Re: [OAUTH-WG] Concerning OAuth introspection
Todd W Lainhart <lainhart@us.ibm.com> Wed, 23 January 2013 18:40 UTC
Return-Path: <lainhart@us.ibm.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7148321F86E6 for <oauth@ietfa.amsl.com>; Wed, 23 Jan 2013 10:40:56 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.792
X-Spam-Level:
X-Spam-Status: No, score=-9.792 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-8, SARE_URI_CONS7=0.306, URI_NOVOWEL=0.5]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2W7QSfOilYJk for <oauth@ietfa.amsl.com>; Wed, 23 Jan 2013 10:40:55 -0800 (PST)
Received: from e8.ny.us.ibm.com (e8.ny.us.ibm.com [32.97.182.138]) by ietfa.amsl.com (Postfix) with ESMTP id E12EF21F85D9 for <oauth@ietf.org>; Wed, 23 Jan 2013 10:40:54 -0800 (PST)
Received: from /spool/local by e8.ny.us.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for <oauth@ietf.org> from <lainhart@us.ibm.com>; Wed, 23 Jan 2013 13:40:53 -0500
Received: from d01dlp03.pok.ibm.com (9.56.250.168) by e8.ny.us.ibm.com (192.168.1.108) with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted; Wed, 23 Jan 2013 13:40:50 -0500
Received: from d01relay05.pok.ibm.com (d01relay05.pok.ibm.com [9.56.227.237]) by d01dlp03.pok.ibm.com (Postfix) with ESMTP id 485ADC90041; Wed, 23 Jan 2013 13:40:49 -0500 (EST)
Received: from d01av01.pok.ibm.com (d01av01.pok.ibm.com [9.56.224.215]) by d01relay05.pok.ibm.com (8.13.8/8.13.8/NCO v10.0) with ESMTP id r0NIen7B333384; Wed, 23 Jan 2013 13:40:49 -0500
Received: from d01av01.pok.ibm.com (loopback [127.0.0.1]) by d01av01.pok.ibm.com (8.14.4/8.13.1/NCO v10.0 AVout) with ESMTP id r0NIemiH004583; Wed, 23 Jan 2013 13:40:48 -0500
Received: from d01ml255.pok.ibm.com (d01ml255.pok.ibm.com [9.63.10.54]) by d01av01.pok.ibm.com (8.14.4/8.13.1/NCO v10.0 AVin) with ESMTP id r0NIem9N004577; Wed, 23 Jan 2013 13:40:48 -0500
In-Reply-To: <622465D8-B15F-4516-A8D5-6559088BBD6E@xmlgrrl.com>
References: <CAHA4TYtCG+o0AZzh9e-3nb6gKLaWFeJuQfBxHVmUDH5Aj+TdpQ@mail.gmail.com> <50FEE1BF.5050200@mitre.org> <-6134323107835063788@unknownmsgid> <510005F5.6000004@mitre.org> <5100111F.1090304@gmail.com> <622465D8-B15F-4516-A8D5-6559088BBD6E@xmlgrrl.com>
To: Eve Maler <eve@xmlgrrl.com>
MIME-Version: 1.0
X-KeepSent: CE17A9F3:B4FE6513-85257AFC:0066892E; type=4; name=$KeepSent
X-Mailer: Lotus Notes Release 8.5.3FP2 SHF22 July 19, 2012
Message-ID: <OFCE17A9F3.B4FE6513-ON85257AFC.0066892E-85257AFC.00669C86@us.ibm.com>
From: Todd W Lainhart <lainhart@us.ibm.com>
Date: Wed, 23 Jan 2013 13:40:47 -0500
X-MIMETrack: Serialize by Router on D01ML255/01/M/IBM(Release 8.5.3FP2 ZX853FP2HF4|December 14, 2012) at 01/23/2013 13:40:48, Serialize complete at 01/23/2013 13:40:48
Content-Type: multipart/alternative; boundary="=_alternative 00669C8485257AFC_="
X-Content-Scanned: Fidelis XPS MAILER
x-cbid: 13012318-9360-0000-0000-00000F9A56D2
Cc: Paul Bryan <email@pbryan.net>, "oauth@ietf.org WG" <oauth@ietf.org>, oauth-bounces@ietf.org
Subject: Re: [OAUTH-WG] Concerning OAuth introspection
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 23 Jan 2013 18:40:56 -0000
