Re: [OAUTH-WG] Fwd: New Version Notification for draft-hunt-oauth-v2-user-a4c-00.txt
Prateek Mishra <prateek.mishra@oracle.com> Tue, 30 July 2013 22:32 UTC
Return-Path: <prateek.mishra@oracle.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5E13121E80B4 for <oauth@ietfa.amsl.com>; Tue, 30 Jul 2013 15:32:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.998
X-Spam-Level:
X-Spam-Status: No, score=-5.998 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, J_CHICKENPOX_55=0.6, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MYka8+3qZ48l for <oauth@ietfa.amsl.com>; Tue, 30 Jul 2013 15:32:26 -0700 (PDT)
Received: from userp1040.oracle.com (userp1040.oracle.com [156.151.31.81]) by ietfa.amsl.com (Postfix) with ESMTP id 7943B21E80C5 for <oauth@ietf.org>; Tue, 30 Jul 2013 15:32:26 -0700 (PDT)
Received: from ucsinet22.oracle.com (ucsinet22.oracle.com [156.151.31.94]) by userp1040.oracle.com (Sentrion-MTA-4.3.1/Sentrion-MTA-4.3.1) with ESMTP id r6UMWNuH013817 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Tue, 30 Jul 2013 22:32:24 GMT
Received: from aserz7022.oracle.com (aserz7022.oracle.com [141.146.126.231]) by ucsinet22.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id r6UMWM12004894 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Tue, 30 Jul 2013 22:32:23 GMT
Received: from abhmt107.oracle.com (abhmt107.oracle.com [141.146.116.59]) by aserz7022.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id r6UMWM6f006450; Tue, 30 Jul 2013 22:32:22 GMT
Received: from [172.16.249.158] (/208.99.255.3) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Tue, 30 Jul 2013 15:32:22 -0700
Message-ID: <51F83EF7.6040201@oracle.com>
Date: Tue, 30 Jul 2013 18:32:23 -0400
From: Prateek Mishra <prateek.mishra@oracle.com>
Organization: Oracle Corporation
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/20130620 Thunderbird/17.0.7
MIME-Version: 1.0
To: Nat Sakimura <sakimura@gmail.com>
References: <787A2184-CE90-49F4-ABB6-B8D049AE3941@oracle.com> <E2282016-1953-48A4-B0AC-7F138D29AB80@oracle.com> <BAB6DA63-5831-49D0-8CB9-13CF57F78806@ve7jtb.com> <CABzCy2C=DXtFUOZh=55xH_BwMz1Z8gb2ShUHAG7ZmATtc4E4zw@mail.gmail.com>
In-Reply-To: <CABzCy2C=DXtFUOZh=55xH_BwMz1Z8gb2ShUHAG7ZmATtc4E4zw@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------070103090002040708070901"
X-Source-IP: ucsinet22.oracle.com [156.151.31.94]
Cc: "oauth@ietf.org WG" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Fwd: New Version Notification for draft-hunt-oauth-v2-user-a4c-00.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 30 Jul 2013 22:32:31 -0000
Nat - your blog posting is helpful to those of us who are looking for a minimal extension of OAuth with an authenticator. Many implementors are seeking a modest extension of OAuth, not an entire new protocol stack. I believe that is the point of Phil Hunt's proposal to the OAuth committee. I do have some questions for about the statements made in the blog - A) Can you direct me to a single OpenID Connect draft specification document where steps 1 and 2 are described? B) If I implement steps 1 and 2, do I then have a conformant OpenID Connect implementation? Are there no other MTI protocol exchanges in OpenID Connect? Thanks, prateek > I have written a short blog post titled "Write an OpenID Connect > server in three simple steps > <http://nat.sakimura.org/2013/07/28/write-openid-connect-server-in-three-simple-steps/>". > > > Really, there is not much you need to on top of OAuth 2.0. > > It puzzles me why you need to create a draft with only minor variances > in parameter names. > > e.g., > session instead of id_token > lat instead of iat > alv instead of acr > etc. > > > If you change those parameter names, you will have a conformant > profile of OpenID Connect. > > Nat > > > 2013/7/31 John Bradley <ve7jtb@ve7jtb.com <mailto:ve7jtb@ve7jtb.com>> > > Connect dosen't require a userinfo endpoint. It is required for > interoperability if you are building an open IdP. For an > enterprise type deployment discovery, registration, userifo are > all optional. > > The server is required to pass the nonce which is equivalent to a > request ID through to the JWT if the client sends it in the request. > > Justin is correct. > > John B. > > On 2013-07-30, at 5:30 PM, Phil