IETF Logo Mail Archive

Re: [OAUTH-WG] Auth Server / Resource Server Coordination

Ofer Nave <odigity@gmail.com> Tue, 13 October 2015 13:40 UTC

Return-Path: <odigity@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 02F351B3D5E for <oauth@ietfa.amsl.com>; Tue, 13 Oct 2015 06:40:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pT8lODTomXaH for <oauth@ietfa.amsl.com>; Tue, 13 Oct 2015 06:40:27 -0700 (PDT)
Received: from mail-wi0-x230.google.com (mail-wi0-x230.google.com [IPv6:2a00:1450:400c:c05::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 09BC51B3D5C for <oauth@ietf.org>; Tue, 13 Oct 2015 06:40:27 -0700 (PDT)
Received: by wicgb1 with SMTP id gb1so89957732wic.1 for <oauth@ietf.org>; Tue, 13 Oct 2015 06:40:25 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=Xwy3FBJQKyw5IR48Pc03RLJGB+jRivEI59nuUMZXXzA=; b=dB9OV8jwq0NoVSdqCcAhN6V8NQ7+7XeTvDX61JHOEXCXfpxf6ZmudGBOnqYSIQqhwq UUCEXJduviTlW2Ox+kbFKhIb5PUmJ4/FKtluQUw6vOwM1TOzIDmZNOFnXrYxYjCZdvUa o6iesv5iP+erK50dJ9Br7QRhAL76hPALm+44f2Q03q5DrWxERsEPL3gbJVUD6avta+oQ SbIKJ4VaoPgI8ZwcSjL3Y9Q3EqsefaEqCBm/IgQ0Sx4n1AE3N1cghvto7E58C4acP4sP wT46dGNZTwQdxN9+OHlLqfwa358mQZl0VfgFTVPoVCY6MimYpq4GLKqglEQg3l6JkwgT DjYw==
MIME-Version: 1.0
X-Received: by 10.194.2.243 with SMTP id 19mr35782845wjx.140.1444743608171; Tue, 13 Oct 2015 06:40:08 -0700 (PDT)
Received: by 10.27.125.70 with HTTP; Tue, 13 Oct 2015 06:40:08 -0700 (PDT)
In-Reply-To: <D1B6CDB2-F758-45B6-9819-DEA865A8A0F3@mit.edu>
References: <CABPN19_wYVEvqEU85FDZMYe6k8E8qkL0gGDvFeQMXaaQt+yAbQ@mail.gmail.com> <D1B6CDB2-F758-45B6-9819-DEA865A8A0F3@mit.edu>
Date: Tue, 13 Oct 2015 09:40:08 -0400
Message-ID: <CABPN19_Dmb=oOdMpQ8ouXajX2K-uKTKieEmF_qAvEH9hcqq-ww@mail.gmail.com>
From: Ofer Nave <odigity@gmail.com>
To: Justin Richer <jricher@mit.edu>
Content-Type: multipart/alternative; boundary="047d7b3a86bc8e8c450521fc959a"
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/U96oYWuiV_p9dgNbZX45MlxUg20>
Cc: "<oauth@ietf.org>" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Auth Server / Resource Server Coordination
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 13 Oct 2015 13:40:30 -0000

> You’re right that these things aren’t defined in OAuth core itself, but
instead they’re defined in companion specs.

Awesome!  That's what I was hoping.

