IETF Logo Mail Archive

Re: [OAUTH-WG] December 27, 2012 OAuth Release

Mike Jones <Michael.Jones@microsoft.com> Fri, 04 January 2013 22:36 UTC

Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C3F4C21F8B06 for <oauth@ietfa.amsl.com>; Fri, 4 Jan 2013 14:36:04 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.598
X-Spam-Level:
X-Spam-Status: No, score=-2.598 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TsgvmVkhY0VS for <oauth@ietfa.amsl.com>; Fri, 4 Jan 2013 14:36:03 -0800 (PST)
Received: from NA01-BL2-obe.outbound.protection.outlook.com (na01-bl2-obe.ptr.protection.outlook.com [65.55.169.30]) by ietfa.amsl.com (Postfix) with ESMTP id E454A21F8AE5 for <oauth@ietf.org>; Fri, 4 Jan 2013 14:36:02 -0800 (PST)
Received: from BY2FFO11FD005.protection.gbl (10.1.15.200) by BY2FFO11HUB007.protection.gbl (10.1.14.165) with Microsoft SMTP Server (TLS) id 15.0.586.12; Fri, 4 Jan 2013 22:35:53 +0000
Received: from TK5EX14MLTC102.redmond.corp.microsoft.com (131.107.125.37) by BY2FFO11FD005.mail.protection.outlook.com (10.1.14.126) with Microsoft SMTP Server (TLS) id 15.0.586.12 via Frontend Transport; Fri, 4 Jan 2013 22:35:53 +0000
Received: from TK5EX14MBXC283.redmond.corp.microsoft.com ([169.254.2.24]) by TK5EX14MLTC102.redmond.corp.microsoft.com ([157.54.79.180]) with mapi id 14.02.0318.003; Fri, 4 Jan 2013 22:35:15 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: William Mills <wmills_92105@yahoo.com>, "oauth@ietf.org" <oauth@ietf.org>
Thread-Topic: [OAUTH-WG] December 27, 2012 OAuth Release
Thread-Index: Ac3lYOVg59Z0pf6IRui17x5NiyOcmwACDrsAAVhycSA=
Date: Fri, 04 Jan 2013 22:35:14 +0000
Message-ID: <4E1F6AAD24975D4BA5B1680429673943669FE2AD@TK5EX14MBXC283.redmond.corp.microsoft.com>
References: <4E1F6AAD24975D4BA5B1680429673943669B0A1E@TK5EX14MBXC283.redmond.corp.microsoft.com> <1356746794.51868.YahooMailNeo@web31807.mail.mud.yahoo.com>
In-Reply-To: <1356746794.51868.YahooMailNeo@web31807.mail.mud.yahoo.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [157.54.51.75]
Content-Type: multipart/alternative; boundary="_000_4E1F6AAD24975D4BA5B1680429673943669FE2ADTK5EX14MBXC283r_"
MIME-Version: 1.0
X-Forefront-Antispam-Report: CIP:131.107.125.37; CTRY:US; IPV:CAL; IPV:NLI; EFV:NLI; SFV:NSPM; SFS:(164054002)(377454001)(15202345001)(50986001)(5343635001)(5343655001)(56776001)(33656001)(49866001)(55846006)(56816002)(4396001)(46102001)(74502001)(74662001)(44976002)(16297215001)(54316002)(77982001)(51856001)(53806001)(16406001)(16236675001)(15395725002)(31966008)(47446002)(47736001)(76482001)(512954001)(59766001)(5343645001)(47976001)(54356001); DIR:OUT; SFP:; SCL:1; SRVR:BY2FFO11HUB007; LANG:en;
X-OriginatorOrg: microsoft.onmicrosoft.com
X-Forefront-PRVS: 0716E70AB6
Subject: Re: [OAUTH-WG] December 27, 2012 OAuth Release
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 04 Jan 2013 22:36:04 -0000

There's no generic OAuth way to do this.  There is a way to do it in OpenID Connect - see request_object_signing_alg, userinfo_signed_response_alg, and id_token_signed_response_alg in http://openid.net/specs/openid-connect-registration-1_0-13.html#anchor3 and userinfo_signing_alg_values_supported, id_token_signing_alg_values_supported, and request_object_signing_alg_values_supported in http://openid.net/specs/openid-connect-discovery-1_0-11.html#anchor9.

                                                            -- Mike

From: William Mills [mailto:wmills_92105@yahoo.com]
Sent: Friday, December 28, 2012 6:07 PM
To: Mike Jones; oauth@ietf.org
Subject: Re: [OAUTH-WG] December 27, 2012 OAuth Release

Mike,

I've read through the JWT spec and I'm curious about something.  How do I specify a signature requirement as the server?  I didn't see it but I probably just missed it.  I'm thinking that with very little work a JWT can do everything that MAC does with greater flexibility, *BUT* the server needs to be able to require a signed usage.  Something I never liked about OAuth 1.0 is that the server must support all valid signature types, even PLAINTEXT, so I want to be able to avoid that.

It would require the client to be able to include client generated stuff in the JWT.

Thanks,

-bill

v2.23.0 | Report a Bug | By Email