Re: [OAUTH-WG] Token Chaining Use Case

Brian Campbell <bcampbell@pingidentity.com> Wed, 08 July 2015 19:34 UTC

In-Reply-To: <559CECB5.4000006@gmail.com>
References: <D0E09E09-A803-427A-ACA9-D9E3F3EF31E5@mit.edu> <CA+k3eCSgE0Df25kPiKVnyWkkvONke6ha_FrVmZiOYYTVGM6w_w@mail.gmail.com> <BY2PR03MB442F6D96703377B6673509AF5920@BY2PR03MB442.namprd03.prod.outlook.com> <826785C8-648D-4A1B-AD8D-E99D76117C67@mit.edu> <BY2PR03MB442AF9C598B811217B1161DF5910@BY2PR03MB442.namprd03.prod.outlook.com> <559CECB5.4000006@gmail.com>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Wed, 8 Jul 2015 13:34:14 -0600
Message-ID: <CA+k3eCTt=MQWhkZTGzHHr-KDV_Fp=T1HYdUKwT5r_cUchh5tfw@mail.gmail.com>
To: Sergey Beryozkin <sberyozkin@gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/VOMdBZ47GhKQu-tRwBDN79BGu9E>
Cc: oauth <oauth@ietf.org>

Agreed, Sergey. That line of thinking is largely why
https://tools.ietf.org/html/draft-campbell-oauth-sts utilizes normal OAuth
client authentication.

On Wed, Jul 8, 2015 at 3:26 AM, Sergey Beryozkin <sberyozkin@gmail.com>
wrote:

>
> On 08/07/15 01:41, Mike Jones wrote:
>
>>  [...] That’s why the WG draft uses a JWT as the request – so
>> a signature can be applied to the request, when appropriate.  (And when
>> it’s not needed, “alg”: “none” can be used.)
>>
>>
> The requester is a client talking to the token endpoint and this client
> needs to authenticate; why does it need to sign the token-exchange-related
> parts too?
>
> Thanks, Sergey
>
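Worked example of the point made in this exchange: a token endpoint that gates a token-exchange request on ordinary OAuth client authentication, so the exchange parameters themselves need no separate signature. This is added illustration, not code or text from draft-campbell-oauth-sts, the WG draft, or any implementation. It assumes the form-encoded parameter names later fixed in RFC 8693 (grant_type, subject_token, subject_token_type, actor_token, audience), client_secret_basic authentication per RFC 6749 section 2.3.1, and a constructed client registry and sample requests.

```python
"""Token exchange gated by OAuth client authentication (example code).

Assumptions not stated on the page: RFC 8693 parameter names, client_secret_basic
authentication (RFC 6749 s2.3.1), and constructed sample data throughout."""
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, quote, unquote, urlencode

TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"
ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token"
ALLOWED_SUBJECT_TOKEN_TYPES = {ACCESS_TOKEN_TYPE, "urn:ietf:params:oauth:token-type:jwt"}

# Constructed registry: client_id -> salted hash of its secret, so a leaked
# registry does not hand out working credentials.
_SALT = b"example-registry-salt"


def _hash_secret(secret: str) -> bytes:
    return hashlib.sha256(_SALT + secret.encode("utf-8")).digest()


CLIENT_REGISTRY = {"gateway-svc": _hash_secret("s3cret-example")}
_DUMMY_HASH = _hash_secret("\0unknown-client")


def parse_basic_auth(header):
    """Return (client_id, client_secret) from an HTTP Basic header, or None.
    Both values are form-urlencoded before base64 (RFC 6749 s2.3.1)."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        raw = base64.b64decode(header[len("Basic "):], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    if ":" not in raw:
        return None
    client_id, secret = raw.split(":", 1)
    return unquote(client_id), unquote(secret)


def authenticate_client(headers):
    """Return the authenticated client_id, or None. The constant-time compare
    runs even for unknown ids so timing does not reveal which ids exist."""
    creds = parse_basic_auth(headers.get("Authorization"))
    if creds is None:
        return None
    client_id, secret = creds
    expected = CLIENT_REGISTRY.get(client_id)
    match = hmac.compare_digest(_hash_secret(secret), expected or _DUMMY_HASH)
    return client_id if (expected is not None and match) else None


def handle_token_exchange(headers, body):
    """Token endpoint: authenticate the client first, then read the exchange
    parameters from the form body. Returns (http_status, response_json)."""
    client_id = authenticate_client(headers)
    if client_id is None:
        return 401, {"error": "invalid_client"}
    parsed = parse_qs(body, keep_blank_values=True)
    # RFC 6749 s3.2: a request parameter must not appear more than once.
    if any(len(values) != 1 for values in parsed.values()):
        return 400, {"error": "invalid_request"}
    form = {key: values[0] for key, values in parsed.items()}
    if form.get("grant_type") != TOKEN_EXCHANGE_GRANT:
        return 400, {"error": "unsupported_grant_type"}
    subject_token = form.get("subject_token")
    subject_type = form.get("subject_token_type")
    if not subject_token or subject_type not in ALLOWED_SUBJECT_TOKEN_TYPES:
        return 400, {"error": "invalid_request"}
    if ("actor_token" in form) != ("actor_token_type" in form):
        return 400, {"error": "invalid_request"}
    # A real server would now validate subject_token (signature or introspection),
    # check that this client may exchange it for the requested audience, and mint
    # a new token. The requester's identity is already established by client
    # authentication; nothing in the exchange parameters had to be signed.
    return 200, {
        "client_id": client_id,
        "subject_token": subject_token,
        "subject_token_type": subject_type,
        "audience": form.get("audience"),
        "issued_token_type": ACCESS_TOKEN_TYPE,
    }


def build_request(client_id, client_secret, subject_token, audience):
    """Client side: the request a service sends, with client_secret_basic."""
    userpass = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
    headers = {"Authorization": "Basic " + base64.b64encode(userpass.encode()).decode(),
               "Content-Type": "application/x-www-form-urlencoded"}
    body = urlencode({"grant_type": TOKEN_EXCHANGE_GRANT,
                      "subject_token": subject_token,
                      "subject_token_type": ACCESS_TOKEN_TYPE,
                      "audience": audience})
    return headers, body


if __name__ == "__main__":
    hdrs, body = build_request("gateway-svc", "s3cret-example",
                               "sample.subject.token", "https://backend.example")
    print(handle_token_exchange(hdrs, body))
    print(handle_token_exchange({}, body))  # no client auth -> invalid_client
```

The handler refuses the request before looking at any exchange parameter unless the client credential checks out, which is the layering Sergey describes: the token endpoint already knows who is asking, so a request-level signature (or an `"alg": "none"` request object) adds nothing to authentication of the requester. The same gate works unchanged with other registered client authentication methods, such as a JWT client assertion, since only `authenticate_client` would need to change.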