Hunt <phil.hunt@oracle.com > <mailto:phil.hunt@oracle.com>> wrote: > >> Forgot reply all. >> >> Phil >> >> Begin forwarded message: >> >>> *From:* Phil Hunt <phil.hunt@oracle.com >>> <mailto:phil.hunt@oracle.com>> >>> *Date:* 30 July, 2013 17:25:46 GMT+02:00 >>> *To:* "Richer, Justin P." <jricher@mitre.org >>> <mailto:jricher@mitre.org>> >>> *Subject:* *Re: [OAUTH-WG] New Version Notification for >>> draft-hunt-oauth-v2-user-a4c-00.txt* >>> >>> The whole point is authn only. Many do not want or need the >>> userinfo endpoint. >>> >>> Phil >>> >>> On 2013-07-30, at 17:17, "Richer, Justin P." <jricher@mitre.org >>> <mailto:jricher@mitre.org>> wrote: >>> >>>> What do you mean? You absolutely can implement a compliant OIDC >>>> server nearly as simply as this. The things that you're missing >>>> I think are necessary for basic interoperable functionality, >>>> and are things that other folks using OAuth for authentication >>>> have also implemented. Namely: >>>> >>>> - Signing the ID token (OIDC specifies the RS256 flavor of >>>> JWS, which is easy to do with JWT). Without a signed and >>>> verifiable ID token or equivalent, you're asking for all kinds >>>> of token injection problems. >>>> - Session management requests (max auth age, auth time) >>>> - Not fall over with other parameters that you don't support >>>> (display, prompt, etc). >>>> >>>> See here for more information: >>>> >>>> http://openid.net/specs/openid-connect-messages-1_0.html#ServerMTI >>>> >>>> Additionally, something that's really important to support is >>>> the User Info Endpoint, so you can actually get user profile >>>> information beyond just the simple "someone was here" claim -- >>>> this was the real value of Facebook Connect from an RP's >>>> perspective. Some people will probably want to use SCIM for >>>> this, too, and that's fine. >>>> >>>> -- Justin >>>> >>>> On Jul 30, 2013, at 10:54 AM, Phil Hunt <phil.hunt@oracle.com >>>> <mailto:phil.hunt@oracle.com>> >>>> wrote: >>>> >>>>> The oidc specs do not allow this simple an implementation. The >>>>> spec members have not shown interest in making changes as they >>>>> say they are too far down the road. >>>>> >>>>> I have tried to make my draft as close as possible to oidc but >>>>> maybe it shouldn't be clarity wise. I am interested in what >>>>> the group feels is clearest. >>>>> >>>>> From an ietf perspective the concern is improper use of the >>>>> 6749 for authn. Is this a bug or gap we need to address? >>>>> >>>>> Phil >>>>> >>>>> On 2013-07-30, at 16:46, "Richer, Justin P." >>>>> <jricher@mitre.org <mailto:jricher@mitre.org>> wrote: >>>>> >>>>>> From what I read, you've defined something that uses an OAuth >>>>>> 2 code flow to get an extra token which is specified as a >>>>>> JWT. You named it "session_token" instead of "id_token", and >>>>>> you've left off the User Information Endpoint -- but other >>>>>> than that, this is exactly the Basic Client for OpenID >>>>>> Connect. In other words, if you change the names on things >>>>>> you've got OIDC, but without the capabilities to go beyond a >>>>>> very basic "hey there's a user here" claim. This is the same >>>>>> place that OpenID 2.0 started, and it was very, very quickly >>>>>> extended with SREG, AX, PAPE, and others for it to be useful >>>>>> in the real world of distributed logins. You've also left out >>>>>> discovery and registration which are required for distributed >>>>>> deployments, but I'm guessing that those would be modular >>>>>> components that could be added in (like they are in OIDC). >>>>>> >>>>>> I've heard complaints that OIDC is complicated, but it's >>>>>> really not. Yes, I agree that the giant stack of documents is >>>>>> intimidating and in my opinion it's a bit of a mess with >>>>>> Messages and Standard split up (but I lost that argument >>>>>> years ago). However, at the core, you've got an OAuth2 >>>>>> authorization server that spits out access tokens and id >>>>>> tokens. The id token is a JWT with some known claims (iss, >>>>>> sub, etc) and is issued along side the access token, and its >>>>>> audience is the *client* and not the *protected resource*. >>>>>> The access token is a regular old access token and its format >>>>>> is undefined (so you can use it with an