> On the other hand, it's a useful exercise to imagine how much more benefit could potentially be gotten "for free" if we look at it through a pure-REST lens, not just with what's already been specified but the whole picture. +1 -- Todd From: Eve Maler <eve@xmlgrrl.com> To: Sergey Beryozkin <sberyozkin@gmail.com>, Cc: Paul Bryan <email@pbryan.net>, "oauth@ietf.org WG" <oauth@ietf.org> Date: 01/23/2013 12:18 PM Subject: Re: [OAUTH-WG] Concerning OAuth introspection Sent by: oauth-bounces@ietf.org Agreed that REST purity may come at a cost that's too high. On the other hand, it's a useful exercise to imagine how much more benefit could potentially be gotten "for free" if we look at it through a pure-REST lens, not just with what's already been specified but the whole picture. If what you're registering is a client descriptor, then creating a new one, updating an existing one, deleting, and even patching could come for free if something like the following framework is used: http://tools.ietf.org/html/draft-pbryan-http-json-resource-03 With standard libraries possibly floating around to support this framework (I think Paul B wrote one; maybe he open-sourced it?), it starts to become a lot cheaper to support client registration on both sides of the interaction. Eve On 23 Jan 2013, at 8:34 AM, Sergey Beryozkin <sberyozkin@gmail.com> wrote: > On 23/01/13 15:47, Justin Richer wrote: >> Which brings up an interesting question for the Registration doc: right >> now, it's set up as a single endpoint with three operations. We could >> instead define three endpoints for the different operations. >> >> I've not been keen to make that deep of a cutting change to it, but it >> would certainly be cleaner and more RESTful API design. What do others >> think? >> > IMHO the purity should be balanced against the practicality/simplicity > of the implementation. > Talking about 3 endpoints at the spec level may be treated as the exact > requirement to have 3 separate application endpoints for the single type > of activity, the registration. Can the spec be re-worded such that > "resources" are used instead of endpoints or similar, example, "resource > available at /a will support the following, at /b - something else", or > may be something similar, thus it will read better too from the design > point of view, and let implementers to use 1 endpoint or 3 ones, > whichever way they prefer it > > Thanks, Sergey > >> -- Justin >> >> >> On 01/22/2013 08:05 PM, Nat Sakimura wrote: >>> "Action" goes against REST principle. >>> I do not think it is a good idea. >>> >>> =nat via iPhone >>> >>> Jan 23, 2013 4:00、Justin Richer<jricher@mitre.org> のメッセージ: >>> >>>> (CC'ing the working group) >>>> >>>> I'm not sure what the "action/operation" flag would accomplish. The idea behind having different endpoints in OAuth is that they each do different kinds of things. The only "action/operation" that I had envisioned for the introspection endpoint is introspection itself: "I have a token, what does it mean?" >>>> >>>> Note that client_id and client_secret *can* already be used at this endpoint if the server supports that as part of their client credentials setup. The examples use HTTP Basic with client id and secret right now. Basically, the client can authenticate however it wants, including any of the methods that OAuth2 allows on the token endpoint. It could also authenticate with an access token. At least, that's the intent of the introspection draft -- if that's