IETF Logo Mail Archive

Re: [OAUTH-WG] Confirmation: Call for Adoption of "OAuth Token Introspection" as an OAuth Working Group Item

Justin Richer <jricher@mitre.org> Tue, 29 July 2014 18:14 UTC

Return-Path: <jricher@mitre.org>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 030781A026E for <oauth@ietfa.amsl.com>; Tue, 29 Jul 2014 11:14:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Level:
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MUdYriupfQit for <oauth@ietfa.amsl.com>; Tue, 29 Jul 2014 11:13:58 -0700 (PDT)
Received: from smtpksrv1.mitre.org (smtpksrv1.mitre.org [198.49.146.77]) by ietfa.amsl.com (Postfix) with ESMTP id 9BBFB1B2A0A for <oauth@ietf.org>; Tue, 29 Jul 2014 11:13:57 -0700 (PDT)
Received: from smtpksrv1.mitre.org (localhost.localdomain [127.0.0.1]) by localhost (Postfix) with SMTP id 49B2C1F203A; Tue, 29 Jul 2014 14:13:57 -0400 (EDT)
Received: from IMCCAS03.MITRE.ORG (imccas03.mitre.org [129.83.29.80]) by smtpksrv1.mitre.org (Postfix) with ESMTP id 34BEB1F0536; Tue, 29 Jul 2014 14:13:57 -0400 (EDT)
Received: from [10.146.15.61] (10.140.19.249) by IMCCAS03.MITRE.ORG (129.83.29.80) with Microsoft SMTP Server (TLS) id 14.3.174.1; Tue, 29 Jul 2014 14:13:56 -0400
Message-ID: <53D7E430.2070400@mitre.org>
Date: Tue, 29 Jul 2014 14:13:04 -0400
From: Justin Richer <jricher@mitre.org>
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:24.0) Gecko/20100101 Thunderbird/24.6.0
MIME-Version: 1.0
To: Bill Mills <wmills_92105@yahoo.com>, Paul Madsen <paul.madsen@gmail.com>, Phil Hunt <phil.hunt@oracle.com>
References: <53D6895F.4050104@gmx.net> <CAEayHEM+pqDqv1qx=Z-qhNuYM-s2cV0z=sQb_FAJaGwcLpq_rQ@mail.gmail.com> <20A36D56-D581-4EDE-9DEA-D3F9C48AD20B@oracle.com> <53D6ED5A.10500@mit.edu> <33F1EE39-2BDF-4F3D-B4DD-4AB9848BC4BF@oracle.com> <F9F7D2A9-6E70-47BA-9AF6-8EB799EB28F7@gmail.com> <1406657488.80350.YahooMailNeo@web142801.mail.bf1.yahoo.com>
In-Reply-To: <1406657488.80350.YahooMailNeo@web142801.mail.bf1.yahoo.com>
Content-Type: multipart/alternative; boundary="------------030307020004060400020409"
X-Originating-IP: [10.140.19.249]
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/a4bxcDdCBA_1Xj-I4Sqw5ZbX_gQ
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Confirmation: Call for Adoption of "OAuth Token Introspection" as an OAuth Working Group Item
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 29 Jul 2014 18:14:03 -0000

Agreed on this point -- which is why the only MTI bit in the individual 
draft is "active", which is whether or not the token was any good to 
begin with. There are a set of claims with defined semantics but all are 
optional, and the list is extensible. I think in practice we'll see 
people settle on a set of common ones.

