Re: [OAUTH-WG] Info on how to implement a server

"Salz, Rich" <rsalz@akamai.com> Sun, 18 August 2019 21:05 UTC

From: "Salz, Rich" <rsalz@akamai.com>
To: Dick Hardt <dick.hardt@gmail.com>
CC: Hans Zandbelt <hans.zandbelt@zmartzone.eu>, John Bradley <ve7jtb@ve7jtb.com>, "oauth@ietf.org" <oauth@ietf.org>
Date: Sun, 18 Aug 2019 21:05:04 +0000
Message-ID: <40AA5F98-4EB1-4ECB-A9A6-AEB2E435F693@akamai.com>
References: <D3FB5975-2448-445B-8B48-0A46D43E0A99@akamai.com> <bc37895b-b4c9-af54-dbfc-6aa2cd80b75b@ve7jtb.com> <CA+iA6uifvqv=18ZYLf+BmDYhp6ZyEvwv+9mWoL37ALWuqozj4w@mail.gmail.com> <74BEF7B5-55AC-4BD6-AEF1-D04DEFE9F0EA@akamai.com> <CAD9ie-s+03oHh+1+Y5cVhUoBs1zZs1CM_iSzmf-opnpwNbMyPA@mail.gmail.com>
In-Reply-To: <CAD9ie-s+03oHh+1+Y5cVhUoBs1zZs1CM_iSzmf-opnpwNbMyPA@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/Y9BJdj-ZtyDkVD4SrEy5Wj9EEqY>

As I said at the start of the thread: I want to add OAUTH support to the datatracker.

From: Dick Hardt <dick.hardt@gmail.com>
Date: Sunday, August 18, 2019 at 4:47 PM
To: Rich Salz <rsalz@akamai.com>
Cc: Hans Zandbelt <hans.zandbelt@zmartzone.eu>, John Bradley <ve7jtb@ve7jtb.com>, "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Info on how to implement a server

What is the goal?

On Sun, Aug 18, 2019 at 12:41 PM Salz, Rich <rsalz@akamai.com> wrote:
Thanks for the links, folks.  I’m aware, and sorry for my sloppy terminology.

Imagine a service where anyone with a valid identity is authorized. There are many of these on the net. Collapsing authentication to authorization (“everyone authenticated is authorized”) seems not unreasonable.

But I don’t want to get distracted from my main goal.  Thanks.

From: Hans Zandbelt <hans.zandbelt@zmartzone.eu>
Date: Saturday, August 17, 2019 at 2:34 PM
To: John Bradley <ve7jtb@ve7jtb.com>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Info on how to implement a server

Indeed, OAuth != identity; see https://oauth.net/articles/authentication/

Hans.

On Sat, Aug 17, 2019 at 8:31 PM John Bradley <ve7jtb@ve7jtb.com> wrote:

The OpenID Connect kind of OAuth server.

OAuth on its own is not designed to be secure for identity federation.

John B.
On 8/17/2019 1:23 PM, Salz, Rich wrote:
What’s the WG consensus (heh) on the best guide to adding OAUTH support to an existing server so that it can act as an identity provider?  Which version of oauth is most widely deployed by relying parties these days?

I want to add OAUTH support to the IETF datatracker.

Thanks for any pointers.  Replies to me will be summarized for the list.

                /r$



_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth


--
hans.zandbelt@zmartzone.eu
ZmartZone IAM - www.zmartzone.eu
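John's point above, that OAuth on its own is not designed for identity federation, is what the OpenID Connect ID token addresses: the relying party can check that the assertion was issued by the expected provider, for this specific client, and for this particular login, none of which a bare access token lets it do. The block below is an added illustration of those relying-party checks, not code from the thread or from the datatracker; the issuer, client ids, secret, and token contents are constructed for the demonstration. HS256 with a shared client secret is assumed to keep the example self-contained; a typical deployment verifies an RS256 or ES256 signature against the provider's published JWKS instead.

```python
import base64, hashlib, hmac, json, time

# Constructed sample values: a hypothetical IdP and two of its clients.
ISSUER = "https://idp.example.test"
CLIENT_ID = "datatracker-rp"      # the relying party doing the checking
OTHER_CLIENT = "some-other-app"   # another client of the same IdP
SECRET = b"constructed-shared-client-secret"

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def mint_hs256_jwt(claims: dict, secret: bytes) -> str:
    """Build an HS256 JWT; used here only to construct sample tokens."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"

def validate_id_token(token, secret, issuer, client_id, nonce, now=None):
    """Return 'sub' if token is a valid ID token for this client, else None
    (the core checks of OpenID Connect Core 1.0, section 3.1.3.7)."""
    now = time.time() if now is None else now
    try:
        h, p, s = token.split(".")
        header, claims = json.loads(b64url_decode(h)), json.loads(b64url_decode(p))
        sig = b64url_decode(s)
        if not (isinstance(header, dict) and isinstance(claims, dict)): raise ValueError
    except ValueError:                 # malformed structure, base64 or JSON
        return None
    if header.get("alg") != "HS256":   # reject "none" and unexpected algorithms
        return None
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    if claims.get("iss") != issuer:    # issued by a different provider
        return None
    aud = claims.get("aud")
    aud = [aud] if isinstance(aud, str) else (aud if isinstance(aud, list) else [])
    if client_id not in aud:           # issued to another client: do not accept
        return None
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return None
    if nonce is not None and claims.get("nonce") != nonce:  # binds token to this login
        return None
    return claims.get("sub")
```

The audience check is the step a plain access token cannot offer: a token the provider issued to some other client verifies fine cryptographically and still must be rejected.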