Re: [OAUTH-WG] Using OAuth to get a JWT/SAML token

William Mills <wmills@yahoo-inc.com> Thu, 19 April 2012 23:21 UTC

References: <5jrlua1y80mdxtvpmygf5tp1.1334872982862@email.android.com>
Message-ID: <1334877670.64827.YahooMailNeo@web31802.mail.mud.yahoo.com>
Date: Thu, 19 Apr 2012 16:21:10 -0700
From: William Mills <wmills@yahoo-inc.com>
To: Paul Madsen <paul.madsen@gmail.com>, "adam.lewis@motorolasolutions.com" <adam.lewis@motorolasolutions.com>, "jricher@mitre.org" <jricher@mitre.org>
In-Reply-To: <5jrlua1y80mdxtvpmygf5tp1.1334872982862@email.android.com>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Using OAuth to get a JWT/SAML token

Various additional anti-abuse controls can be applied like CAPTCHA if you have a full browser to leverage.  Much harder to get that flexibility in a fixed client UI.  

>________________________________
> From: Paul Madsen <paul.madsen@gmail.com>
>To: adam.lewis@motorolasolutions.com; jricher@mitre.org 
>Cc: oauth@ietf.org 
>Sent: Thursday, April 19, 2012 3:03 PM
>Subject: Re: [OAUTH-WG] Using OAuth to get a JWT/SAML token
> 
>
>Using the browser as part of the AS interaction allows you to more easily collect the users consent. 
>
>
>Once you get the tokens based on that consent, everything is 'RESTful'
>
>
>-------- Original message --------
>Subject: Re: [OAUTH-WG] Using OAuth to get a JWT/SAML token
>From: Lewis Adam-CAL022 <Adam.Lewis@motorolasolutions.com>
>To: Justin Richer <jricher@mitre.org>
>CC: Re: [OAUTH-WG] Using OAuth to get a JWT/SAML token
>
>
>
>Hi Justin,
> 
>There is one thing I have not understood about the whole external browser vs. embedded browser guidance … and that is, why is *any* browser needed?  Java for example has an HTTP library, and OAuth is RESTful.  So why is it necessary to require the web browser at all, whether external or embedded?  Why can’t my native client make RESTful API calls to the AS and RS natively?
> 
>Tx!
>adam
> 
>From: Justin Richer [mailto:jricher@mitre.org]
>Sent: Friday, April 13, 2012 11:38 AM
>To: Lewis Adam-CAL022
>Cc: oauth@ietf.org
>Subject: Re: [OAUTH-WG] Using OAuth to get a JWT/SAML token
> 
>If the mobile device has a web browser (such as a smart phone), then this is pretty easy, and you've got a couple of options.
>
>One of the best options when the token is on behalf of an end user is, in my opinion, to use the authorization code flow like this: First, register what's called a "public client" with your server -- so you'll get an ID but not a client secret. With that client ID, register a custom-scheme callback URI, like "myapp://oauthcallback", and register your app on the device as the handler for "myapp".
>
>In your application, to start things off, you fire off a web browser to the authorization server's authorization endpoint. The user logs in to the authorization server through the web browser, approves this copy of your app, and gets redirected to "myapp://oauthcallback?code=basdf132". Your app grabs the "myapp://" url and plucks the authorization code off the end of it. Your app then takes that code and sends it in the background to the token endpoint to exchange for a token.
>
>Some key points: 
>
>1) You need to have access to a web browser on the platform, and it's considered best practice to push the user to the external browser application on the platform instead of embedding one. There are a couple paragraphs in the spec's security considerations section that talk about this.
>2) Your app is "public" because you can't publish it with a secret at configuration time. It can, however, keep the tokens secret at runtime.
>3) You need to be very careful with how you store the tokens on the device -- they need to be in a trusted space where other apps on the device can't sniff them out.
>4) Another app can try to register "myapp://" and intercept your code on the way through, so make sure your codes are all one time use and short lived.
>
>None of this is just theoretically possible, people are doing it today. What libraries and stuff you'd be after depends wholly on your platform (both server and client side). 
>
> -- Justin
>
>On 04/12/2012 03:01 PM, Lewis Adam-CAL022 wrote: 
>Hi all,
> 
>I’ve been talking to some of you off line about this already, but I need some help in terms of implementation.  I would like to use OAuth as a means to get either a JWT or SAML token to a client running on a handheld device.  This is something that I’m looking to prototype (as part of a larger project) beginning this week.  So, it is important to me to understand the divide between what is theoretically possible and what is actually possible.
> 
>Anybody aware of any implementations out there, either vendor or open source, that I can use for this?
> 
>Tx!
>adam
>
>
>
>
>_______________________________________________
>OAuth mailing list
>OAuth@ietf.org
>https://www.ietf.org/mailman/listinfo/oauth
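Justin's recipe above (public client, custom-scheme callback, background exchange at the token endpoint) together with his fourth key point, as an added Python sketch that is not from the thread or from any of the posters: a toy in-memory authorization server that issues codes bound to the registered client ID and redirect URI, lets each code be redeemed exactly once, and expires it after a short TTL, plus the native-app helper that plucks the code off the "myapp://oauthcallback" URL. The client ID "app123", the user "alice", the 60-second TTL and the injectable clock are constructed values for the example.

```python
import secrets
import time
from urllib.parse import urlsplit, parse_qs

CODE_TTL_SECONDS = 60  # "short lived": constructed value for the example


class AuthorizationServer:
    """Toy in-memory AS (constructed example): issues one-time, short-lived
    authorization codes to a registered public client (no client secret)."""

    def __init__(self, registered_clients, now=time.time):
        # client_id -> the custom-scheme redirect URI registered for it
        self.registered_clients = dict(registered_clients)
        self.now = now  # injectable clock so expiry can be exercised offline
        self._codes = {}  # code -> (client_id, redirect_uri, user, expires_at)

    def authorize(self, client_id, redirect_uri, user):
        """Authorization endpoint, reached after the user logged in through the
        browser and approved this copy of the app; returns the callback URL."""
        if self.registered_clients.get(client_id) != redirect_uri:
            raise ValueError("unknown client or unregistered redirect_uri")
        code = secrets.token_urlsafe(32)  # unguessable, URL-safe
        self._codes[code] = (client_id, redirect_uri, user,
                             self.now() + CODE_TTL_SECONDS)
        return f"{redirect_uri}?code={code}"

    def token(self, client_id, redirect_uri, code):
        """Token endpoint: a code is consumed on first presentation, so a
        second presentation (by anyone) fails; mismatched client/redirect or
        an expired code fails too. Returns None on any failure."""
        entry = self._codes.pop(code, None)  # pop: "one time use"
        if entry is None:
            return None
        c_id, r_uri, user, expires_at = entry
        if c_id != client_id or r_uri != redirect_uri or self.now() > expires_at:
            return None
        return {"access_token": secrets.token_urlsafe(32), "sub": user}


def code_from_callback(url):
    """Native-app side: accept only our own scheme and host, then pull the
    'code' query parameter off the myapp://oauthcallback?code=... URL."""
    parts = urlsplit(url)
    if parts.scheme != "myapp" or parts.netloc != "oauthcallback":
        return None
    return parse_qs(parts.query).get("code", [None])[0]
```

The app that reaches the token endpoint first gets the token; if the legitimate app's exchange comes back empty, the code was already spent or has expired, which is exactly why the codes must be single-use and short-lived.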