[OAUTH-WG] Mutual OAuth interim meeting minutes

Rifaat Shekh-Yusef <rifaat.ietf@gmail.com> Tue, 16 January 2018 18:22 UTC

*Attendees*: Dick Hardt, Aaron Parecki, Brian Campbell, Dave Tonge, Eve
Maler, John Bradley, Justin Richer, Nat Sakimura, Samuel Erdtman, Tim
Cappalli, Denis Pinkas, Bjorn Hjelm, Hannes Tschofenig, and Rifaat

Dick presented the attached Mutual OAuth slides, which are the same slides
he presented during the IETF meeting in Singapore.

Brian: Token Exchange was mentioned as a potential alternative solution to
this, but it does not seem to be a proper solution for the use case of this
Justin: the solution makes sense to me
Eve: the solution is different from the UMA solution.
Justin: UMA solution is unidirectional, which does not help simplifying the
Dave: the scope is agreed out of band, which means that the scope is
limited. Also, the second flow should be clarified.
Hannes: are there others that have a similar use case?
Samuel: Spotify has a similar use case with Google Home. The solution has
one approval for both flows
Hannes: for privacy reasons it is better to have two approvals.
Brian: the name of the document should be changed to avoid any confusion
with the existing mutual oauth document. Suggested names: Reciprocal or
Brian: grant_type should be a URI
Eve: not clear on the exact flow; will an RS be calling an RS?
John: there are ways to optimize the flow that should be discussed

Hannes polled the group on their support for adopting this document: there
were about 5 or 6 people in favor, 0 against.

The chairs will discuss this with the AD and later continue the adoption
process on the mailing list.