Re: [OAUTH-WG] OAuth Milestone Update and Rechartering

[Chuck Mortimore <cmortimore@salesforce.com>]

a4c is connect.    For example here's the sample requests:

draft-hunt-oauth-v2-user-a4c-01, section 2.1:

    GET /authenticate?
    response_type=code
    &client_id=s6BhdRkqt3
    &redirect_uri=https%3A%2F%2Fclient.example.com%2Fcb
    &state=af0ifjsldkj
    &prompt=login
    Host: server.example.com

OpenID Connect Basic Client Implementer's Guide 1.0 - draft 33, section
2.1.2:

  GET /authorize?
    response_type=code
    &client_id=s6BhdRkqt3
    &redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb
    &scope=openid%20profile
    &state=af0ifjsldkj HTTP/1.1
  Host: server.example.com


The primary contribution of a4c in this case seems to be malformed HTTP,
and implying that implementors should deploy a redundant authenticate
endpoint.

Sample Responses:

draft-hunt-oauth-v2-user-a4c-01, section 2.4:


     HTTP/1.1 200 OK
       Content-Type: application/json;charset=UTF-8
       Cache-Control: no-store
       Pragma: no-cache
       {
         "access_token":"2YotnFZFEjr1zCsicMWpAA",
         "token_type":"example",
         "expires_in":3600,
         "refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA",
         "id_token":"eyJhbGciOiJub25lIn0.
  eyAic3ViIjoiNWRlZGNjOGItNzM1Yy00MDVmLWUwMjlmIiwicHJvZmlsZSI6Imh0
  dHBzOi8vZXhhbXBsZS5jb20vVXNlcnMvNWRlZGNjOGItNzM1Yy00MDVmLWUwMjlm
  IiwiYXV0aF90aW1lIjoiMTM2Nzk1NjA5NiIsImV4cCI6IjEzNjgwNDI0OTYiLCJh
  bHYiOiIyIiwiaWF0IjoiMTM2Nzk1NjA5OCIsImlzcyI6Imh0dHBzOi8vc2VydmVy
  LmV4YW1wbGUuY29tIiwiYXVkIjoiczZCaGRSa3F0MyIsImV4YW1wbGVfc2Vzc2lv
  bl9wYXJhbWV0ZXIiOiJleGFtcGxlX3ZhbHVlIn0=."
       }



OpenID Connect Basic Client Implementer's Guide 1.0 - draft 33, section
2.1.6.2:


   HTTP/1.1 200 OK
   Content-Type: application/json
   Cache-Control: no-store
   Pragma: no-cache
   {
    "access_token":"SlAV32hkKG",
    "token_type":"Bearer",
    "expires_in":3600,
    "refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA",
    "id_token":"eyJ0 ... NiJ9.eyJ1c ... I6IjIifX0.DeWt4Qu ... ZXso"
   }



a4c seems to toss in a little confusion with an arbitrary example token
type.

We're still dealing with ws-federation passive profile in saml dominated
world.  The oauth working group shouldn't repeat that sin.

-cmort


On Wed, May 14, 2014 at 2:40 PM, Anthony Nadalin <tonynad@microsoft.com>wrote:

