Re: [OAUTH-WG] Indicating sites where a token is valid

Torsten Lodderstedt <torsten@lodderstedt.net> Tue, 11 May 2010 17:23 UTC

Return-Path: <torsten@lodderstedt.net>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 647C43A6A08 for <oauth@core3.amsl.com>; Tue, 11 May 2010 10:23:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.472
X-Spam-Level:
X-Spam-Status: No, score=-0.472 tagged_above=-999 required=5 tests=[AWL=-0.637, BAYES_40=-0.185, HELO_EQ_DE=0.35]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qOafas5biPj7 for <oauth@core3.amsl.com>; Tue, 11 May 2010 10:23:42 -0700 (PDT)
Received: from smtprelay04.ispgateway.de (smtprelay04.ispgateway.de [80.67.29.8]) by core3.amsl.com (Postfix) with ESMTP id 185E23A6C42 for <oauth@ietf.org>; Tue, 11 May 2010 10:22:16 -0700 (PDT)
Received: from p4fff1096.dip.t-dialin.net ([79.255.16.150] helo=[127.0.0.1]) by smtprelay04.ispgateway.de with esmtpa (Exim 4.68) (envelope-from <torsten@lodderstedt.net>) id 1OBt9Z-0003RF-QR; Tue, 11 May 2010 19:21:57 +0200
Message-ID: <4BE99233.4000901@lodderstedt.net>
Date: Tue, 11 May 2010 19:21:55 +0200
From: Torsten Lodderstedt <torsten@lodderstedt.net>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; de; rv:1.9.1.9) Gecko/20100317 Thunderbird/3.0.4
MIME-Version: 1.0
To: "Manger, James H" <James.H.Manger@team.telstra.com>
References: <255B9BB34FB7D647A506DC292726F6E11263073D6D@WSMSG3153V.srv.dir.telstra.com> <q2hfd6741651005062105y46152452x370fac0dd12d55c6@mail.gmail.com> <255B9BB34FB7D647A506DC292726F6E112631B24FC@WSMSG3153V.srv.dir.telstra.com> <4BE3A5DC.5030601@lodderstedt.net> <255B9BB34FB7D647A506DC292726F6E112631B26DE@WSMSG3153V.srv.dir.telstra.com> <4BE3E8B4.9020909@lodderstedt.net> <255B9BB34FB7D647A506DC292726F6E112631B298B@WSMSG3153V.srv.dir.telstra.com>
In-Reply-To: <255B9BB34FB7D647A506DC292726F6E112631B298B@WSMSG3153V.srv.dir.telstra.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Df-Sender: 141509
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Indicating sites where a token is valid
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 11 May 2010 17:23:45 -0000

On 09.05.2010 16:39, Manger, James H wrote:
> Torsten,
>
> Thanks for your analysis.
>
>> 1) Resource server controls token sites (context of the realm attribute)
>>
>> 2) Authorization server controls token sites (context of token)
>>
>> In my opinion, (1) improves security and eases the practicability of OAuth2 in scenarios with multiple sites and (2) is a significant security improvement. I think, both scenarios should be addressed by the WG.
>
> Scenario 1 is basically how HTTP Digest works -- using a "domains" param, which is a list of URI prefixes.
>
> If a resource server is delegating to an authz server, it may as well also rely on the authz server to indicate "realm" values that are equivalent across multiple resource servers.
> That is, I think it is useful to return "sites" and "realm" values in a token response from an authz server, but that it is not necessary to return "sites" in a 401 resource server response in OAuth.
> One resource server may well not know about all the other resource servers.
>
> --
> James Manger

So you suggest returning "sites" from the authz server only?

regards,
Torsten.
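The point of a "sites" list of URI prefixes in the token response (the authz-server variant discussed above) is that the client can refuse to attach the token to any request outside those prefixes, so a token issued for one set of resource servers is never sent to an unrelated host. The following is an added example written for this thread, not code from either author or from any OAuth specification: the JSON shape (`access_token`, `realm`, `sites`) is an assumed rendering of the proposal, and the sample token response is constructed. The prefix check is deliberately strict about the parts that matter when matching URIs: scheme, host and port must be identical, and the path must continue the prefix on a "/" boundary, so a prefix of `/v1` does not cover `/v1evil`, and `api.example.com.evil.net` is not mistaken for `api.example.com`.

```python
import json
from urllib.parse import urlsplit

# Constructed token response, modelled on the idea in the thread of the
# authorization server returning a "sites" list of URI prefixes next to the
# token. The field names are assumptions for this example, not a spec.
TOKEN_RESPONSE_JSON = """
{
  "access_token": "constructed-example-token",
  "token_type": "bearer",
  "realm": "photos",
  "sites": [
    "https://api.example.com/v1/",
    "https://upload.example.com/"
  ]
}
"""


def _split(url):
    """Return (scheme, host, port, path) with scheme and host lowercased
    and the default port filled in, so that "https://API.example.com:443/"
    compares equal to "https://api.example.com/"."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()   # hostname drops userinfo/port
    port = parts.port or {"https": 443, "http": 80}.get(scheme)
    path = parts.path or "/"
    return scheme, host, port, path


def url_matches_prefix(url, prefix):
    """True if url lies under the URI prefix: same scheme, host and port,
    and the path either equals the prefix path or extends it on a "/"
    boundary (so "/v1" covers "/v1/users" but not "/v1evil")."""
    s1, h1, p1, path1 = _split(url)
    s2, h2, p2, path2 = _split(prefix)
    if (s1, h1, p1) != (s2, h2, p2):
        return False
    if path1 == path2:
        return True
    base = path2 if path2.endswith("/") else path2 + "/"
    return path1.startswith(base)


def token_valid_for(url, token_response):
    """Decide whether the token in token_response may be sent to url.
    A response without a "sites" list yields False here; that is a
    conservative choice made for this example, not thread consensus."""
    sites = token_response.get("sites")
    if not sites:
        return False
    return any(url_matches_prefix(url, s) for s in sites)


def auth_header_for(url, token_response):
    """Return the Authorization header to attach for url, or None when the
    client must not send the token to that URL."""
    if not token_valid_for(url, token_response):
        return None
    return {"Authorization": "Bearer " + token_response["access_token"]}


TOKEN_RESPONSE = json.loads(TOKEN_RESPONSE_JSON)

if __name__ == "__main__":
    for target in [
        "https://api.example.com/v1/users",
        "https://api.example.com/v1evil/users",
        "https://api.example.com.evil.net/v1/users",
        "http://api.example.com/v1/users",
        "https://upload.example.com/photos/123",
        "https://other.example.com/v1/",
    ]:
        print(target, "->", auth_header_for(target, TOKEN_RESPONSE))
```

The same matching routine would serve a resource server in the "realm"-controlled variant, since a "domains"-style list in a 401 is also a list of URI prefixes; what changes is only which party supplies the list, which is exactly the question the thread is debating.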