Re: [OAUTH-WG] Question about usage of OAuth between servers

Bill Mills <wmills_92105@yahoo.com> Thu, 02 July 2015 16:28 UTC

Date: Thu, 02 Jul 2015 16:28:10 +0000
From: Bill Mills <wmills_92105@yahoo.com>
To: Lisa Li1 <Lisa_Li1@symantec.com>, "oauth@ietf.org" <oauth@ietf.org>
Message-ID: <1314028769.1323699.1435854490299.JavaMail.yahoo@mail.yahoo.com>
In-Reply-To: <47E83806AE926749BB17D1020685E6901903F0CC5F@APJ1XCHEVSPIN36.SYMC.SYMANTEC.COM>
References: <47E83806AE926749BB17D1020685E6901903F0CC5F@APJ1XCHEVSPIN36.SYMC.SYMANTEC.COM>
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/Tg8xxvEWlh0josvuLahtUtTyvKc>
Subject: Re: [OAUTH-WG] Question about usage of OAuth between servers

Using Bearer tokens with refresh tokens is a valid use case for server-to-server and has the same nice properties that it does for users, in that it applies a single control point for revoking access.  Using Bearer tokens has very different security properties than OAuth 1.0a and you should carefully consider this.  Look at the proof-of-possession work rather than simple Bearer tokens.


     On Thursday, July 2, 2015 9:10 AM, Lisa Li1 <Lisa_Li1@symantec.com> wrote:

Hi All,

This is Lisa. Our project is adopting OAuth 2 as its authentication specification. For client-server communication, the OAuth token works fine. But we have some cases of server-to-server communication; usually it will be multiple tasks running in parallel or in sequence, or even in multiple threads. In this case, we are not sure whether we should reuse the access token granted by the end user or create another token?

Moreover, if the token expires in 30 min, we are able to refresh it but may meet some issues with token consistency between each task, so it might be refreshed again and again… But with OAuth 1.0, since the token will not expire and we don't have to refresh, it will work fine. So for OAuth 2.0, what's your consideration for the server-to-server communication scenario? Or do you have any suggestion here?

Thanks.

Lisa Li
Principal Software Engineer
Symantec Corporation
Office: (010) 6272 5127 / Mobile: 189 1057 2219
Lisa_Li1@symantec.com
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
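The refresh-storm problem Lisa describes (parallel tasks each refreshing the same token) and the single revocation control point Bill mentions, shown as an added example that is not part of the thread. `FakeTokenEndpoint` is a constructed stand-in for an authorization server; `SharedTokenSource` is a hypothetical process-wide cache that serialises refreshes so concurrent tasks share one bearer token and one refresh request.

```python
import threading
import time

class FakeTokenEndpoint:
    """Constructed stand-in for an authorization server's token endpoint (not a real AS)."""
    def __init__(self, lifetime=1800):
        self.lifetime = lifetime       # seconds; the 30 min lifetime from the question
        self.refresh_calls = 0         # how many refresh requests the AS actually saw
        self.revoked = False           # the single control point: flip to cut off all tasks
        self._lock = threading.Lock()

    def refresh(self, refresh_token):
        with self._lock:
            self.refresh_calls += 1
            n = self.refresh_calls
        if self.revoked:
            raise PermissionError("invalid_grant: refresh token revoked")
        return {"access_token": f"at-{n}", "expires_in": self.lifetime,
                "refresh_token": refresh_token}

class SharedTokenSource:
    """Process-wide cache so parallel tasks share one bearer token and one refresh."""
    def __init__(self, endpoint, refresh_token, skew=60, clock=time.monotonic):
        self._endpoint, self._refresh_token = endpoint, refresh_token
        self._skew, self._clock = skew, clock   # refresh `skew` seconds before expiry
        self._token, self._expires_at = None, 0.0
        self._lock = threading.Lock()

    def access_token(self):
        # Single-flight refresh: the task holding the lock refreshes; the others wait for
        # its result instead of each sending their own refresh request.
        with self._lock:
            if self._token is None or self._clock() >= self._expires_at - self._skew:
                resp = self._endpoint.refresh(self._refresh_token)
                self._token = resp["access_token"]
                self._expires_at = self._clock() + resp["expires_in"]
                # Keep a rotated refresh token if the AS issued one
                self._refresh_token = resp.get("refresh_token", self._refresh_token)
            return self._token

def run_parallel_tasks(source, n_tasks=50):
    """Start n_tasks threads that each fetch a token; return the set of distinct tokens."""
    seen = []
    threads = [threading.Thread(target=lambda: seen.append(source.access_token()))
               for _ in range(n_tasks)]
    for t in threads: t.start()
    for t in threads: t.join()
    return set(seen)
```

Fifty concurrent tasks produce exactly one refresh request and one shared token; revoking the refresh token at the endpoint fails every task's next refresh at once, which is the single control point Bill refers to.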