Re: [OAUTH-WG] Confirmation: Call for Adoption of "OAuth 2.0 Token Exchange" as an OAuth Working Group Item

John Bradley <> Fri, 08 August 2014 16:56 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 033831ABB2C for <>; Fri, 8 Aug 2014 09:56:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.59
X-Spam-Status: No, score=-2.59 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, T_REMOTE_IMAGE=0.01] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id z8PHR4trN36A for <>; Fri, 8 Aug 2014 09:56:38 -0700 (PDT)
Received: from ( []) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 61FAC1B27E8 for <>; Fri, 8 Aug 2014 09:56:38 -0700 (PDT)
Received: by with SMTP id q107so6253725qgd.40 for <>; Fri, 08 Aug 2014 09:56:37 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20130820; h=x-gm-message-state:content-type:mime-version:subject:from :in-reply-to:date:cc:message-id:references:to; bh=98LBknlWX4GtFMIVPPxL1OX07/CI7NCMeU0cGqewkM0=; b=UZyBpxqFBb5lAmsdLhtBntv0JL8y2Di4cLi8J1SZoOy0snl495GxXr26W+OKtItVbU f3WlAWjlelQekTJxgfRP+JnrY3r/8HbkXdJ8LOx+ErMeJ5tstupUiigveK2BS6B0t4lp G2ca0P/coT/5VWxmWiSWhxlxocCeG03mHs0kA1aoknWIPc9tpEBsgPVvHzDj/6K+/7NZ Y4iLHRMIZLIBVzesvkMAPjoxXhQGBw4Y81acJshRZfPPERC3mrcGAd+lmyVpSv96cuww +YtDGAWyOdnkWEMxl+QNO4Lu6oBDLM74oPY1pbsrj0jpAV263HlJQVuUG53VLF3kketw kfGA==
X-Gm-Message-State: ALoCoQm+cpLedVmODbKk3KtX9qSejhJxxFAfEqXN858UWEj8hauJex5VrlnULvtu1g0YGM1TuK1C
X-Received: by with SMTP id w3mr39211349qct.23.1407516997407; Fri, 08 Aug 2014 09:56:37 -0700 (PDT)
Received: from [] ([]) by with ESMTPSA id 95sm4101646qgg.25.2014. for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Fri, 08 Aug 2014 09:56:35 -0700 (PDT)
Content-Type: multipart/signed; boundary="Apple-Mail=_A8A131F5-FF4E-4604-9713-FEDE82B81B76"; protocol="application/pkcs7-signature"; micalg="sha1"
Mime-Version: 1.0 (Mac OS X Mail 7.3 \(1878.6\))
From: John Bradley <>
In-Reply-To: <>
Date: Fri, 08 Aug 2014 12:58:26 -0400
Message-Id: <>
References: <> <>
To: Brian Campbell <>
X-Mailer: Apple Mail (2.1878.6)
Cc: "" <>, "" <>
Subject: Re: [OAUTH-WG] Confirmation: Call for Adoption of "OAuth 2.0 Token Exchange" as an OAuth Working Group Item
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 08 Aug 2014 16:56:43 -0000

Thanks for doing that.

I think that this is clearer and extends Mike's draft to be more specific about input and output token types.

It is going to be hard for people to get their heads around this without at-least having some example use-cases and example token input and outputs.

In following this proposed model would code and refresh tokens be considered valid on_behalf_of tokens?
I am guessing that a JWT or SAML 2 assertion clearly can be.

So if for example I wanted a JWT/id_token to use in the assertion flow at a SaaS I would send.

aud = "an identifyer for the SaaS AS (perhaps the token endpoint or issuer uri)
requested_security_token_type = urn:ietf:params:oauth:token-type:jwt  (perhaps something more specific?)
on_behalf_of = (refresh token?)
on_behalf_of_token_type = urn:ietf:params:oauth:token-type:refresh   (yes I just made that up)

So how might sending an act_as token to the token endpoint as part of the request impact the result.
Do you see the act_as interacting with PoP to limit who can present the resulting token. 
Is act_as simply duplicating  the authentication portion of the current assertion profile?

Not having concrete answers at this point is not a problem, but we do need to think all of this through.
I think this document is also useful input.

John B.

On Aug 8, 2014, at 10:27 AM, Brian Campbell <> wrote:

> I am very much in favor of the WG pursuing the general concept of an OAuth Token Exchange.  However, I don't believe this document, in its current form anyway, is the necessarily the most appropriate starting point as a WG work item. 
> I wrote up an I-D, which I'd ask to be considered as alternative or additional input into the process:
> I don't intend this to be confrontational or "this is better than that" kind of thing. Producing a draft just seemed like the most straightforward way to document some initial thoughts on it. I'm more than open to collaborating on it going forward.
> On Mon, Jul 28, 2014 at 11:33 AM, Hannes Tschofenig <> wrote:
> Hi all,
> during the IETF #90 OAuth WG meeting, there was strong consensus in
> adopting the "OAuth 2.0 Token Exchange"
> (draft-jones-oauth-token-exchange-01.txt) specification as an OAuth WG
> work item.
> We would now like to verify the outcome of this call for adoption on the
> OAuth WG mailing list. Here is the link to the document:
> If you did not hum at the IETF 90 OAuth WG meeting, and have an opinion
> as to the suitability of adopting this document as a WG work item,
> please send mail to the OAuth WG list indicating your opinion (Yes/No).
> The confirmation call for adoption will last until August 10, 2014.  If
> you have issues/edits/comments on the document, please send these
> comments along to the list in your response to this Call for Adoption.
> Ciao
> Hannes & Derek
> _______________________________________________
> OAuth mailing list
> -- 
> Brian Campbell
> Distinquished Engineer
> @
> 	+1 720.317.2061
> Connect with us…
>        _______________________________________________
> OAuth mailing list