Re: [OAUTH-WG] Auth Server / Resource Server Coordination
Ofer Nave <odigity@gmail.com> Tue, 13 October 2015 13:40 UTC
Return-Path: <odigity@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 02F351B3D5E for <oauth@ietfa.amsl.com>; Tue, 13 Oct 2015 06:40:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pT8lODTomXaH for <oauth@ietfa.amsl.com>; Tue, 13 Oct 2015 06:40:27 -0700 (PDT)
Received: from mail-wi0-x230.google.com (mail-wi0-x230.google.com [IPv6:2a00:1450:400c:c05::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 09BC51B3D5C for <oauth@ietf.org>; Tue, 13 Oct 2015 06:40:27 -0700 (PDT)
Received: by wicgb1 with SMTP id gb1so89957732wic.1 for <oauth@ietf.org>; Tue, 13 Oct 2015 06:40:25 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=Xwy3FBJQKyw5IR48Pc03RLJGB+jRivEI59nuUMZXXzA=; b=dB9OV8jwq0NoVSdqCcAhN6V8NQ7+7XeTvDX61JHOEXCXfpxf6ZmudGBOnqYSIQqhwq UUCEXJduviTlW2Ox+kbFKhIb5PUmJ4/FKtluQUw6vOwM1TOzIDmZNOFnXrYxYjCZdvUa o6iesv5iP+erK50dJ9Br7QRhAL76hPALm+44f2Q03q5DrWxERsEPL3gbJVUD6avta+oQ SbIKJ4VaoPgI8ZwcSjL3Y9Q3EqsefaEqCBm/IgQ0Sx4n1AE3N1cghvto7E58C4acP4sP wT46dGNZTwQdxN9+OHlLqfwa358mQZl0VfgFTVPoVCY6MimYpq4GLKqglEQg3l6JkwgT DjYw==
MIME-Version: 1.0
X-Received: by 10.194.2.243 with SMTP id 19mr35782845wjx.140.1444743608171; Tue, 13 Oct 2015 06:40:08 -0700 (PDT)
Received: by 10.27.125.70 with HTTP; Tue, 13 Oct 2015 06:40:08 -0700 (PDT)
In-Reply-To: <D1B6CDB2-F758-45B6-9819-DEA865A8A0F3@mit.edu>
References: <CABPN19_wYVEvqEU85FDZMYe6k8E8qkL0gGDvFeQMXaaQt+yAbQ@mail.gmail.com> <D1B6CDB2-F758-45B6-9819-DEA865A8A0F3@mit.edu>
Date: Tue, 13 Oct 2015 09:40:08 -0400
Message-ID: <CABPN19_Dmb=oOdMpQ8ouXajX2K-uKTKieEmF_qAvEH9hcqq-ww@mail.gmail.com>
From: Ofer Nave <odigity@gmail.com>
To: Justin Richer <jricher@mit.edu>
Content-Type: multipart/alternative; boundary="047d7b3a86bc8e8c450521fc959a"
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/U96oYWuiV_p9dgNbZX45MlxUg20>
Cc: "<oauth@ietf.org>" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Auth Server / Resource Server Coordination
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 13 Oct 2015 13:40:30 -0000
> You’re right that these things aren’t defined in OAuth core itself, but instead they’re defined in companion specs. Awesome! That's what I was hoping. FYI - Up till now, I had only encountered the following relevant specs: https://tools.ietf.org/html/rfc6749 — The OAuth 2.0 Authorization Framework https://tools.ietf.org/html/rfc6750 — The OAuth 2.0 Authorization Framework: Bearer Token Usage https://tools.ietf.org/html/rfc6819 — OAuth 2.0 Threat Model and Security Considerations https://tools.ietf.org/html/rfc7009 — OAuth 2.0 Token Revocation http://openid.net/specs/openid-connect-core-1_0.html http://openid.net/specs/openid-connect-registration-1_0.html http://openid.net/specs/openid-connect-discovery-1_0.html https://tools.ietf.org/html/rfc7515 — JSON Web Signature (JWS) https://tools.ietf.org/html/rfc7516 — JSON Web Encryption (JWE) https://tools.ietf.org/html/rfc7519 — JSON Web Token (JWT) https://tools.ietf.org/html/rfc7523 — JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants https://tools.ietf.org/html/rfc7033 — WebFinger https://tools.ietf.org/html/rfc2617 — HTTP Authentication: Basic and Digest Access Authentication I'll add the two you mentioned to the list. Any more useful specs I'm missing? :) -ofer On Tue, Oct 13, 2015 at 4:36 AM, Justin Richer <jricher@mit.edu> wrote: > I think what you’re talking about is reasonable, but I also think that you > don’t need to invent anything. You’re right that these things aren’t > defined in OAuth core itself, but instead they’re defined in companion > specs. Most notably you have: > > > - JWT (RFC7519): a structured token based on JSON and JOSE that lets you > carry information inside the token itself. This can be signed and/or > encrypted. The RS needs to