Re: [OAUTH-WG] Autonomous clients and resource owners (editorial)
Torsten Lodderstedt <torsten@lodderstedt.net> Tue, 27 April 2010 16:02 UTC
Return-Path: <torsten@lodderstedt.net>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 783253A6A29 for <oauth@core3.amsl.com>; Tue, 27 Apr 2010 09:02:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.199
X-Spam-Level:
X-Spam-Status: No, score=0.199 tagged_above=-999 required=5 tests=[AWL=-2.426, BAYES_05=-1.11, HELO_EQ_DE=0.35, RCVD_IN_BL_SPAMCOP_NET=1.96, RCVD_IN_SORBS_WEB=0.619, SARE_URI_CONS7=0.306, URI_NOVOWEL=0.5]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dL06gEzd2JKo for <oauth@core3.amsl.com>; Tue, 27 Apr 2010 09:02:40 -0700 (PDT)
Received: from smtprelay02.ispgateway.de (smtprelay02.ispgateway.de [80.67.18.44]) by core3.amsl.com (Postfix) with ESMTP id A5F1328C14D for <oauth@ietf.org>; Tue, 27 Apr 2010 09:00:47 -0700 (PDT)
Received: from [80.187.100.116] (helo=[10.174.46.148]) by smtprelay02.ispgateway.de with esmtpsa (TLSv1:AES128-SHA:128) (Exim 4.68) (envelope-from <torsten@lodderstedt.net>) id 1O6nD6-0001x7-6p; Tue, 27 Apr 2010 18:00:33 +0200
References: <C7FB5107.451C%cmortimore@salesforce.com> <4BD674BC.9080504@lodderstedt.net> <p2xdaf5b9571004262333x1552d589haf469cf307317e45@mail.gmail.com>
Message-Id: <EB7C038F-7EA6-40A3-9A51-4BCA5E50E2ED@lodderstedt.net>
From: Torsten Lodderstedt <torsten@lodderstedt.net>
To: Brian Eaton <beaton@google.com>
In-Reply-To: <p2xdaf5b9571004262333x1552d589haf469cf307317e45@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"; delsp="yes"
Content-Transfer-Encoding: quoted-printable
X-Mailer: iPhone Mail (7E18)
Mime-Version: 1.0 (iPhone Mail 7E18)
Date: Tue, 27 Apr 2010 18:00:08 +0200
X-Df-Sender: 141509
Cc: "Foiles, Doug" <Doug_Foiles@intuit.com>, OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Autonomous clients and resource owners (editorial)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 27 Apr 2010 16:02:41 -0000
returning access token would suffice in this flow, from my point of view. regards, Torsten. Am 27.04.2010 um 08:33 schrieb Brian Eaton <beaton@google.com>: > From my perspective, the main thing is that the assertion flow can be > used to connect existing authentication systems with APIs that are > using OAuth2 for authorization. > > This will let us leverage existing trust relationships across systems. > > Note that this breaks, however, if the flow returns a refresh token. > Refresh tokens are a new trust relationship, and they require > additional user/administrator involvement to manage. > > Cheers, > Brian > > On Mon, Apr 26, 2010 at 10:23 PM, Torsten Lodderstedt > <torsten@lodderstedt.net> wrote: >> +1 >> >> we need the assertion flow for the same purpose. Can we add a >> variant of the >> flow to section "End User Credentials Flows"? >> >> regards, >> Torsten. >> >> Am 26.04.2010 23:17, schrieb Chuck Mortimore: >> >> +1. >> >> Our primary use-cases for the assertion flow are for clients acting >> on >> behalf of users, and not autonomously. I believe Eran already has >> this on >> his list of feedback when the assertion flow gets edited. >> >> We also have need for a 2 legged Oauth model, and are looking at >> the client >> credentials flow for exactly that purpose. >> >> -cmort >> >> >> On 4/25/10 10:34 AM, "Foiles, Doug" <Doug_Foiles@intuit.com> wrote: >> >> I have a bit of confusion on the Autonomous Client Flows … and spe >> cifically >> related to Eve’s comment below that suggests to me that the autono >> mous >> client is NOT ALWAYS the resource owner. >> >> Can the Autonomous Client Flows support clients that ARE NOT the >> actual >> resource owner? For example for an Assertion Flow where the >> Subject of the >> SAML assertion is a user identity (and the resource owner) and not >> that of >> the client. >> >> Is the intent of the Client Credentials Flow to support something >> like >> Google’s “OAuth for Google Apps domains” 2 Legged OAuth use ca >> se? >> http://code.google.com/apis/accounts/docs/OAuth.html. >> >> If the Autonomous Client Flows support clients that can act on >> behalf a >> resource owner that is not themselves … it then seems the resourc >> e owner >> must provide some level of consent outside the OAuth specific flow. >> >> Thanks. >> >> Doug >> >> >> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On >> Behalf Of >> Eve Maler >> Sent: Friday, April 23, 2010 7:21 AM >> To: OAuth WG >> Subject: [OAUTH-WG] Autonomous clients and resource owners >> (editorial) >> >> >> Regarding the second comment I made below: I realized last night that >> Sections 3.7.1 and 3.7.2 get this more correct, by saying that an >> autonomous >> client represents a "separate resource owner". So Section 2.2 >> definitely >> needs a slight change, from: >> >> >> >> "...and autonomous flows where the client is acting for itself (the >> client >> is also the resource owner)." >> >> >> >> to something like: >> >> >> >> "...and autonomous flows where the client is acting on behalf of a >> different >> resource owner." >> >> >> >> Thanks, >> >> >> >> Eve >> >> >> >> On 21 Apr 2010, at 4:43 PM, Eve Maler wrote: >> >> >> Tacking this response to the end of the thread for lack of a better >> place to >> do it: The name "username" seems not quite apt in the case of an >> autonomous >> client that isn't representing an end-user. Would "identifier" be >> better? >> (Actually, it sort of reminds me of SAML's "SessionIndex"...) Or >> would the >> parameter be reserved for user-delegation flows? >> >> >> >> Speaking of autonomous clients, Section 2.2 -- among possibly other >> places >> -- states that an autonomous client is also the resource owner, but >> that's >> not always the case, is it? The client might be seeking access on >> behalf of >> itself. (FWIW, I made roughly this same comment on David's first >> draft on >> March 21, and he agreed with my suggested fix at the time.) >> >> >> >> Eve >> >> >> >> Eve Maler >> >> eve@xmlgrrl.com >> >> http://www.xmlgrrl.com/blog >> >> >> >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org >> https://www.ietf.org/mailman/listinfo/oauth >> >> >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org >> https://www.ietf.org/mailman/listinfo/oauth >> >>
- [OAUTH-WG] Issue: 'username' parameter proposal Eran Hammer-Lahav
- Re: [OAUTH-WG] Issue: 'username' parameter propos… Eran Hammer-Lahav
- Re: [OAUTH-WG] Issue: 'username' parameter propos… Evan Gilbert
- Re: [OAUTH-WG] Issue: 'username' parameter propos… Evan Gilbert
- Re: [OAUTH-WG] Issue: 'username' parameter propos… Marius Scurtescu
- Re: [OAUTH-WG] Issue: 'username' parameter propos… Eran Hammer-Lahav
- Re: [OAUTH-WG] Issue: 'username' parameter propos… Torsten Lodderstedt
- Re: [OAUTH-WG] Issue: 'username' parameter propos… Eran Hammer-Lahav
- Re: [OAUTH-WG] Issue: 'username' parameter propos… Torsten Lodderstedt
- Re: [OAUTH-WG] Issue: 'username' parameter propos… Brian Eaton
- Re: [OAUTH-WG] Issue: 'username' parameter propos… Evan Gilbert
- Re: [OAUTH-WG] Issue: 'username' parameter propos… Torsten Lodderstedt
- Re: [OAUTH-WG] Issue: 'username' parameter propos… Eran Hammer-Lahav
- Re: [OAUTH-WG] Issue: 'username' parameter propos… Joseph Smarr
- Re: [OAUTH-WG] Issue: 'username' parameter propos… Eran Hammer-Lahav
- Re: [OAUTH-WG] Issue: 'username' parameter propos… Brian Eaton
- Re: [OAUTH-WG] Issue: 'username' parameter propos… Eran Hammer-Lahav
- Re: [OAUTH-WG] Issue: 'username' parameter propos… Brian Eaton
- Re: [OAUTH-WG] Issue: 'username' parameter propos… Torsten Lodderstedt
- Re: [OAUTH-WG] Issue: 'username' parameter propos… Eran Hammer-Lahav
- Re: [OAUTH-WG] Issue: 'username' parameter propos… Torsten Lodderstedt
- Re: [OAUTH-WG] Issue: 'username' parameter propos… Eve Maler
- Re: [OAUTH-WG] Issue: 'username' parameter propos… Eran Hammer-Lahav
- Re: [OAUTH-WG] Issue: 'username' parameter propos… Eve Maler
- [OAUTH-WG] Autonomous clients and resource owners… Eve Maler
- Re: [OAUTH-WG] Autonomous clients and resource ow… Foiles, Doug
- Re: [OAUTH-WG] Autonomous clients and resource ow… Chuck Mortimore
- Re: [OAUTH-WG] Autonomous clients and resource ow… Eve Maler
- Re: [OAUTH-WG] Autonomous clients and resource ow… Torsten Lodderstedt
- Re: [OAUTH-WG] Autonomous clients and resource ow… Brian Eaton
- Re: [OAUTH-WG] Autonomous clients and resource ow… Torsten Lodderstedt
- Re: [OAUTH-WG] Autonomous clients and resource ow… Chuck Mortimore
- Re: [OAUTH-WG] Autonomous clients and resource ow… Keenan, Bill
- Re: [OAUTH-WG] Autonomous clients and resource ow… Chuck Mortimore
- Re: [OAUTH-WG] Autonomous clients and resource ow… Foiles, Doug
- Re: [OAUTH-WG] Autonomous clients and resource ow… Eran Hammer-Lahav
- Re: [OAUTH-WG] Autonomous clients and resource ow… Foiles, Doug
- Re: [OAUTH-WG] Autonomous clients and resource ow… Eran Hammer-Lahav
- Re: [OAUTH-WG] Autonomous clients and resource ow… Foiles, Doug
- Re: [OAUTH-WG] Autonomous clients and resource ow… Brian Eaton