existing OAuth2 >>>>>> server setup, like we have), and it can be used at the User >>>>>> Info Endpoint to get profile information about the user who >>>>>> authenticated. It could also be used for other services if >>>>>> your AS/IdP protects multiple things. >>>>>> >>>>>> So I guess what I'm missing is what's the value proposition >>>>>> in this spec when we have something that can do this already? >>>>>> And this doesn't seem to do anything different (apart from >>>>>> syntax changes)? >>>>>> >>>>>> -- Justin >>>>>> >>>>>> On Jul 29, 2013, at 4:14 AM, Phil Hunt <phil.hunt@oracle.com >>>>>> <mailto:phil.hunt@oracle.com>> wrote: >>>>>> >>>>>>> FYI. I have been noticing a substantial number of sites >>>>>>> acting as OAuth Clients using OAuth to authenticate users. >>>>>>> >>>>>>> I know several of us have blogged on the issue over the past >>>>>>> year so I won't re-hash it here. In short, many of us >>>>>>> recommended OIDC as the correct methodology. >>>>>>> >>>>>>> Never-the-less, I've spoken with a number of service >>>>>>> providers who indicate they are not ready to make the jump >>>>>>> to OIDC, yet they agree there is a desire to support >>>>>>> authentication only (where as OIDC does IDP-like services). >>>>>>> >>>>>>> This draft is intended as a minimum authentication only >>>>>>> specification. I've tried to make it as compatible as >>>>>>> possible with OIDC. >>>>>>> >>>>>>> For now, I've just posted to keep track of the issue so we >>>>>>> can address at the next re-chartering. >>>>>>> >>>>>>> Happy to answer questions and discuss. >>>>>>> >>>>>>> Phil >>>>>>> >>>>>>> @independentid >>>>>>> www.independentid.com <http://www.independentid.com/> >>>>>>> phil.hunt@oracle.com <mailto:phil.hunt@oracle.com> >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>> Begin forwarded message: >>>>>>> >>>>>>>> *From: *internet-drafts@ietf.org >>>>>>>> <mailto:internet-drafts@ietf.org> >>>>>>>> *Subject: **New Version Notification for >>>>>>>> draft-hunt-oauth-v2-user-a4c-00.txt* >>>>>>>> *Date: *29 July, 2013 9:49:41 AM GMT+02:00 >>>>>>>> *To: *Phil Hunt <phil.hunt@yahoo.com >>>>>>>> <mailto:phil.hunt@yahoo.com>>, Phil Hunt >>>>>>>> <None@ietfa.amsl.com <mailto:None@ietfa.amsl.com>>, Phil >>>>>>>> Hunt <> >>>>>>>> >>>>>>>> >>>>>>>> A new version of I-D, draft-hunt-oauth-v2-user-a4c-00.txt >>>>>>>> has been successfully submitted by Phil Hunt and posted to the >>>>>>>> IETF repository. >>>>>>>> >>>>>>>> Filename:draft-hunt-oauth-v2-user-a4c >>>>>>>> Revision:00 >>>>>>>> Title:OAuth 2.0 User Authentication For Client >>>>>>>> Creation date:2013-07-29 >>>>>>>> Group:Individual Submission >>>>>>>> Number of pages: 9 >>>>>>>> URL: >>>>>>>> http://www.ietf.org/internet-drafts/draft-hunt-oauth-v2-user-a4c-00.txt >>>>>>>> Status: >>>>>>>> http://datatracker.ietf.org/doc/draft-hunt-oauth-v2-user-a4c >>>>>>>> Htmlized: >>>>>>>> http://tools.ietf.org/html/draft-hunt-oauth-v2-user-a4c-00 >>>>>>>> >>>>>>>> >>>>>>>> Abstract: >>>>>>>> This specification defines a new OAuth2 endpoint that >>>>>>>> enables user >>>>>>>> authentication session information to be shared with client >>>>>>>> applications. >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> Please note that it may take a couple of minutes from the >>>>>>>> time of submission >>>>>>>> until the htmlized version and diff are available at >>>>>>>> tools.ietf.org <http://tools.ietf.org/>. >>>>>>>> >>>>>>>> The IETF Secretariat >>>>>>>> >>>>>>> >>>>>>> _______________________________________________ >>>>>>> OAuth mailing list >>>>>>> OAuth@ietf.org <mailto:OAuth@ietf.org> >>>>>>> https://www.ietf.org/mailman/listinfo/oauth >>>>>> >>>> >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org <mailto:OAuth@ietf.org> >> https://www.ietf.org/mailman/listinfo/oauth > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org <mailto:OAuth@ietf.org> > https://www.ietf.org/mailman/listinfo/oauth > > > > > -- > Nat Sakimura (=nat) > Chairman, OpenID Foundation > http://nat.sakimura.org/ > @_nat_en > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth
- [OAUTH-WG] Fwd: New Version Notification for draf… Phil Hunt
- Re: [OAUTH-WG] Fwd: New Version Notification for … Anthony Nadalin
- Re: [OAUTH-WG] New Version Notification for draft… Richer, Justin P.
