Re: [OAUTH-WG] Holder-of-the-Key for OAuth

William Mills <wmills_92105@yahoo.com> Tue, 10 July 2012 16:53 UTC

References: <8FB1BC31-D183-47A0-9792-4FDF460AFAA1@gmx.net> <255B9BB34FB7D647A506DC292726F6E114F7977420@WSMSG3153V.srv.dir.telstra.com>
Message-ID: <1341939214.6093.YahooMailNeo@web31811.mail.mud.yahoo.com>
Date: Tue, 10 Jul 2012 09:53:34 -0700
From: William Mills <wmills_92105@yahoo.com>
To: "Manger, James H" <James.H.Manger@team.telstra.com>, Hannes Tschofenig <hannes.tschofenig@gmx.net>, OAuth WG <oauth@ietf.org>
In-Reply-To: <255B9BB34FB7D647A506DC292726F6E114F7977420@WSMSG3153V.srv.dir.telstra.com>
Subject: Re: [OAUTH-WG] Holder-of-the-Key for OAuth

The server would need to issue a key pair and not just the private key.  Are you saying the private key is for the certificate, and that certificate is part of the access_token?



________________________________
 From: "Manger, James H" <James.H.Manger@team.telstra.com>
To: Hannes Tschofenig <hannes.tschofenig@gmx.net>; OAuth WG <oauth@ietf.org> 
Sent: Monday, July 9, 2012 8:54 PM
Subject: Re: [OAUTH-WG] Holder-of-the-Key for OAuth
 
Hannes,

> today I submitted a short document that illustrates the concept of
> holder-of-the-key for OAuth.
> Here is the document:
> https://datatracker.ietf.org/doc/draft-tschofenig-oauth-hotk 


A different approach would be for the service to issue a private asymmetric key to the client app, along with a certificate, in the access token response. This is a slightly better match to the OAuth2 model of the authorization service issuing temporary credentials for accessing resources on a user’s behalf.

When the token_type is "tls_client_cert" (probably a better label than "hotk"), the client can access protected resources using TLS with client authentication, using the key from the "private_key" field. The "access_token" field holds a base64url-encoded certificate to include in the TLS handshake.

An example access token response could be:

  HTTP/1.1 200 OK
  Content-Type: application/json;charset=UTF-8
  Cache-Control: no-store
  Pragma: no-cache

  {
    "token_type":"tls_client_cert",
    "access_token":"MIIGcDCCBdmgAwIBAgIKE…",
    "private_key":{
      "alg":"RSA", "mod":"Ovx7…", "p":"7dE…", "q":"fJ3…", …
    },
    "expires_in":3600,
    "refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA"
  }


The suggestion above passes the "access_token" to the protected resource in the TLS protocol in the form of a certificate.
draft-tschofenig-oauth-hotk says the client "presents the access token to the resource server", but it wasn't clear to me how it was done. Were you expecting the client to use the BEARER HTTP auth scheme inside the client-authenticated TLS connection?

--
James Manger

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth