Re: [OAUTH-WG] Seeking feedback on UMA's use of OAuth and discovery mechanisms
Eve Maler <eve@xmlgrrl.com> Tue, 24 November 2009 03:52 UTC
Return-Path: <eve@xmlgrrl.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id F019528C1DF for <oauth@core3.amsl.com>; Mon, 23 Nov 2009 19:52:17 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 2.915
X-Spam-Level: **
X-Spam-Status: No, score=2.915 tagged_above=-999 required=5 tests=[AWL=1.206, BAYES_00=-2.599, FH_HOST_EQ_D_D_D_D=0.765, FROM_DOMAIN_NOVOWEL=0.5, HELO_MISMATCH_COM=0.553, HOST_EQ_STATICB=1.372, HOST_MISMATCH_NET=0.311, HTML_MESSAGE=0.001, SARE_URI_CONS7=0.306, URI_NOVOWEL=0.5]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UiaY0WURJDP7 for <oauth@core3.amsl.com>; Mon, 23 Nov 2009 19:52:16 -0800 (PST)
Received: from mail.promanage-inc.com (static-98-111-84-13.sttlwa.fios.verizon.net [98.111.84.13]) by core3.amsl.com (Postfix) with ESMTP id 9714D3A67FB for <oauth@ietf.org>; Mon, 23 Nov 2009 19:52:16 -0800 (PST)
Received: from [192.168.168.198] ([192.168.168.198]) (authenticated bits=0) by mail.promanage-inc.com (8.14.3/8.14.3) with ESMTP id nAO3poK7017249 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NO); Mon, 23 Nov 2009 19:52:08 -0800
Mime-Version: 1.0 (Apple Message framework v1077)
Content-Type: multipart/alternative; boundary="Apple-Mail-339--592847235"
From: Eve Maler <eve@xmlgrrl.com>
In-Reply-To: <cb5f7a380911231853x61cf7678paa3e608a3fa60b36@mail.gmail.com>
Date: Mon, 23 Nov 2009 19:51:50 -0800
Message-Id: <47282989-64BB-4673-B94B-7BBBB6B488E1@xmlgrrl.com>
References: <BA53F346-D288-473F-9B71-BC645DEF00D6@xmlgrrl.com> <cb5f7a380911231853x61cf7678paa3e608a3fa60b36@mail.gmail.com>
To: John Panzer <jpanzer@google.com>
X-Mailer: Apple Mail (2.1077)
Cc: oauth@googlegroups.com, oauth@ietf.org
Subject: Re: [OAUTH-WG] Seeking feedback on UMA's use of OAuth and discovery mechanisms
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 24 Nov 2009 03:52:18 -0000
Thanks for taking a look, and I'd say your gloss of it is exactly right. The idea is that externalizing the authorization function from many hosts to a clever enough AM service (there are plenty of UX implications here in addition to protocol stuff) could let you keep better track of your digital footprint, apply consistent policy across various categories (per host, per requester, per resource class...), and even help you extract promises (or payments) from the requester before granting access. The one sub-relationship among the four parties that is the *least* dynamic is the user's introduction of the host to the AM. It's the one prerequisite step before the actual authorization flow. LRDD/XRD comes into play in that first step too, though, enabling the host to learn how to begin authenticating to the AM and subsequently how to send (OAuth-enabled) UMA access requests to it. Swimlane diagrams of the steps are linked off here: > http://kantarainitiative.org/confluence/display/uma/UMA+Explained ...as is a flowchart of the post-step-1 authorization flow. Eve On 23 Nov 2009, at 6:53 PM, John Panzer wrote: > It sounds very interesting. In OAuth terms, I think it adds, to the basic OAuth 3 legged flow, the ability to delegate the authorization decisions 'normally' made out of band of the OAuth protocol to a completely separate service. Aftet 60 seconds looking at it, my first silly question is how the AM service is determined -- it looks like everything is based on LRDD starting from the resource being accessed? > > -- > John Panzer / Google > jpanzer@google.com / abstractioneer.org / @jpanzer > > > > On Mon, Nov 23, 2009 at 6:04 PM, Eve Maler <eve@xmlgrrl.com> wrote: > The User-Managed Access effort[1], previously mentioned on this list as "ProtectServe", intends to solve user-driven permissioning (authorization) problems at Internet scale. It is designed to be modular, and to reuse and profile existing technology as much as possible. Therefore, we have attempted to "stay out of the business of authentication", profiling OAuth lightly in order to do so. > > The UMA group would be grateful for your feedback on our intended usage of OAuth and its emerging discovery methods. Details can be found in the worked example in our spec[2]; various explanatory materials about UMA in general are available as well.[3] > > Briefly, the UMA protocol has four distinct parties vs. OAuth's three: there's an authorizing user, a consumer/client (which we call a"requester"), an SP/server (which we call a "host"), and an authorization manager. We compose three instances of OAuth to introduce all these parties appropriately to each other: there's user/host/AM (three-legged), requester/host (two-legged), and requester/AM (another two-legged). Because of our goals to allow most of these parties to meet fairly dynamically, we are leaning quite heavily on XRD and LRDD for discovery; various simplifying assumptions could probably be made to simplify this picture, however. > > (If you find UMA's use cases and design center interesting, you'd be very welcome at the table.[4]) > > Thanks, > > Eve > UMA group chair > > [1] http://kantarainitiative.org/confluence/display/uma/Home > [2] http://kantarainitiative.org/confluence/display/uma/UMA+1.0+Core+Protocol > [3] http://kantarainitiative.org/confluence/display/uma/UMA+Explained > [4] http://signup.kantarainitiative.org/?selectedGroup=11 > > > Eve Maler > eve@xmlgrrl.com > http://www.xmlgrrl.com/blog > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth > Eve Maler eve@xmlgrrl.com http://www.xmlgrrl.com/blog