Re: [OAUTH-WG] Confirmation: Call for Adoption of "OAuth Token Introspection" as an OAuth Working Group Item
Justin Richer <jricher@mitre.org> Tue, 29 July 2014 18:14 UTC
Return-Path: <jricher@mitre.org>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 030781A026E for <oauth@ietfa.amsl.com>; Tue, 29 Jul 2014 11:14:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Level:
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MUdYriupfQit for <oauth@ietfa.amsl.com>; Tue, 29 Jul 2014 11:13:58 -0700 (PDT)
Received: from smtpksrv1.mitre.org (smtpksrv1.mitre.org [198.49.146.77]) by ietfa.amsl.com (Postfix) with ESMTP id 9BBFB1B2A0A for <oauth@ietf.org>; Tue, 29 Jul 2014 11:13:57 -0700 (PDT)
Received: from smtpksrv1.mitre.org (localhost.localdomain [127.0.0.1]) by localhost (Postfix) with SMTP id 49B2C1F203A; Tue, 29 Jul 2014 14:13:57 -0400 (EDT)
Received: from IMCCAS03.MITRE.ORG (imccas03.mitre.org [129.83.29.80]) by smtpksrv1.mitre.org (Postfix) with ESMTP id 34BEB1F0536; Tue, 29 Jul 2014 14:13:57 -0400 (EDT)
Received: from [10.146.15.61] (10.140.19.249) by IMCCAS03.MITRE.ORG (129.83.29.80) with Microsoft SMTP Server (TLS) id 14.3.174.1; Tue, 29 Jul 2014 14:13:56 -0400
Message-ID: <53D7E430.2070400@mitre.org>
Date: Tue, 29 Jul 2014 14:13:04 -0400
From: Justin Richer <jricher@mitre.org>
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:24.0) Gecko/20100101 Thunderbird/24.6.0
MIME-Version: 1.0
To: Bill Mills <wmills_92105@yahoo.com>, Paul Madsen <paul.madsen@gmail.com>, Phil Hunt <phil.hunt@oracle.com>
References: <53D6895F.4050104@gmx.net> <CAEayHEM+pqDqv1qx=Z-qhNuYM-s2cV0z=sQb_FAJaGwcLpq_rQ@mail.gmail.com> <20A36D56-D581-4EDE-9DEA-D3F9C48AD20B@oracle.com> <53D6ED5A.10500@mit.edu> <33F1EE39-2BDF-4F3D-B4DD-4AB9848BC4BF@oracle.com> <F9F7D2A9-6E70-47BA-9AF6-8EB799EB28F7@gmail.com> <1406657488.80350.YahooMailNeo@web142801.mail.bf1.yahoo.com>
In-Reply-To: <1406657488.80350.YahooMailNeo@web142801.mail.bf1.yahoo.com>
Content-Type: multipart/alternative; boundary="------------030307020004060400020409"
X-Originating-IP: [10.140.19.249]
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/a4bxcDdCBA_1Xj-I4Sqw5ZbX_gQ
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Confirmation: Call for Adoption of "OAuth Token Introspection" as an OAuth Working Group Item
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 29 Jul 2014 18:14:03 -0000
Agreed on this point -- which is why the only MTI bit in the individual draft is "active", which is whether or not the token was any good to begin with. There are a set of claims with defined semantics but all are optional, and the list is extensible. I think in practice we'll see people settle on a set of common ones. -- Justin On 07/29/2014 02:11 PM, Bill Mills wrote: > This is exactly the same problem space as webfinger, you want to know > something about a user and there's a useful set of information you > might reasonably query, but in the end the server may have it's own > schema of data it returns. There won't be a single schema that fits > all use cases, Any given RS/AS ecosystem may decide they have custom > stuff and omit other stuff. I think the more rigid the MTI schema > gets the harder the battle in this case. > > > On Tuesday, July 29, 2014 2:56 AM, Paul Madsen <paul.madsen@gmail.com> > wrote: > > > Standardized Introspection will be valuable in NAPPS, where the AS and > RS may be in different policy domains. > > Even for single policy domains, there are enterprise scenarios where > the RS is from a different vendor than the AS, such as when an API > gateway validates tokens issued by an 'IdP' . We've necessarily > defined our own introspection endpoint and our gateway partners have > implemented it, (at the instruction of the customer in question). But > of course it's proprietary to us. > > Paul > > On Jul 28, 2014, at 8:59 PM, Phil Hunt <phil.hunt@oracle.com > <mailto:phil.hunt@oracle.com>> wrote: > >> That doesn't explain the