FYI - Up till now, I had only encountered the following relevant specs:

https://tools.ietf.org/html/rfc6749 — The OAuth 2.0 Authorization Framework
https://tools.ietf.org/html/rfc6750 — The OAuth 2.0 Authorization
Framework: Bearer Token Usage
https://tools.ietf.org/html/rfc6819 — OAuth 2.0 Threat Model and Security
Considerations
https://tools.ietf.org/html/rfc7009 — OAuth 2.0 Token Revocation
http://openid.net/specs/openid-connect-core-1_0.html
http://openid.net/specs/openid-connect-registration-1_0.html
http://openid.net/specs/openid-connect-discovery-1_0.html
https://tools.ietf.org/html/rfc7515 — JSON Web Signature (JWS)
https://tools.ietf.org/html/rfc7516 — JSON Web Encryption (JWE)
https://tools.ietf.org/html/rfc7519 — JSON Web Token (JWT)
https://tools.ietf.org/html/rfc7523 — JSON Web Token (JWT) Profile for
OAuth 2.0 Client Authentication and Authorization Grants
https://tools.ietf.org/html/rfc7033 — WebFinger
https://tools.ietf.org/html/rfc2617 — HTTP Authentication: Basic and Digest
Access Authentication

I'll add the two you mentioned to the list.

Any more useful specs I'm missing?  :)

-ofer


On Tue, Oct 13, 2015 at 4:36 AM, Justin Richer <jricher@mit.edu> wrote:

> I think what you’re talking about is reasonable, but I also think that you
> don’t need to invent anything. You’re right that these things aren’t
> defined in OAuth core itself, but instead they’re defined in companion
> specs. Most notably you have:
>
>
>  - JWT (RFC7519): a structured token based on JSON and JOSE that lets you
> carry information inside the token itself. This can be signed and/or
> encrypted. The RS needs to understand the token format, but the client can
> still be oblivious to it and still function just fine.
> https://tools.ietf.org/html/rfc7519
>  - Introspection (soon to be RFC7662, it’s in the final stage of editing
> as we speak): a simple protocol that allows an RS to query the AS with a
> token to see if it’s any good and what it’s good for. This returns a JSON
> document describing the token.
> https://tools.ietf.org/html/draft-ietf-oauth-introspection
>  - UMA’s resource set registration (from Kantara, version 1.0.1 in final
> review right now): This is part of the User Managed Access (UMA) protocol
> and it lets an RS register a set of resources at the AS. This is very
> similar to what you’re describing below in terms of registering scopes for
> each resource server.
> https://docs.kantarainitiative.org/uma/draft-oauth-resource-reg-v1_0_1.html
>
>
> Combining these specs together you’ve got pretty much what you’re after,
> as best as I can tell. There are a number of implementations of all of
> these, including the project that I help run, MITREid Connect.
> https://github.com/mitreid-connect/ Our server issues signed JWTs,
> provides token introspection, and lets resource server owners register
> their scopes to expose to users through a simple web UI.
>
>
>  — Justin
>
>
> > On Oct 13, 2015, at 12:13 AM, Ofer Nave <odigity@gmail.com> wrote:
> >
> > I know the OAuth 2.0 RFC doesn't specify any standards for coordination
> between the Authorization Server and the Resource Server, as it's generally
> assumed that both will be owned or operated by the same entity.
> >
> > However, I'm building an OAuth 2.0 Auth Server, and I'd like to add a
> feature to make it easy for other API developers to delegate to me the
> responsibility of handling the auth grant process and issuing access tokens.
> >
> > It seems to me that a simple version of this could be easily done by:
> >
> > 1) Defining an Access Token format that contains within it everything a
> Resource Server will need to validate it and determine the level of access
> granted (list of scopes, expiration datetime, HMAC signature using a shared
> secret).
> >
> > 2) Providing a means (basic web UI) for Resource Server owners to
> register a set of scopes for their service, along with user-understandable
> descriptions of each to display when they arrive at my Authorization
> Endpoint.
> >
> > While I've read the relevant RFCs, I'm new to the OAuth domain, and
> would appreciate any feedback. Is this a stupid idea?  Is this a good idea,
> but redundant with another standard I'm not aware of?
> >
> > -ofer
> > _______________________________________________
> > OAuth mailing list
> > OAuth@ietf.org
> > https://www.ietf.org/mailman/listinfo/oauth
>
>

v2.23.0 | Report a Bug | By Email