- Re: [OAUTH-WG] New Version Notification for draft… Phil Hunt
- Re: [OAUTH-WG] New Version Notification for draft… Richer, Justin P.
- [OAUTH-WG] Fwd: New Version Notification for draf… Phil Hunt
- Re: [OAUTH-WG] New Version Notification for draft… Richer, Justin P.
- Re: [OAUTH-WG] Fwd: New Version Notification for … John Bradley
- Re: [OAUTH-WG] Fwd: New Version Notification for … Nat Sakimura
- Re: [OAUTH-WG] New Version Notification for draft… Brian Campbell
- Re: [OAUTH-WG] New Version Notification for draft… Paul Madsen
- Re: [OAUTH-WG] New Version Notification for draft… Richer, Justin P.
- Re: [OAUTH-WG] New Version Notification for draft… Todd W Lainhart
- Re: [OAUTH-WG] New Version Notification for draft… Nat Sakimura
- Re: [OAUTH-WG] Fwd: New Version Notification for … Prateek Mishra
- Re: [OAUTH-WG] Fwd: New Version Notification for … Nat Sakimura
- [OAUTH-WG] Need for Extending OAuth with AuthN (w… Prateek Mishra
- Re: [OAUTH-WG] Need for Extending OAuth with Auth… Bill Mills
- Re: [OAUTH-WG] Need for Extending OAuth with Auth… Richer, Justin P.
- Re: [OAUTH-WG] Need for Extending OAuth with Auth… Prateek Mishra
- Re: [OAUTH-WG] Need for Extending OAuth with Auth… William Mills
- Re: [OAUTH-WG] Need for Extending OAuth with Auth… Nat Sakimura
- Re: [OAUTH-WG] Need for Extending OAuth with Auth… Anthony Nadalin
- Re: [OAUTH-WG] Need for Extending OAuth with Auth… Richer, Justin P.
- Re: [OAUTH-WG] Need for Extending OAuth with Auth… Anthony Nadalin
- Re: [OAUTH-WG] Need for Extending OAuth with Auth… Nat Sakimura
- Re: [OAUTH-WG] Need for Extending OAuth with Auth… Richer, Justin P.
- Re: [OAUTH-WG] Need for Extending OAuth with Auth… Anthony Nadalin
- Re: [OAUTH-WG] Need for Extending OAuth with Auth… Torsten Lodderstedt
- Re: [OAUTH-WG] Need for Extending OAuth with Auth… Nat Sakimura
- Re: [OAUTH-WG] Need for Extending OAuth with Auth… Phil Hunt
- Re: [OAUTH-WG] Need for Extending OAuth with Auth… Mike Jones
- Re: [OAUTH-WG] Need for Extending OAuth with Auth… Phil Hunt
- Re: [OAUTH-WG] Need for Extending OAuth with Auth… Nat Sakimura
- Re: [OAUTH-WG] Need for Extending OAuth with Auth… Bill Mills
- Re: [OAUTH-WG] Need for Extending OAuth with Auth… Nat Sakimura
- Re: [OAUTH-WG] Need for Extending OAuth with Auth… Phil Hunt
- Re: [OAUTH-WG] Need for Extending OAuth with Auth… Nat Sakimura