received: by wicge5 with SMTP id ge5so40355427wic.0 for <oauth@ietf.org>; Mon, 12 Oct 2015 21:42:27 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=cQS3NcKo+sNH51VjFR+IURe1xSkGYf8lykwKb6+M9iw=; b=P8OpBNO0zqRReKGAsG2OzDVz+1zzVCXxs7Lh/yMOSZrYQkxoNNq+Rn9UGlMRjOph5v TylwPNOB80qb3y8T/08YM9cgez8EgdP0YISSMEjJnPxgAxXtz1nmphPbRsylrjCe8u9y ZOByxSls39r+HKsENt66fLk3MzVfEL+2HeZlP5C4TN2awQNCfrd2pNy8mn5Rk2qUWTNp HySWx516W+6PFqd2Ngj7c5hcSJR/TE2U2GuKJFG6oKjvatM7nEoH9y+0uUuLNB09aJve t4O/iLTi3pipM554BpWlpYGht1z+OusxgJZtCdD68hlIrlkJH96pGg6yyKPim7SiniKk CLQw==
MIME-Version: 1.0
X-Received: by 10.180.184.138 with SMTP id eu10mr19260707wic.25.1444711347556; Mon, 12 Oct 2015 21:42:27 -0700 (PDT)
Received: by 10.27.125.70 with HTTP; Mon, 12 Oct 2015 21:42:27 -0700 (PDT)
In-Reply-To: <751A2989-38CD-4360-A691-980AA8DE58A8@manicode.com>
References: <CABPN19_wYVEvqEU85FDZMYe6k8E8qkL0gGDvFeQMXaaQt+yAbQ@mail.gmail.com> <751A2989-38CD-4360-A691-980AA8DE58A8@manicode.com>
Date: Tue, 13 Oct 2015 00:42:27 -0400
Message-ID: <CABPN199x6ZQYEVPgMCwawyok-K0HQEx0h6nqvmPtFW1z=D64qQ@mail.gmail.com>
From: Ofer Nave <odigity@gmail.com>
To: Jim Manico <jim@manicode.com>
Content-Type: multipart/alternative; boundary="001a11c33608ac99b40521f5125b"
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/Pw9C3WaPUTh4jlQee-osWpApwqI>
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] Auth Server / Resource Server Coordination
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 13 Oct 2015 04:42:31 -0000
> Isn't the whole idea of the auth server/resource server separation in OAuth 2.0 so that one auth server can govern multiple resource servers? The spec certainly allows for that, but it stops short of: 1) Defining an Access Token structure that both parties can understand. 2) Any standards whatsoever about any other communication or coordination between the AS and RS. It's outside the scope of the spec, and so it falls to the implementer to make those decisions. This is my first attempt to do so. The design I propose is very simple and yet seems to accomplish the goal sufficiently. The way OAuth2 is designed, authorization comes down to a simple set of scope booleans, and that's very easy to model and delegate. There's really no reason everyone should have to be reinventing this. The protocol for AS/RS coordination almost seems to write itself. I'm surprised an extension doesn't exist yet for this -- which is why I'm asking for a sanity check, just in case I've missed something. -ofer On Tue, Oct 13, 2015 at 12:36 AM, Jim Manico <jim@manicode.com> wrote: > This seems like a reasonable approach. Isn't the whole idea of the auth > server/resource server separation in OAuth 2.0 so that one auth server can > govern multiple resource servers? > > -- > Jim Manico > @Manicode > > > On Oct 13, 2015, at 6:13 AM, Ofer Nave <odigity@gmail.com> wrote: > > > > I know the OAuth 2.0 RFC doesn't specify any standards for coordination > between the Authorization Server and the Resource Server, as it's generally > assumed that both will be owned or operated by the same entity. > > > > However, I'm building an OAuth 2.0 Auth Server, and I'd like to add a > feature to make it easy for other API developers to delegate to me the > responsibility of handling the auth grant process and issuing access tokens. > > > > It seems to me that a simple version of this could be easily done by: > > > > 1) Defining an Access Token format that contains within it everything a > Resource Server will need to validate it and determine the level of access > granted (list of scopes, expiration datetime, HMAC signature using a shared > secret). > > > > 2) Providing a means (basic web UI) for Resource Server owners to > register a set of scopes for their service, along with user-understandable > descriptions of each to display when they arrive at my Authorization > Endpoint. > > > > While I've read the relevant RFCs, I'm new to the OAuth domain, and > would appreciate any feedback. Is this a stupid idea? Is this a good idea, > but redundant with another standard I'm not aware of? > > > > -ofer > > _______________________________________________ > > OAuth mailing list > > OAuth@ietf.org > > https://www.ietf.org/mailman/listinfo/oauth >
- [OAUTH-WG] Auth Server / Resource Server Coordina… Ofer Nave
- Re: [OAUTH-WG] Auth Server / Resource Server Coor… Bill Mills
- Re: [OAUTH-WG] Auth Server / Resource Server Coor… Jim Manico
- Re: [OAUTH-WG] Auth Server / Resource Server Coor… Ofer Nave
- Re: [OAUTH-WG] Auth Server / Resource Server Coor… Ofer Nave
- Re: [OAUTH-WG] Auth Server / Resource Server Coor… Justin Richer
- Re: [OAUTH-WG] Auth Server / Resource Server Coor… Vladimir Dzhuvinov
- Re: [OAUTH-WG] Auth Server / Resource Server Coor… Thomas Broyer
- Re: [OAUTH-WG] Auth Server / Resource Server Coor… Ofer Nave
- Re: [OAUTH-WG] Auth Server / Resource Server Coor… Ofer Nave
- Re: [OAUTH-WG] Auth Server / Resource Server Coor… Ofer Nave
- Re: [OAUTH-WG] Auth Server / Resource Server Coor… Ofer Nave
- Re: [OAUTH-WG] Auth Server / Resource Server Coor… Bill Mills
- Re: [OAUTH-WG] Auth Server / Resource Server Coor… Eve Maler
- [OAUTH-WG] Is authorization challenge always need… Sergey Beryozkin
- Re: [OAUTH-WG] Is authorization challenge always … Justin Richer
- Re: [OAUTH-WG] Is authorization challenge always … Sergey Beryozkin