Re: [OAUTH-WG] Autonomous clients and resource owners (editorial)

Torsten Lodderstedt <torsten@lodderstedt.net> Tue, 27 April 2010 05:27 UTC

Return-Path: <torsten@lodderstedt.net>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 62C783A6C4D for <oauth@core3.amsl.com>; Mon, 26 Apr 2010 22:27:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.569
X-Spam-Level:
X-Spam-Status: No, score=-1.569 tagged_above=-999 required=5 tests=[AWL=-0.127, BAYES_00=-2.599, HELO_EQ_DE=0.35, HTML_MESSAGE=0.001, SARE_URI_CONS7=0.306, URI_NOVOWEL=0.5]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZwxSvUbYEV46 for <oauth@core3.amsl.com>; Mon, 26 Apr 2010 22:27:26 -0700 (PDT)
Received: from smtprelay02.ispgateway.de (smtprelay02.ispgateway.de [80.67.31.36]) by core3.amsl.com (Postfix) with ESMTP id AAD8A3A6C55 for <oauth@ietf.org>; Mon, 26 Apr 2010 22:24:02 -0700 (PDT)
Received: from p4fff24b2.dip.t-dialin.net ([79.255.36.178] helo=[127.0.0.1]) by smtprelay02.ispgateway.de with esmtpa (Exim 4.68) (envelope-from <torsten@lodderstedt.net>) id 1O6dGI-000828-QF; Tue, 27 Apr 2010 07:23:10 +0200
Message-ID: <4BD674BC.9080504@lodderstedt.net>
Date: Tue, 27 Apr 2010 07:23:08 +0200
From: Torsten Lodderstedt <torsten@lodderstedt.net>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; de; rv:1.9.1.9) Gecko/20100317 Thunderbird/3.0.4
MIME-Version: 1.0
To: Chuck Mortimore <cmortimore@salesforce.com>
References: <C7FB5107.451C%cmortimore@salesforce.com>
In-Reply-To: <C7FB5107.451C%cmortimore@salesforce.com>
Content-Type: multipart/alternative; boundary="------------010607030109080505050402"
X-Df-Sender: 141509
Cc: "Foiles, Doug" <Doug_Foiles@intuit.com>, OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Autonomous clients and resource owners (editorial)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 27 Apr 2010 05:27:31 -0000

+1

We need the assertion flow for the same purpose. Can we add a variant of 
the flow to section "End User Credentials Flows"?

regards,
Torsten.

On 26.04.2010 23:17, Chuck Mortimore wrote:
> +1.
>
> Our primary use-cases for the assertion flow are for clients acting on 
> behalf of users, and not autonomously. I believe Eran already has 
> this on his list of feedback when the assertion flow gets edited.
>
> We also have need for a 2-legged OAuth model, and are looking at the 
> client credentials flow for exactly that purpose.
>
> -cmort
>
>
> On 4/25/10 10:34 AM, "Foiles, Doug" <Doug_Foiles@intuit.com> wrote:
>
>     I have a bit of confusion on the Autonomous Client Flows ... and
>     specifically related to Eve's comment below that suggests to me
>     that the autonomous client is NOT ALWAYS the resource owner.
>
>     Can the Autonomous Client Flows support clients that ARE NOT the
>     actual resource owner? For example, for an Assertion Flow where
>     the Subject of the SAML assertion is a user identity (and the
>     resource owner) and not that of the client.
>
>     Is the intent of the Client Credentials Flow to support something
>     like Google's "OAuth for Google Apps domains" 2 Legged OAuth use
>     case? http://code.google.com/apis/accounts/docs/OAuth.html.
>
>     If the Autonomous Client Flows support clients that can act on
>     behalf of a resource owner that is not themselves ... it then seems
>     the resource owner must provide some level of consent outside the
>     OAuth specific flow.
>
>     Thanks.
>
>     Doug
>
>
>     *From:* oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] *On
>     Behalf Of *Eve Maler
>     *Sent:* Friday, April 23, 2010 7:21 AM
>     *To:* OAuth WG
>     *Subject:* [OAUTH-WG] Autonomous clients and resource owners
>     (editorial)
>
>
>     Regarding the second comment I made below: I realized last night
>     that Sections 3.7.1 and 3.7.2 get this more correct, by saying
>     that an autonomous client represents a "separate resource owner".
>     So Section 2.2 definitely needs a slight change, from:
>
>     "...and autonomous flows where the client is acting for itself
>     (the client is also the resource owner)."
>
>     to something like:
>
>     "...and autonomous flows where the client is acting on behalf of a
>     different resource owner."
>
>     Thanks,
>
>     Eve
>
>     On 21 Apr 2010, at 4:43 PM, Eve Maler wrote:
>
>     Tacking this response to the end of the thread for lack of a
>     better place to do it: The name "username" seems not quite apt in
>     the case of an autonomous client that isn't representing an
>     end-user. Would "identifier" be better? (Actually, it sort of
>     reminds me of SAML's "SessionIndex"...) Or would the parameter be
>     reserved for user-delegation flows?
>
>     Speaking of autonomous clients, Section 2.2 -- among possibly
>     other places -- states that an autonomous client is also the
>     resource owner, but that's not always the case, is it? The client
>     might be seeking access on behalf of itself. (FWIW, I made roughly
>     this same comment on David's first draft on March 21, and he
>     agreed with my suggested fix at the time.)
>
>     Eve
>
>     Eve Maler
>     eve@xmlgrrl.com
>     http://www.xmlgrrl.com/blog
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
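Added example, not from the draft and not from any of the posters above: a toy token endpoint in Python that keeps the two "autonomous client" cases in this thread apart. With client credentials the client is its own resource owner; with an assertion whose subject is a user, the client is acting for a separate resource owner, so the token is bound to that user and limited to what the user consented to outside the OAuth flow, which is the consent Doug says must come from somewhere. The assertion here is an HMAC-signed JSON claim set standing in for a SAML assertion; the client table, issuer keys, consent table, audience URL and request field names are all assumptions made for this example.

```python
"""Toy OAuth token endpoint separating "client is the resource owner"
(client credentials) from "client acts for a different resource owner"
(assertion whose subject is a user).  Added example; not code from the
OAuth draft or any vendor.  The assertion is a stand-in for a SAML
assertion: a JSON claim set signed with HMAC-SHA256 under a key shared
with the issuer (assumption).  Request field names are illustrative."""

import base64
import hashlib
import hmac
import json
import time

# Registered clients: client_id -> client_secret (assumption: static table).
CLIENTS = {"batch-importer": "client-secret-1"}

# Assertion issuers this server trusts: issuer -> HMAC key (assumption).
ISSUERS = {"idp.example.com": b"issuer-key-1"}

# Consent recorded outside the OAuth flow (constructed sample):
# (resource owner, client) -> scopes that owner granted to that client.
CONSENT = {("alice", "batch-importer"): {"contacts.read"}}

AUDIENCE = "https://as.example.com/token"  # constructed value


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_assertion(issuer, subject, audience, ttl=300, now=None):
    """Issuer side: sign {iss, sub, aud, exp}; returns "body.sig" (base64url)."""
    now = time.time() if now is None else now
    body = json.dumps({"iss": issuer, "sub": subject, "aud": audience,
                       "exp": now + ttl}, sort_keys=True).encode()
    sig = hmac.new(ISSUERS[issuer], body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(sig)


def verify_assertion(assertion, now=None):
    """Server side: return the claims only if the issuer is known, the
    signature verifies, the audience is this server and it is unexpired."""
    now = time.time() if now is None else now
    try:
        body_b64, sig_b64 = assertion.split(".")
        body, sig = _unb64(body_b64), _unb64(sig_b64)
        claims = json.loads(body)
        key = ISSUERS[claims["iss"]]
    except (ValueError, KeyError, TypeError):
        return None
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None
    if claims.get("aud") != AUDIENCE or claims.get("exp", 0) <= now:
        return None
    return claims


def token_endpoint(req, now=None):
    """Return (http_status, body).  A success body records who the resource
    owner is and whether the client is acting on someone else's behalf."""
    client_id = req.get("client_id", "")
    secret = CLIENTS.get(client_id)
    # Unknown client is rejected before the secret comparison, so an empty
    # secret never matches an empty lookup result.
    if secret is None or not hmac.compare_digest(secret, req.get("client_secret", "")):
        return 401, {"error": "invalid_client"}
    requested = set(req.get("scope", "").split())

    if req.get("type") == "client_credentials":
        # 2-legged case: the client is the resource owner of what it gets.
        return 200, {"resource_owner": client_id, "on_behalf_of": None,
                     "scope": sorted(requested)}

    if req.get("type") == "assertion":
        claims = verify_assertion(req.get("assertion", ""), now)
        if claims is None:
            return 400, {"error": "invalid_assertion"}
        owner = claims["sub"]
        if owner == client_id:
            # Assertion about the client itself: no separate resource owner.
            return 200, {"resource_owner": client_id, "on_behalf_of": None,
                         "scope": sorted(requested)}
        # Subject is a user: bind the token to that user and cap it at the
        # scopes the user granted this client outside the OAuth flow.
        granted = CONSENT.get((owner, client_id), set())
        if not requested <= granted:
            return 403, {"error": "consent_required", "resource_owner": owner}
        return 200, {"resource_owner": owner, "on_behalf_of": client_id,
                     "scope": sorted(requested)}

    return 400, {"error": "unsupported_type"}


if __name__ == "__main__":
    creds = {"client_id": "batch-importer", "client_secret": "client-secret-1"}
    a = make_assertion("idp.example.com", "alice", AUDIENCE)
    print(token_endpoint({**creds, "type": "assertion", "assertion": a,
                          "scope": "contacts.read"}))
    print(token_endpoint({**creds, "type": "client_credentials",
                          "scope": "jobs.run"}))
```

The point to take from it is that the client-credentials branch and the assertion branch end up with different resource owners for the same client, and only the second one has to consult a consent record; a server that issued the same token for both would be treating a user-subject assertion as if the client owned the user's data.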