Re: [OAUTH-WG] JWT binding for OAuth 2.0

Prabath Siriwardena <prabath@wso2.com> Thu, 16 April 2015 16:06 UTC

In-Reply-To: <552E76E4.70409@gmx.net>
References: <CAJV9qO-PsiNOdfBAf9k0VJ7+eGkE_g_gbygdCbGMv2UT56Ld=g@mail.gmail.com> <A0FFB94C-1EDB-41B9-B1E2-6943B078145F@ve7jtb.com> <CAJV9qO8KJk07Hs7X0tE2UKxeQNA3XaQO2uOF5xfVz0eDd8RgrA@mail.gmail.com> <422C5670-7D2D-4E1C-9E06-74CCB9054260@ve7jtb.com> <CAJV9qO-u8dRB9Rs5Le2GyiVa+eS7U_3_mAAn=5qZz7HQLL=qdw@mail.gmail.com> <552E1E60.8010602@gmx.net> <CAJV9qO9r+xzfVqTsbmGmuhVLg9fsy0trRiaYjPLnOa3JJJQbDw@mail.gmail.com> <552E76E4.70409@gmx.net>
Date: Thu, 16 Apr 2015 09:06:07 -0700
Message-ID: <CAJV9qO_PPJJGt=CvOyy-91qR580Y3rTWE+FHJWALDQocTY4m8w@mail.gmail.com>
From: Prabath Siriwardena <prabath@wso2.com>
To: Hannes Tschofenig <hannes.tschofenig@gmx.net>
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/avlGSAhoMzd6Y8Er-lCdQsdPiiA>
Cc: "oauth@ietf.org WG" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] JWT binding for OAuth 2.0

Sure - I will come up with a draft proposal for this...

Thanks & regards,
-Prabath

On Wed, Apr 15, 2015 at 7:34 AM, Hannes Tschofenig <
hannes.tschofenig@gmx.net> wrote:

> Although I am not a huge fan of SOAP, feel free to write a document and
> make it available to the group so that we can look at the details.
>
> On 04/15/2015 01:30 PM, Prabath Siriwardena wrote:
> > Hi Hannes,
> >
> > I still think it's equally important to have a transport-independent
> > binding ..
> >
> > If you look at the SOAP world, WS-Security is self-contained in the
> > message itself.. and the SAML SOAP binding is another example...
> >
> > Thanks & regards,
> > -Prabath
> >
> >
> > On Wed, Apr 15, 2015 at 1:16 AM, Hannes Tschofenig
> > <hannes.tschofenig@gmx.net <mailto:hannes.tschofenig@gmx.net>> wrote:
> >
> >     Hi Prabath,
> >
> >     the reason we have documents that describe the transport of bearer
> >     tokens/proof-of-possession tokens over the different transports is
> >     that the task is more than just conveying a JWT over some protocol.
> >
> >     There are various documents that specify the transport of OAuth
> >     access tokens over some protocol:
> >
> >     * Bearer Tokens over HTTPS:
> >     https://tools.ietf.org/html/rfc6750
> >
> >     * Proof-of-Possession Tokens over TURN
> >     http://tools.ietf.org/html/draft-ietf-tram-turn-third-party-authz-13
> >
> >     * Bearer Tokens over SASL:
> >     https://tools.ietf.org/html/draft-ietf-kitten-sasl-oauth-19
> >
> >     * Bearer Tokens over CoAP:
> >     https://tools.ietf.org/html/draft-tschofenig-ace-oauth-bt-01
> >
> >     * OAuth over SIP:
> >     https://tools.ietf.org/html/draft-yusef-sipcore-sip-oauth-02
> >
> >     * Then, there is all the work on proof-of-possession tokens that
> >     requires thoughts on how to tie the access token to the request (see
> >     http://tools.ietf.org/html/draft-ietf-oauth-signed-http-request-01
> >     or token binding at
> >     https://tools.ietf.org/html/draft-ietf-tokbind-protocol-00)
> >
> >     If you look at these documents then you will see that the
> >     characteristics of the underlying protocol matter a lot from a
> >     security point of view. There are also encoding and discovery related
> >     aspects that need to be taken into account as well.
> >
> >     If someone wants to figure out how to carry OAuth access tokens over
> >     MQTT then they will have to figure out whether there are some
> >     additional considerations to take into account.
> >
> >     What we should probably be doing in this group is to write a guidance
> >     document for using OAuth over <<foo>>.
> >
> >     Ciao
> >     Hannes
> >
> >     On 04/15/2015 12:02 AM, Prabath Siriwardena wrote:
> >     > It can be a JSON payload over JMS or even MQTT..
> >     >
> >     > I have seen some effort to create an MQTT binding for OAuth 2.0 -
> >     > but then again for each transport we need to have a binding..
> >     >
> >     > But - creating a message level binding would be much better IMHO..
> >     >
> >     > Thanks & regards,
> >     > -Prabath
> >     >
> >     > On Tue, Apr 14, 2015 at 2:55 PM, John Bradley <ve7jtb@ve7jtb.com> wrote:
> >     >
> >     >     Most of the pub sub things I have seen use HTTP transport.  Do
> >     >     you have a pointer to the protocol?
> >     >
> >     >>     On Apr 14, 2015, at 6:48 PM, Prabath Siriwardena <prabath@wso2.com> wrote:
> >     >>
> >     >>     Thanks John for the pointer - will have a look..
> >     >>
> >     >>     I am looking at this for a pub/sub scenario..  Having a JWT binding
> >     >>     would benefit that..
> >     >>
> >     >>     Also - why I want the access token to be inside a JWT is - when we
> >     >>     send a JSON payload in this case, we already have the JWT
> >     >>     envelope and the access token needs to be carried inside..
> >     >>
> >     >>     Thanks & regards,
> >     >>     -Prabath
> >     >>
> >     >>
> >     >>
> >     >>
> >     >>
> >     >>     On Tue, Apr 14, 2015 at 2:41 PM, John Bradley <ve7jtb@ve7jtb.com> wrote:
> >     >>
> >     >>         There is an OAuth binding to SASL:
> >     >>         https://tools.ietf.org/html/draft-ietf-kitten-sasl-oauth-19
> >     >>
> >     >>         Google supports it for IMAP/SMTP,  I think the latest iOS
> >     >>         and OSX mail client updates use it rather than passwords for
> >     >>         Google.  I also noticed Outlook on Android using it.
> >     >>
> >     >>         The access token might be a signed or encrypted JWT
> >     >>         itself.  I don’t know that wrapping it again necessarily helps.
> >     >>
> >     >>         Yes we should have bindings to other non-HTTP protocols.
> >     >>
> >     >>         Is there something specific that you are looking for that
> >     >>         is not covered by SASL?
> >     >>
> >     >>         John B.
> >     >>
> >     >>
> >     >>
> >     >>>         On Apr 14, 2015, at 6:21 PM, Prabath Siriwardena
> >     >>>         <prabath@wso2.com> wrote:
> >     >>>
> >     >>>         At the moment we only have an HTTP binding to transport the
> >     >>>         access token (please correct me if not)..
> >     >>>
> >     >>>         This creates a dependency on the transport.
> >     >>>
> >     >>>         How about creating a JWT binding for OAuth 2.0..? We can
> >     >>>         transport the access token as an encrypted JWT header
> >     >>>         parameter..?
> >     >>>
> >     >>>
> >     >>>         Thanks & Regards,
> >     >>>         Prabath
> >     >>>
> >     >>>         Twitter : @prabath
> >     >>>         LinkedIn : http://www.linkedin.com/in/prabathsiriwardena
> >     >>>
> >     >>>         Mobile : +1 650 625 7950
> >     >>>
> >     >>>         http://blog.facilelogin.com
> >     >>>         http://blog.api-security.org
> >     >>>         _______________________________________________
> >     >>>         OAuth mailing list
> >     >>>         OAuth@ietf.org
> >     >>>         https://www.ietf.org/mailman/listinfo/oauth
> >     >>
> >     >>
> >     >>
> >     >>
> >     >>     --
> >     >>     Thanks & Regards,
> >     >>     Prabath
> >     >>
> >     >>     Twitter : @prabath
> >     >>     LinkedIn : http://www.linkedin.com/in/prabathsiriwardena
> >     >>
> >     >>     Mobile : +1 650 625 7950
> >     >>
> >     >>     http://blog.facilelogin.com
> >     >>     http://blog.api-security.org
> >     >
> >     >
> >     >
> >     >
> >     > --
> >     > Thanks & Regards,
> >     > Prabath
> >     >
> >     > Twitter : @prabath
> >     > LinkedIn : http://www.linkedin.com/in/prabathsiriwardena
> >     >
> >     > Mobile : +1 650 625 7950
> >     >
> >     > http://blog.facilelogin.com
> >     > http://blog.api-security.org
> >     >
> >     >
> >     >
> >
> >
> >
> >
> > --
> > Thanks & Regards,
> > Prabath
> >
> > Twitter : @prabath
> > LinkedIn : http://www.linkedin.com/in/prabathsiriwardena
> >
> > Mobile : +1 650 625 7950
> >
> > http://blog.facilelogin.com
> > http://blog.api-security.org
>
>


-- 
Thanks & Regards,
Prabath

Twitter : @prabath
LinkedIn : http://www.linkedin.com/in/prabathsiriwardena

Mobile : +1 650 625 7950

http://blog.facilelogin.com
http://blog.api-security.org
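The thread proposes carrying the access token inside a JWT envelope so that the binding does not depend on HTTP, and Hannes replies that the receiver still has to tie the token to the request and that the transport's properties matter. The following is an added example, not code from the thread or from any of the drafts it links: a publisher wraps a JSON message in a compact JWS (HS256) whose protected header carries the access token, and a subscriber performs the checks a message-level binding has to supply itself because no transport does it for it (algorithm pinning, signature, audience, expiry, replay via `jti`, and token state via introspection). Everything here is constructed: the `access_token` header parameter name is hypothetical and not a registered JOSE header, the shared HMAC key and the introspection table stand in for real key management and an authorization server, and a signed envelope is used instead of the encrypted one Prabath mentions, so the token's confidentiality still has to come from the transport or from a JWE layer this example does not implement.

```python
"""Message-level OAuth token envelope: constructed illustration for the thread above."""
import base64
import hashlib
import hmac
import json
import time
from typing import Callable, List, Optional, Tuple

# Constructed shared secret between publisher and subscriber (illustration only).
SHARED_KEY = b"constructed-demo-key-do-not-reuse"
# Constructed introspection table standing in for the authorization server.
TOKEN_DB = {
    "tok-123": {"active": True, "sub": "device-7"},
    "tok-expired": {"active": False},
}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def wrap_message(key: bytes, access_token: str, payload: dict) -> str:
    """Compact JWS (HS256) whose protected header carries the access token.

    "access_token" is a hypothetical header parameter chosen for this
    illustration; it is not a registered JOSE header name.
    """
    header = {"alg": "HS256", "typ": "JWT", "access_token": access_token}
    signing_input = ".".join(
        b64url(json.dumps(part, separators=(",", ":")).encode("utf-8"))
        for part in (header, payload)
    )
    tag = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url(tag)


class Receiver:
    """Subscriber-side checks: algorithm, signature, audience, freshness, replay, token state."""

    def __init__(self, key: bytes, audience: str, introspect: Callable[[str], Optional[dict]]):
        self.key = key
        self.audience = audience
        self.introspect = introspect
        self.seen_jti = set()  # replay cache; a real one would evict entries once exp passes

    def accept(self, compact: str, now: Optional[float] = None) -> Tuple[bool, str]:
        now = time.time() if now is None else now
        parts = compact.split(".")
        if len(parts) != 3:
            return False, "malformed"
        h_b64, p_b64, s_b64 = parts
        try:
            header = json.loads(b64url_decode(h_b64))
        except (ValueError, UnicodeDecodeError):
            return False, "malformed"
        # Pin the algorithm before looking at the signature (no "none", no key confusion).
        if header.get("alg") != "HS256":
            return False, "alg"
        expected = hmac.new(self.key, f"{h_b64}.{p_b64}".encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(s_b64)):
            return False, "signature"
        payload = json.loads(b64url_decode(p_b64))
        # The envelope, not the transport, says who the message is for and how long it lives.
        if payload.get("aud") != self.audience:
            return False, "audience"
        if not isinstance(payload.get("exp"), (int, float)) or payload["exp"] <= now:
            return False, "expired"
        jti = payload.get("jti")
        if not jti or jti in self.seen_jti:
            return False, "replay"
        info = self.introspect(header.get("access_token"))
        if not info or not info.get("active"):
            return False, "token"
        self.seen_jti.add(jti)
        return True, info["sub"]


def demo() -> List[Tuple[bool, str]]:
    """Happy path followed by the failure modes; returns the receiver's verdicts in order."""
    recv = Receiver(SHARED_KEY, "topic:telemetry", TOKEN_DB.get)
    now = 1_700_000_000
    msg = {"aud": "topic:telemetry", "exp": now + 60, "jti": "m-1", "reading": 21.5}
    good = wrap_message(SHARED_KEY, "tok-123", msg)
    results = [recv.accept(good, now)]                                  # (True, "device-7")
    results.append(recv.accept(good, now))                              # same jti again: replay
    h, p, s = good.split(".")
    tampered = ".".join([h, p[:-1] + ("A" if p[-1] != "A" else "B"), s])  # payload altered in transit
    results.append(recv.accept(tampered, now))                          # signature
    other = wrap_message(SHARED_KEY, "tok-123", {**msg, "jti": "m-2", "aud": "topic:other"})
    results.append(recv.accept(other, now))                             # audience
    stale = wrap_message(SHARED_KEY, "tok-expired", {**msg, "jti": "m-3"})
    results.append(recv.accept(stale, now))                             # token no longer active
    return results


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The order of checks is deliberate: the algorithm is pinned and the signature verified before any claim is trusted, and the token is introspected only after the envelope itself has been accepted, so an attacker cannot drive introspection traffic with unsigned messages. What the example cannot provide is the part John Bradley and Hannes point at: a bearer token inside a signed envelope is still a bearer token, and whoever can read the envelope on a transport without confidentiality can reuse the token in a fresh envelope of their own, which is why the HTTPS, SASL and CoAP documents each spell out what the transport must guarantee.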