Re: [OAUTH-WG] Confirmation: Call for Adoption of "OAuth Token Introspection" as an OAuth Working Group Item

Thomas Broyer <t.broyer@gmail.com> Wed, 30 July 2014 00:55 UTC

Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/_TYarvzE5Sb0B2wo5b_M2hUy-hQ

Try it where? When you're the RS trying to determine whether you should
accept the token or reject it?
On 30 Jul 2014 02:49, "Mike Jones" <Michael.Jones@microsoft.com> wrote:

>  Yes, but that’s the simplest thing to determine – try the token and see
> whether it works or not.
>
>
>
> *From:* Thomas Broyer [mailto:t.broyer@gmail.com]
> *Sent:* Tuesday, July 29, 2014 5:43 PM
> *To:* Mike Jones
> *Cc:* <oauth@ietf.org>; George Fletcher; Phil Hunt
> *Subject:* RE: [OAUTH-WG] Confirmation: Call for Adoption of "OAuth Token
> Introspection" as an OAuth Working Group Item
>
>
>
> Decoding a token with a specific format wouldn't tell you whether the
> token is still live: it could have been revoked before its expiration.
>
> On 30 Jul 2014 02:16, "Mike Jones" <Michael.Jones@microsoft.com> wrote:
>
> Did you consider standardizing the access token format within that
> deployment so all the parties that needed to could understand it, rather
> than requiring an extra round trip to an introspection endpoint so as to be
> able to understand things about it?
>
>
>
> I realize that might or might not be practical in some cases, but I
> haven’t heard that alternative discussed, so I thought I’d bring it up.
>
>
>
> I also second Phil’s comment that it would be good to understand the use
> cases that this is intended to solve before embarking on a particular
> solution path.
>
>
>
>                                                             -- Mike
>
>
>
> *From:* OAuth [mailto:oauth-bounces@ietf.org] *On Behalf Of *George
> Fletcher
> *Sent:* Tuesday, July 29, 2014 3:25 PM
> *To:* Phil Hunt; Thomas Broyer
> *Cc:* oauth@ietf.org
> *Subject:* Re: [OAUTH-WG] Confirmation: Call for Adoption of "OAuth Token
> Introspection" as an OAuth Working Group Item
>
>
>
> We also have a use case where the AS is provided by a partner and the RS
> is provided by AOL. Being able to have a standardized way of validating and
> getting data about the token from the AS would make our implementation much
> simpler as we can use the same mechanism for all Authorization Servers and
> not have to implement one off solutions for each AS.
>
> Thanks,
> George
>
> On 7/28/14, 8:11 PM, Phil Hunt wrote:
>
>  Could we have some discussion on the interop cases?
>
>
>
> Is it driven by scenarios where AS and resource are separate domains? Or
> may this be only of interest to specific protocols like UMA?
>
>
>
> From a technique principle, the draft is important and sound. I am just
> not there yet on the reasons for an interoperable standard.
>
>
>
> Phil
>
>
> On Jul 28, 2014, at 17:00, Thomas Broyer <t.broyer@gmail.com> wrote:
>
>  Yes. This spec is of special interest to the platform we're building for
> http://www.oasis-eu.org/
>
>
>
> On Mon, Jul 28, 2014 at 7:33 PM, Hannes Tschofenig <
> hannes.tschofenig@gmx.net> wrote:
>
> Hi all,
>
> during the IETF #90 OAuth WG meeting, there was strong consensus in
> adopting the "OAuth Token Introspection"
> (draft-richer-oauth-introspection-06.txt) specification as an OAuth WG
> work item.
>
> We would now like to verify the outcome of this call for adoption on the
> OAuth WG mailing list. Here is the link to the document:
> http://datatracker.ietf.org/doc/draft-richer-oauth-introspection/
>
> If you did not hum at the IETF 90 OAuth WG meeting, and have an opinion
> as to the suitability of adopting this document as a WG work item,
> please send mail to the OAuth WG list indicating your opinion (Yes/No).
>
> The confirmation call for adoption will last until August 10, 2014.  If
> you have issues/edits/comments on the document, please send these
> comments along to the list in your response to this Call for Adoption.
>
> Ciao
> Hannes & Derek
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
>
>
>
>
> --
> Thomas Broyer
> /tɔ.ma.bʁwa.je/
>
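Added example, not part of the original thread: a small in-process simulation of the point debated above, that a resource server decoding a standardized self-contained token still accepts it after the authorization server has revoked it, while asking the authorization server does not. The token layout, the `AuthorizationServer` class, the shared HMAC key and the `{"active": ...}` response shape are all constructed for illustration and are not taken from the draft.

```python
import base64, hashlib, hmac, json, time

KEY = b"constructed-demo-key"  # shared AS/RS secret, constructed for this example

def _sign(body: bytes) -> bytes:
    return hmac.new(KEY, body, hashlib.sha256).hexdigest().encode()

def decode_locally(token):
    """RS-side check of a standardized format: signature and expiry only."""
    try:
        body, sig = token.split(".")
    except ValueError:
        return None
    if not hmac.compare_digest(sig.encode(), _sign(body.encode())):
        return None
    claims = json.loads(base64.urlsafe_b64decode(body))
    return claims if claims["exp"] > time.time() else None

class AuthorizationServer:
    """Hypothetical AS: issues self-contained tokens and tracks revocations."""
    def __init__(self):
        self.revoked = set()

    def issue(self, sub, scope, ttl=3600):
        claims = {"jti": f"t{time.time_ns()}", "sub": sub, "scope": scope,
                  "exp": int(time.time()) + ttl}
        body = base64.urlsafe_b64encode(json.dumps(claims).encode())
        return f"{body.decode()}.{_sign(body).decode()}"

    def revoke(self, token):
        self.revoked.add(decode_locally(token)["jti"])

    def introspect(self, token):
        """What an introspection endpoint would answer (no HTTP in this sketch)."""
        claims = decode_locally(token)
        if claims is None or claims["jti"] in self.revoked:
            return {"active": False}
        return {"active": True, **claims}

def demo():
    server = AuthorizationServer()
    token = server.issue("alice", "read")
    server.revoke(token)  # revoked well before "exp"
    # Local decode still succeeds; only the AS knows the token is dead.
    return decode_locally(token) is not None, server.introspect(token)["active"]
```
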