unclear, I'd be happy to accept suggested changes to clarify this text. >>>> >>>> -- Justin >>>> >>>> On 01/22/2013 01:00 PM, Shiu Fun Poon wrote: >>>>> Justin, >>>>> >>>>> This spec is looking good.. >>>>> >>>>> One thing I would like to recommend is to add "action"/"operation" to the request. (and potentially add client_id and client_secret) >>>>> >>>>> So the request will be like : >>>>> token REQUIRED >>>>> operation (wording to be determine) OPTIONAL inquire (default) | revoke ... >>>>> resource_id OPTIONAL >>>>> client_id OPTIONAL >>>>> client_secret OPTIONAL >>>>> >>>>> And for the OAuth client information, it should be an optional parameter (in case it is a public client or client is authenticated with SSL mutual authentication). >>>>> >>>>> Please consider. >>>>> >>>>> ShiuFun > Eve Maler http://www.xmlgrrl.com/blog +1 425 345 6756 http://www.twitter.com/xmlgrrl _______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
- Re: [OAUTH-WG] Concerning OAuth introspection Justin Richer
- Re: [OAUTH-WG] Concerning OAuth introspection Nat Sakimura
- Re: [OAUTH-WG] Concerning OAuth introspection Justin Richer
- Re: [OAUTH-WG] Concerning OAuth introspection Justin Richer
- Re: [OAUTH-WG] Concerning OAuth introspection Sergey Beryozkin
- Re: [OAUTH-WG] Concerning OAuth introspection Anthony Nadalin
- Re: [OAUTH-WG] Concerning OAuth introspection Eve Maler
- Re: [OAUTH-WG] Concerning OAuth introspection Justin Richer
- Re: [OAUTH-WG] Concerning OAuth introspection Anthony Nadalin
- Re: [OAUTH-WG] Concerning OAuth introspection Justin Richer
- Re: [OAUTH-WG] Concerning OAuth introspection Eve Maler
- Re: [OAUTH-WG] Concerning OAuth introspection Eve Maler
- Re: [OAUTH-WG] Concerning OAuth introspection Justin Richer
- Re: [OAUTH-WG] Concerning OAuth introspection Mike Jones
- Re: [OAUTH-WG] Concerning OAuth introspection Anthony Nadalin
- Re: [OAUTH-WG] Concerning OAuth introspection Justin Richer
- Re: [OAUTH-WG] Concerning OAuth introspection Todd W Lainhart
- Re: [OAUTH-WG] Concerning OAuth introspection Phil Hunt
- Re: [OAUTH-WG] Concerning OAuth introspection Eve Maler
- Re: [OAUTH-WG] Concerning OAuth introspection Justin Richer
- Re: [OAUTH-WG] Concerning OAuth introspection Sergey Beryozkin
- Re: [OAUTH-WG] Concerning OAuth introspection Sergey Beryozkin
- Re: [OAUTH-WG] Concerning OAuth introspection Justin Richer
- Re: [OAUTH-WG] Concerning OAuth introspection Brian Campbell
- Re: [OAUTH-WG] Concerning OAuth introspection Sergey Beryozkin
- Re: [OAUTH-WG] Concerning OAuth introspection Justin Richer
- Re: [OAUTH-WG] Concerning OAuth introspection John Bradley
- Re: [OAUTH-WG] Concerning OAuth introspection Justin Richer
- Re: [OAUTH-WG] Concerning OAuth introspection Mike Jones
- Re: [OAUTH-WG] Concerning OAuth introspection Sergey Beryozkin
- Re: [OAUTH-WG] Concerning OAuth introspection Anthony Nadalin
- Re: [OAUTH-WG] Concerning OAuth introspection Mike Jones
- Re: [OAUTH-WG] Concerning OAuth introspection Justin Richer
- Re: [OAUTH-WG] Concerning OAuth introspection Sergey Beryozkin
- Re: [OAUTH-WG] Concerning OAuth introspection Justin Richer
- Re: [OAUTH-WG] Concerning OAuth introspection Sergey Beryozkin
- Re: [OAUTH-WG] Concerning OAuth introspection John Bradley
- Re: [OAUTH-WG] Concerning OAuth introspection Phil Hunt