[OAUTH-WG] carrying oauth authorisation without HTTP
Daniel Migault <mglt.biz@gmail.com> Wed, 29 April 2020 02:14 UTC
From: Daniel Migault <mglt.biz@gmail.com>
Date: Tue, 28 Apr 2020 22:13:58 -0400
To: oauth@ietf.org
Cc: Michael Richardson <mcr@sandelman.ca>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/ZIv9pqqd7OlG2hXYPa1ZmETL5fk>
Hi,

I am completely new to oauth and would like to solicit the WG for advice. We are working on the Home Router outsourcing a service in the homenet WG and we are wondering how oauth could be used to improve automation.

Our scenario is represented in the figure below:

1. The end user connected to the web interface of the Home Router
2. The Home Router redirects the End User to the service provider where the end user registers for that service (AS).
3. The AS provides an authorisation token carried to the RS via the Home Router.

The session between the Home Router and the RS in our case is not using HTTP but is using TLS. We are wondering if there is a way to carry an authorisation token over a non-HTTP session and if RFC8705 "OAuth 2.0 Mutual-TLS Client Authentication and Certificate-Bound Access Tokens" heads in this direction.

I am happy to hear any feedback or comments!

Yours,
Daniel

          HTTPS        +-----------+
   +------------------>|    AS     |<--------------+
   |                   |           |               |
   v                   +-----------+               v
+-------------+ HTTPS  +-----------+    TLS    +---------+
|    User     |<------>|Home Router|<--------->|   RS    |
|(Web Browser)|        |           |           |         |
+-------------+        +-----------+           +---------+

--
Daniel Migault
Ericsson
8400 boulevard Decarie
Montreal, QC H4P 2N2
Canada
Phone: +1 514-452-2160
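The certificate binding defined by RFC 8705, which the message asks about, is a comparison between the token's `cnf` / `x5t#S256` claim and the SHA-256 hash of the certificate the client presented in the TLS handshake. The sketch below is an added example, not part of the original message or of any homenet draft: it shows that check as an RS could run it on a TLS session, assuming the token is a JWT whose signature has already been validated; the sample certificates, `make_token` and the token contents are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json


def b64url(data: bytes) -> str:
    """Base64url without padding, as used for x5t#S256 and JWT segments."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def cert_thumbprint(cert_der: bytes) -> str:
    """x5t#S256: base64url(SHA-256(DER-encoded certificate))."""
    return b64url(hashlib.sha256(cert_der).digest())


def jwt_claims(token: str) -> dict:
    """Decode the payload segment of a JWT. Signature validation is assumed
    to have been done already and is NOT performed here."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def token_bound_to_peer(claims: dict, peer_cert_der: bytes) -> bool:
    """True only if cnf/x5t#S256 equals the thumbprint of the peer's TLS
    certificate (e.g. from ssl.SSLSocket.getpeercert(binary_form=True))."""
    cnf = claims.get("cnf")
    expected = cnf.get("x5t#S256") if isinstance(cnf, dict) else None
    if not isinstance(expected, str):
        return False  # unbound (bearer) token: reject on this channel
    actual = cert_thumbprint(peer_cert_der)
    return hmac.compare_digest(expected.encode(), actual.encode())


# Constructed sample data: stand-in bytes for DER-encoded client certificates
ROUTER_CERT = b"constructed-der-bytes-home-router"
OTHER_CERT = b"constructed-der-bytes-other-client"


def make_token(claims: dict) -> str:
    """Build an unsigned sample token (constructed, for the demo only)."""
    header = b64url(json.dumps({"alg": "none"}).encode())
    return f"{header}.{b64url(json.dumps(claims).encode())}."


BOUND = make_token({"sub": "home-router", "cnf": {"x5t#S256": cert_thumbprint(ROUTER_CERT)}})
BEARER = make_token({"sub": "home-router"})
```

The check reads only the token claims and the handshake certificate, so the same function applies however the token is framed on the TLS connection; that framing is not specified on this page and is left out of the example.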