  -- Justin

On 07/29/2014 02:11 PM, Bill Mills wrote:
> This is exactly the same problem space as webfinger, you want to know 
> something about a user and there's a useful set of information you 
> might reasonably query, but in the end the server may have it's own 
> schema of data it returns.  There won't be a single schema that fits 
> all use cases, Any given RS/AS ecosystem may decide they have custom 
> stuff and omit other stuff.  I think the more rigid the MTI schema 
> gets the harder the battle in this case.
>
>
> On Tuesday, July 29, 2014 2:56 AM, Paul Madsen <paul.madsen@gmail.com> 
> wrote:
>
>
> Standardized Introspection will be valuable in NAPPS, where the AS and 
> RS may be in different policy domains.
>
> Even for single policy domains, there are enterprise scenarios where 
> the RS is from a different vendor than the AS, such as when an API 
> gateway validates tokens issued by an 'IdP' . We've necessarily 
> defined our own introspection endpoint and our gateway partners have 
> implemented it, (at the instruction of the customer in question). But 
> of course it's proprietary to us.
>
> Paul
>
> On Jul 28, 2014, at 8:59 PM, Phil Hunt <phil.hunt@oracle.com 
> <mailto:phil.hunt@oracle.com>> wrote:
>
>> That doesn't explain the need for inter-operability. What you've 
>> described is what will be common practice.
>>
>> It's a great open source technique, but that's not a standard.
>>
>> JWT is much different. JWT is a foundational specification that 
>> describes the construction and parsing of JSON based tokens. There is 
>> inter-op with token formats that build on top and there is inter-op 
>> between every communicating party.
>>
>> In OAuth, a site may never implement token introspection nor may it 
>> do it the way you describe.  Why would that be a problem?  Why should 
>> the group spend time on something where there may be no inter-op need.
>>
>> Now that said, if you are in the UMA community.  Inter-op is quite 
>> foundational.  It is very very important. But then maybe the spec 
>> should be defined within UMA?
>>
>> Phil
>>
>> @independentid
>> www.independentid.com <http://www.independentid.com/>
>> phil.hunt@oracle.com <mailto:phil.hunt@oracle.com>
>>
>>
>>
>> On Jul 28, 2014, at 5:39 PM, Justin Richer <jricher@MIT.EDU 
>> <mailto:jricher@MIT.EDU>> wrote:
>>
>>> It's analogous to JWT in many ways: when you've got the AS and the 
>>> RS separated somehow (different box, different domain, even 
>>> different software vendor) and you need to communicate a set of 
>>> information about the approval delegation from the AS (who has the 
>>> context to know about it) through to the RS (who needs to know about 
>>> it to make the authorization call). JWT gives us an interoperable 
>>> way to do this by passing values inside the token itself, 
>>> introspection gives a way to pass the values by reference via the 
>>> token as an artifact. The two are complementary, and there are even 
>>> cases where you'd want to deploy them together.
>>>
>>>  -- Justin
>>>
>>> On 7/28/2014 8:11 PM, Phil Hunt wrote:
>>>> Could we have some discussion on the interop cases?
>>>>
>>>> Is it driven by scenarios where AS and resource are separate 
>>>> domains? Or may this be only of interest to specific protocols like 
>>>> UMA?
>>>>
>>>> From a technique principle, the draft is important and sound. I am 
>>>> just not there yet on the reasons for an interoperable standard.
>>>>
>>>> Phil
>>>>
>>>> On Jul 28, 2014, at 17:00, Thomas Broyer <t.broyer@gmail.com 
>>>> <mailto:t.broyer@gmail.com>> wrote:
>>>>
>>>>> Yes. This spec is of special interest to the platform we're 
>>>>> building for http://www.oasis-eu.org/
>>>>>
>>>>>
>>>>> On Mon, Jul 28, 2014 at 7:33 PM, Hannes Tschofenig 
>>>>> <hannes.tschofenig@gmx.net <mailto:hannes.tschofenig@gmx.net>> wrote:
>>>>>
>>>>>     Hi all,
>>>>>
>>>>>     during the IETF #90 OAuth WG meeting, there was strong
>>>>>     consensus in
>>>>>     adopting the "OAuth Token Introspection"
>>>>>     (draft-richer-oauth-introspection-06.txt) specification as an
>>>>>     OAuth WG
>>>>>     work item.
>>>>>
>>>>>     We would now like to verify the outcome of this call for
>>>>>     adoption on the
>>>>>     OAuth WG mailing list. Here is the link to the document:
>>>>>     http://datatracker.ietf.org/doc/draft-richer-oauth-introspection/
>>>>>
>>>>>     If you did not hum at the IETF 90 OAuth WG meeting, and have
>>>>>     an opinion
>>>>>     as to the suitability of adopting this document as a WG work item,
>>>>>     please send mail to the OAuth WG list indicating your opinion
>>>>>     (Yes/No).
>>>>>
>>>>>     The confirmation call for adoption will last until August 10,
>>>>>     2014.  If
>>>>>     you have issues/edits/comments on the document, please send these
>>>>>     comments along to the list in your response to this Call for
>>>>>     Adoption.
>>>>>
>>>>>     Ciao
>>>>>     Hannes & Derek
>>>>>
>>>>>
>>>>>     _______________________________________________
>>>>>     OAuth mailing list
>>>>>     OAuth@ietf.org <mailto:OAuth@ietf.org>
>>>>>     https://www.ietf.org/mailman/listinfo/oauth
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> -- 
>>>>> Thomas Broyer
>>>>> /t?.ma.b?wa.je/ <http://xn--nna.ma.xn--bwa-xxb.je/>
>>>>> _______________________________________________
>>>>> OAuth mailing list
>>>>> OAuth@ietf.org <mailto:OAuth@ietf.org>
>>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>>
>>>>
>>>> _______________________________________________
>>>> OAuth mailing list
>>>> OAuth@ietf.org  <mailto:OAuth@ietf.org>
>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org <mailto:OAuth@ietf.org>
>>> https://www.ietf.org/mailman/listinfo/oauth
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org <mailto:OAuth@ietf.org>
>> https://www.ietf.org/mailman/listinfo/oauth
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org <mailto:OAuth@ietf.org>
> https://www.ietf.org/mailman/listinfo/oauth
>
>
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email