IETF Logo Mail Archive

Re: [OAUTH-WG] Delegation -- RE: SAML profile comments/questions from the SAML people

Thomas Hardjono <hardjono@MIT.EDU> Thu, 09 September 2010 15:13 UTC

Return-Path: <hardjono@mit.edu>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 442293A6919 for <oauth@core3.amsl.com>; Thu, 9 Sep 2010 08:13:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.828
X-Spam-Level:
X-Spam-Status: No, score=-3.828 tagged_above=-999 required=5 tests=[AWL=-1.230, BAYES_00=-2.599, UNPARSEABLE_RELAY=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id su9-JxU9gS9k for <oauth@core3.amsl.com>; Thu, 9 Sep 2010 08:12:59 -0700 (PDT)
Received: from dmz-mailsec-scanner-8.mit.edu (DMZ-MAILSEC-SCANNER-8.MIT.EDU [18.7.68.37]) by core3.amsl.com (Postfix) with ESMTP id 85FA53A6868 for <oauth@ietf.org>; Thu, 9 Sep 2010 08:12:58 -0700 (PDT)
X-AuditID: 12074425-b7cccae000005f17-b0-4c88f98b8e5a
Received: from mailhub-auth-4.mit.edu ( [18.7.62.39]) by dmz-mailsec-scanner-8.mit.edu (Symantec Brightmail Gateway) with SMTP id DB.C0.24343.B89F88C4; Thu, 9 Sep 2010 11:13:15 -0400 (EDT)
Received: from outgoing.mit.edu (OUTGOING-EXCHANGE-1.MIT.EDU [18.9.28.15]) by mailhub-auth-4.mit.edu (8.13.8/8.9.2) with ESMTP id o89FDOlh020330; Thu, 9 Sep 2010 11:13:25 -0400
Received: from w92exedge3.EXCHANGE.MIT.EDU (W92EXEDGE3.EXCHANGE.MIT.EDU [18.7.73.15]) ) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id o89FDOIH004301; Thu, 9 Sep 2010 11:13:24 -0400
Received: from w92exhub10.exchange.mit.edu (18.7.73.18) by w92exedge3.exchange.mit.edu (18.7.73.15) with Microsoft SMTP Server (TLS) id 8.2.254.0; Thu, 9 Sep 2010 11:13:12 -0400
Received: from EXPO10.exchange.mit.edu ([18.9.4.15]) by w92exhub10.exchange.mit.edu ([18.7.73.18]) with mapi; Thu, 9 Sep 2010 11:13:23 -0400
From: Thomas Hardjono <hardjono@MIT.EDU>
To: "Zeltsan, Zachary (Zachary)" <zachary.zeltsan@alcatel-lucent.com>, "Faynberg, Igor (Igor)" <igor.faynberg@alcatel-lucent.com>
Date: Thu, 09 Sep 2010 11:13:21 -0400
Thread-Topic: [OAUTH-WG] Delegation -- RE: SAML profile comments/questions from the SAML people
Thread-Index: ActOzGFQvhoQfZOXQCaYovoauidPGQAAxeYgAFh1YXA=
Message-ID: <DADD7EAD88AB484D8CCC328D40214CCD01C2BC5FC8@EXPO10.exchange.mit.edu>
References: <DADD7EAD88AB484D8CCC328D40214CCD01C253AA42@EXPO10.exchange.mit.edu> <4C86A248.20501@alcatel-lucent.com> <5710F82C0E73B04FA559560098BF95B124FB2333D2@USNAVSXCHMBSA3.ndc.alcatel-lucent.com>
In-Reply-To: <5710F82C0E73B04FA559560098BF95B124FB2333D2@USNAVSXCHMBSA3.ndc.alcatel-lucent.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Brightmail-Tracker: AAAAAA==
Cc: oauth <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Delegation -- RE: SAML profile comments/questions from the SAML people
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 09 Sep 2010 15:13:18 -0000

Thanks Igor and Zachary,

Are there any plans to renew this expired draft?  Also, is there a limitation to the number of "swaps" that can be supported?

Thanks.

/thomas/

__________________________________________

> -----Original Message-----
> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf
> Of Zeltsan, Zachary (Zachary)
> Sent: Tuesday, September 07, 2010 5:15 PM
> To: Faynberg, Igor (Igor); Thomas Hardjono
> Cc: oauth
> Subject: Re: [OAUTH-WG] Delegation -- RE: SAML profile
> comments/questions from the SAML people
> 
> Igor,
> 
> The intention of the draft draft-vrancken-oauth-redelegation was to
> specify a mechanism for doing exactly what Thomas has described:
> > ... User#1/Client#1 asks for
> > an access token (to a given resource) with the intention of later
> > handing over the access-token to a different User#2/Client#2
> The mechanism is design to support also the situation where
> > User#2/Client#2 asks the Auth Server to "swap" (re-issue) this token
> > for a different client_id (User#3/Client#3)
> 
> The difference is that the mechanism of the draft-vrancken-oauth-
> redelegation relies on the "temporary credentials" and "token
> credentials", which were used in OAuth 1.0, and not on the access
> tokens.
> 
> Zachary
> -----Original Message-----
> From: Igor Faynberg [mailto:igor.faynberg@alcatel-lucent.com]
> Sent: Tuesday, September 07, 2010 4:36 PM
> To: Thomas Hardjono; Zeltsan, Zachary (Zachary)
> Cc: Brian Campbell; oauth
> Subject: Re: [OAUTH-WG] Delegation -- RE: SAML profile
> comments/questions from the SAML people
> 
> Thomas,
> 
> It looks to me like the intention in this use case is similar to that
> of the "multilegged OAuth" (later renamed to the politically-correct
> "recursive delegation"). This use case has been published in Bart's and
> Zachary's draft. which has expired now. This case has moved into the
> overall use case compilation document.
> 
> Zachary, maybe you could shed some light here?
> 
> Igor
> 
> Thomas Hardjono wrote:
> > __________________________________________
> >
> >
> >> -...
> >
> > What I meant to say is that User#1/Client#1 asks for an access token
> > (to a given resource) with the intention of later handing over the
> > access-token to a different User#2/Client#2.
> >
> > Ideally, this model could be extensible where
> > User#2/Client#2 asks the Auth Server to "swap" (re-issue) this token
> > for a different client_id (User#3/Client#3).
> >
> > However, this bring us into space of role based access control and
> > permissions, which would somewhat complicate the Oauth 2.0
> > authorization model :)
> >
> > /thomas/
> >
> >
> >
> >
> > _______________________________________________
> > OAuth mailing list
> > OAuth@ietf.org
> > https://www.ietf.org/mailman/listinfo/oauth
> >
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email