understand the token format, but the client can > still be oblivious to it and still function just fine. > https://tools.ietf.org/html/rfc7519 > - Introspection (soon to be RFC7662, it’s in the final stage of editing > as we speak): a simple protocol that allows an RS to query the AS with a > token to see if it’s any good and what it’s good for. This returns a JSON > document describing the token. > https://tools.ietf.org/html/draft-ietf-oauth-introspection > - UMA’s resource set registration (from Kantara, version 1.0.1 in final > review right now): This is part of the User Managed Access (UMA) protocol > and it lets an RS register a set of resources at the AS. This is very > similar to what you’re describing below in terms of registering scopes for > each resource server. > https://docs.kantarainitiative.org/uma/draft-oauth-resource-reg-v1_0_1.html > > > Combining these specs together you’ve got pretty much what you’re after, > as best as I can tell. There are a number of implementations of all of > these, including the project that I help run, MITREid Connect. > https://github.com/mitreid-connect/ Our server issues signed JWTs, > provides token introspection, and lets resource server owners register > their scopes to expose to users through a simple web UI. > > > — Justin > > > > On Oct 13, 2015, at 12:13 AM, Ofer Nave <odigity@gmail.com> wrote: > > > > I know the OAuth 2.0 RFC doesn't specify any standards for coordination > between the Authorization Server and the Resource Server, as it's generally > assumed that both will be owned or operated by the same entity. > > > > However, I'm building an OAuth 2.0 Auth Server, and I'd like to add a > feature to make it easy for other API developers to delegate to me the > responsibility of handling the auth grant process and issuing access tokens. > > > > It seems to me that a simple version of this could be easily done by: > > > > 1) Defining an Access Token format that contains within it everything a > Resource Server will need to validate it and determine the level of access > granted (list of scopes, expiration datetime, HMAC signature using a shared > secret). > > > > 2) Providing a means (basic web UI) for Resource Server owners to > register a set of scopes for their service, along with user-understandable > descriptions of each to display when they arrive at my Authorization > Endpoint. > > > > While I've read the relevant RFCs, I'm new to the OAuth domain, and > would appreciate any feedback. Is this a stupid idea? Is this a good idea, > but redundant with another standard I'm not aware of? > > > > -ofer > > _______________________________________________ > > OAuth mailing list > > OAuth@ietf.org > > https://www.ietf.org/mailman/listinfo/oauth > >
- [OAUTH-WG] Auth Server / Resource Server Coordina… Ofer Nave
- Re: [OAUTH-WG] Auth Server / Resource Server Coor… Bill Mills
- Re: [OAUTH-WG] Auth Server / Resource Server Coor… Jim Manico
- Re: [OAUTH-WG] Auth Server / Resource Server Coor… Ofer Nave
- Re: [OAUTH-WG] Auth Server / Resource Server Coor… Ofer Nave
- Re: [OAUTH-WG] Auth Server / Resource Server Coor… Justin Richer
- Re: [OAUTH-WG] Auth Server / Resource Server Coor… Vladimir Dzhuvinov
- Re: [OAUTH-WG] Auth Server / Resource Server Coor… Thomas Broyer
- Re: [OAUTH-WG] Auth Server / Resource Server Coor… Ofer Nave
- Re: [OAUTH-WG] Auth Server / Resource Server Coor… Ofer Nave
- Re: [OAUTH-WG] Auth Server / Resource Server Coor… Ofer Nave
- Re: [OAUTH-WG] Auth Server / Resource Server Coor… Ofer Nave
- Re: [OAUTH-WG] Auth Server / Resource Server Coor… Bill Mills
- Re: [OAUTH-WG] Auth Server / Resource Server Coor… Eve Maler
- [OAUTH-WG] Is authorization challenge always need… Sergey Beryozkin
- Re: [OAUTH-WG] Is authorization challenge always … Justin Richer
- Re: [OAUTH-WG] Is authorization challenge always … Sergey Beryozkin