need for inter-operability. What you've >> described is what will be common practice. >> >> It's a great open source technique, but that's not a standard. >> >> JWT is much different. JWT is a foundational specification that >> describes the construction and parsing of JSON based tokens. There is >> inter-op with token formats that build on top and there is inter-op >> between every communicating party. >> >> In OAuth, a site may never implement token introspection nor may it >> do it the way you describe. Why would that be a problem? Why should >> the group spend time on something where there may be no inter-op need. >> >> Now that said, if you are in the UMA community. Inter-op is quite >> foundational. It is very very important. But then maybe the spec >> should be defined within UMA? >> >> Phil >> >> @independentid >> www.independentid.com <http://www.independentid.com/> >> phil.hunt@oracle.com <mailto:phil.hunt@oracle.com> >> >> >> >> On Jul 28, 2014, at 5:39 PM, Justin Richer <jricher@MIT.EDU >> <mailto:jricher@MIT.EDU>> wrote: >> >>> It's analogous to JWT in many ways: when you've got the AS and the >>> RS separated somehow (different box, different domain, even >>> different software vendor) and you need to communicate a set of >>> information about the approval delegation from the AS (who has the >>> context to know about it) through to the RS (who needs to know about >>> it to make the authorization call). JWT gives us an interoperable >>> way to do this by passing values inside the token itself, >>> introspection gives a way to pass the values by reference via the >>> token as an artifact. The two are complementary, and there are even >>> cases where you'd want to deploy them together. >>> >>> -- Justin >>> >>> On 7/28/2014 8:11 PM, Phil Hunt wrote: >>>> Could we have some discussion on the interop cases? >>>> >>>> Is it driven by scenarios where AS and resource are separate >>>> domains? Or may this be only of interest to specific protocols like >>>> UMA? >>>> >>>> From a technique principle, the draft is important and sound. I am >>>> just not there yet on the reasons for an interoperable standard. >>>> >>>> Phil >>>> >>>> On Jul 28, 2014, at 17:00, Thomas Broyer <t.broyer@gmail.com >>>> <mailto:t.broyer@gmail.com>> wrote: >>>> >>>>> Yes. This spec is of special interest to the platform we're >>>>> building for http://www.oasis-eu.org/ >>>>> >>>>> >>>>> On Mon, Jul 28, 2014 at 7:33 PM, Hannes Tschofenig >>>>> <hannes.tschofenig@gmx.net <mailto:hannes.tschofenig@gmx.net>> wrote: >>>>> >>>>> Hi all, >>>>> >>>>> during the IETF #90 OAuth WG meeting, there was strong >>>>> consensus in >>>>> adopting the "OAuth Token Introspection" >>>>> (draft-richer-oauth-introspection-06.txt) specification as an >>>>> OAuth WG >>>>> work item. >>>>> >>>>> We would now like to verify the outcome of this call for >>>>> adoption on the >>>>> OAuth WG mailing list. Here is the link to the document: >>>>> http://datatracker.ietf.org/doc/draft-richer-oauth-introspection/ >>>>> >>>>> If you did not hum at the IETF 90 OAuth WG meeting, and have >>>>> an opinion >>>>> as to the suitability of adopting this document as a WG work item, >>>>> please send mail to the OAuth WG list indicating your opinion >>>>> (Yes/No). >>>>> >>>>> The confirmation call for adoption will last until August 10, >>>>> 2014. If >>>>> you have issues/edits/comments on the document, please send these >>>>> comments along to the list in your response to this Call for >>>>> Adoption. >>>>> >>>>> Ciao >>>>> Hannes & Derek >>>>> >>>>> >>>>> _______________________________________________ >>>>> OAuth mailing list >>>>> OAuth@ietf.org <mailto:OAuth@ietf.org> >>>>> https://www.ietf.org/mailman/listinfo/oauth >>>>> >>>>> >>>>> >>>>> >>>>> -- >>>>> Thomas Broyer >>>>> /t?.ma.b?wa.je/ <http://xn--nna.ma.xn--bwa-xxb.je/> >>>>> _______________________________________________ >>>>> OAuth mailing list >>>>> OAuth@ietf.org <mailto:OAuth@ietf.org> >>>>> https://www.ietf.org/mailman/listinfo/oauth >>>> >>>> >>>> _______________________________________________ >>>> OAuth mailing list >>>> OAuth@ietf.org <mailto:OAuth@ietf.org> >>>> https://www.ietf.org/mailman/listinfo/oauth >>> >>> _______________________________________________ >>> OAuth mailing list >>> OAuth@ietf.org <mailto:OAuth@ietf.org> >>> https://www.ietf.org/mailman/listinfo/oauth >> >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org <mailto:OAuth@ietf.org> >> https://www.ietf.org/mailman/listinfo/oauth > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org <mailto:OAuth@ietf.org> > https://www.ietf.org/mailman/listinfo/oauth > > > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth
- [OAUTH-WG] Confirmation: Call for Adoption of "OA… Hannes Tschofenig
- Re: [OAUTH-WG] Confirmation: Call for Adoption of… Eve Maler
- Re: [OAUTH-WG] Confirmation: Call for Adoption of… Bill Mills
- Re: [OAUTH-WG] Confirmation: Call for Adoption of… Thomas Broyer
- Re: [OAUTH-WG] Confirmation: Call for Adoption of… Phil Hunt
- Re: [OAUTH-WG] Confirmation: Call for Adoption of… Justin Richer
- Re: [OAUTH-WG] Confirmation: Call for Adoption of… Phil Hunt
- Re: [OAUTH-WG] Confirmation: Call for Adoption of… Thomas Broyer
- Re: [OAUTH-WG] Confirmation: Call for Adoption of… Justin Richer
- Re: [OAUTH-WG] Confirmation: Call for Adoption of… Tirumaleswar Reddy (tireddy)
- Re: [OAUTH-WG] Confirmation: Call for Adoption of… Mark Dobrinic
- Re: [OAUTH-WG] Confirmation: Call for Adoption of… Paul Madsen
- Re: [OAUTH-WG] Confirmation: Call for Adoption of… Mike Jones
- Re: [OAUTH-WG] Confirmation: Call for Adoption of… Justin Richer
- Re: [OAUTH-WG] Confirmation: Call for Adoption of… Bill Mills
- Re: [OAUTH-WG] Confirmation: Call for Adoption of… Justin Richer
- Re: [OAUTH-WG] Confirmation: Call for Adoption of… Eve Maler
- Re: [OAUTH-WG] Confirmation: Call for Adoption of… Phil Hunt
- Re: [OAUTH-WG] Confirmation: Call for Adoption of… Thomas Broyer
- Re: [OAUTH-WG] Confirmation: Call for Adoption of… George Fletcher
- Re: [OAUTH-WG] Confirmation: Call for Adoption of… Phil Hunt
- Re: [OAUTH-WG] Confirmation: Call for Adoption of… Mike Jones
- Re: [OAUTH-WG] Confirmation: Call for Adoption of… Thomas Broyer
- Re: [OAUTH-WG] Confirmation: Call for Adoption of… Mike Jones
- Re: [OAUTH-WG] Confirmation: Call for Adoption of… Justin Richer
- Re: [OAUTH-WG] Confirmation: Call for Adoption of… Justin Richer
- Re: [OAUTH-WG] Confirmation: Call for Adoption of… Phil Hunt
- Re: [OAUTH-WG] Confirmation: Call for Adoption of… Thomas Broyer
- Re: [OAUTH-WG] Confirmation: Call for Adoption of… Phil Hunt
- Re: [OAUTH-WG] Confirmation: Call for Adoption of… Justin Richer
- Re: [OAUTH-WG] Confirmation: Call for Adoption of… Anthony Nadalin
- Re: [OAUTH-WG] Confirmation: Call for Adoption of… Phil Hunt
- Re: [OAUTH-WG] Confirmation: Call for Adoption of… Eve Maler
- Re: [OAUTH-WG] Confirmation: Call for Adoption of… Tirumaleswar Reddy (tireddy)
- Re: [OAUTH-WG] Confirmation: Call for Adoption of… Thomas Broyer
- Re: [OAUTH-WG] Confirmation: Call for Adoption of… Sergey Beryozkin
- Re: [OAUTH-WG] Confirmation: Call for Adoption of… Sergey Beryozkin
- Re: [OAUTH-WG] Confirmation: Call for Adoption of… John Bradley
- Re: [OAUTH-WG] Confirmation: Call for Adoption of… Sergey Beryozkin
- Re: [OAUTH-WG] Confirmation: Call for Adoption of… John Bradley
- Re: [OAUTH-WG] Confirmation: Call for Adoption of… Sergey Beryozkin
- Re: [OAUTH-WG] Confirmation: Call for Adoption of… George Fletcher
- Re: [OAUTH-WG] Confirmation: Call for Adoption of… George Fletcher
- Re: [OAUTH-WG] Confirmation: Call for Adoption of… George Fletcher
- Re: [OAUTH-WG] Confirmation: Call for Adoption of… John Bradley
- Re: [OAUTH-WG] Confirmation: Call for Adoption of… Anthony Nadalin
- Re: [OAUTH-WG] Confirmation: Call for Adoption of… John Bradley
- Re: [OAUTH-WG] Confirmation: Call for Adoption of… Brian Campbell