>  There are folks that are not implementing connect for various reasons
> (i.e. security reasons, complexity reasons, etc.). thus this is compatible
> with connect if folks want to move on to connect,  we surely don’t use
> connect everwhere as it’s over kill where we only need a the functionality
> of a4c.
>
>
>
> *From:* Chuck Mortimore [mailto:cmortimore@salesforce.com]
> *Sent:* Wednesday, May 14, 2014 9:39 AM
> *To:* Anthony Nadalin
> *Cc:* Phil Hunt; Brian Campbell; oauth@ietf.org
>
> *Subject:* Re: [OAUTH-WG] OAuth Milestone Update and Rechartering
>
>
>
> Can you point to one publicly available or publicly documented
> implementation of a4c?    I've never seen one.
>
>
>
> I will say the a4c spec is almost 100% overlapped with OpenID Connect.
> Some minor variations in claim names, but it adds 0 incremental value over
> what we have in Connect.
>
>
>
> Connect is being successfully deployed at large scale.  It would be
> irresponsible for this working group to confuse developers and the industry
> with duplicate work, especially given this feels more like an argument over
> signing IPR agreements.
>
>
>
> -cmort
>
>
>
> On Wed, May 14, 2014 at 8:47 AM, Anthony Nadalin <tonynad@microsoft.com>
> wrote:
>
>  I agree with Phil on this one, there are implementations of this already
> and much interest
>
>
>
> *From:* OAuth [mailto:oauth-bounces@ietf.org] *On Behalf Of *Phil Hunt
> *Sent:* Wednesday, May 14, 2014 8:32 AM
> *To:* Brian Campbell
> *Cc:* oauth@ietf.org
> *Subject:* Re: [OAUTH-WG] OAuth Milestone Update and Rechartering
>
>
>
> On the contrary. I and others are interested.
>
>
>
> We are waiting for the charter to pick up the work.
>
>
>
> Regardless there will be a new draft shortly.
>
>
> Phil
>
>
> On May 14, 2014, at 5:24, Brian Campbell <bcampbell@pingidentity.com>
> wrote:
>
>  I would object to 'OAuth Authentication' being picked up by the WG as a
> work item. The starting point draft has expired and it hasn't really been
> discusses since Berlin nearly a year ago.  As I recall, there was only very
> limited interest in it even then. I also don't believe it fits well with
> the WG charter.
>
> I would suggest the WG consider picking up 'OAuth Symmetric Proof of
> Possession for Code Extension' for which there is an excellent starting
> point of http://tools.ietf.org/html/draft-sakimura-oauth-tcse-03 - it's a
> relativity simple security enhancement which addresses problems currently
> being encountered in deployments of native clients.
>
>
>
> On Thu, May 8, 2014 at 3:04 PM, Hannes Tschofenig <
> hannes.tschofenig@gmx.net> wrote:
>
> Hi all,
>
> you might have seen that we pushed the assertion documents and the JWT
> documents to the IESG today. We have also updated the milestones on the
> OAuth WG page.
>
> This means that we can plan to pick up new work in the group.
> We have sent a request to Kathleen to change the milestone for the OAuth
> security mechanisms to use the proof-of-possession terminology.
>
> We also expect an updated version of the dynamic client registration
> spec incorporating last call feedback within about 2 weeks.
>
> We would like you to think about adding the following milestones to the
> charter as part of the re-chartering effort:
>
> -----
>
> Nov 2014 Submit 'Token introspection' to the IESG for consideration as a
> Proposed Standard
> Starting point: <draft-richer-oauth-introspection-04>
>
> Jan 2015 Submit 'OAuth Authentication' to the IESG for consideration as
> a Proposed Standard
> Starting point: <draft-hunt-oauth-v2-user-a4c-01>
>
> Jan 2015 Submit 'Token Exchange' to the IESG for consideration as a
> Proposed Standard
> Starting point: <draft-jones-oauth-token-exchange-00>
>
> -----
>
> We also updated the charter text to reflect the current situation. Here
> is the proposed text:
>
> -----
>
> Charter for Working Group
>
>
> The Web Authorization (OAuth) protocol allows a user to grant a
> third-party Web site or application access to the user's protected
> resources, without necessarily revealing their long-term credentials,
> or even their identity. For example, a photo-sharing site that
> supports OAuth could allow its users to use a third-party printing Web
> site to print their private pictures, without allowing the printing
> site to gain full control of the user's account and without having the
> user share his or her photo-sharing sites' long-term credential with
> the printing site.
>
> The OAuth 2.0 protocol suite encompasses
>
> * a protocol for obtaining access tokens from an authorization
> server with the resource owner's consent,
> * protocols for presenting these access tokens to resource server
> for access to a protected resource,
> * guidance for securely using OAuth 2.0,
> * the ability to revoke access tokens,
> * standardized format for security tokens encoded in a JSON format
>   (JSON Web Token, JWT),
> * ways of using assertions with OAuth, and
> * a dynamic client registration protocol.
>
> The working group also developed security schemes for presenting
> authorization tokens to access a protected resource. This led to the
> publication of the bearer token, as well as work that remains to be
> completed on proof-of-possession and token exchange.
>
> The ongoing standardization effort within the OAuth working group will
> focus on enhancing interoperability and functionality of OAuth
> deployments, such as a standard for a token introspection service and
> standards for additional security of OAuth requests.
>
> -----
>
> Feedback appreciated.
>
> Ciao
> Hannes & Derek
>
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
>
>
>
> --
>
> [image: Ping Identity logo] <https://www.pingidentity.com/>
>
> *Brian Campbell*
> Portfolio Architect
>
> *@*
>
> bcampbell@pingidentity.com
>
> [image: phone]
>
> +1 720.317.2061
>
> Connect with us…
>
> [image: twitter logo] <https://twitter.com/pingidentity>[image: youtube
> logo] <https://www.youtube.com/user/PingIdentityTV>[image: LinkedIn logo]<https://www.linkedin.com/company/21870>[image:
> Facebook logo] <https://www.facebook.com/pingidentitypage>[image: Google+
> logo] <https://plus.google.com/u/0/114266977739397708540>[image:
> slideshare logo] <http://www.slideshare.net/PingIdentity>[image:
> flipboard logo] <http://flip.it/vjBF7>[image: rss feed icon]<https://www.pingidentity.com/blogs/>
>
> [image: Register for Cloud Identity Summit 2014 | Modern Identity
> Revolution | 19–23 July, 2014 | Monterey, CA]<https://www.cloudidentitysummit.com/>
>
>
>
>  _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
>
>