Re: [OAUTH-WG] Using Oauth2 token to SOAP web services

Guang Yang <guang.g.yang@oracle.com> Wed, 28 March 2012 00:32 UTC

Return-Path: <guang.g.yang@oracle.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7B9A021F85B1 for <oauth@ietfa.amsl.com>; Tue, 27 Mar 2012 17:32:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.9
X-Spam-Level:
X-Spam-Status: No, score=-9.9 tagged_above=-999 required=5 tests=[AWL=-0.698, BAYES_00=-2.599, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=1.396, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Jy1IZAU1F924 for <oauth@ietfa.amsl.com>; Tue, 27 Mar 2012 17:32:23 -0700 (PDT)
Received: from rcsinet15.oracle.com (rcsinet15.oracle.com [148.87.113.117]) by ietfa.amsl.com (Postfix) with ESMTP id 3856621F85AD for <oauth@ietf.org>; Tue, 27 Mar 2012 17:32:23 -0700 (PDT)
Received: from acsinet22.oracle.com (acsinet22.oracle.com [141.146.126.238]) by rcsinet15.oracle.com (Sentrion-MTA-4.2.2/Sentrion-MTA-4.2.2) with ESMTP id q2S0WLWD026535 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Wed, 28 Mar 2012 00:32:22 GMT
Received: from acsmt357.oracle.com (acsmt357.oracle.com [141.146.40.157]) by acsinet22.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id q2S0WKoY025488 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 28 Mar 2012 00:32:21 GMT
Received: from abhmt115.oracle.com (abhmt115.oracle.com [141.146.116.67]) by acsmt357.oracle.com (8.12.11.20060308/8.12.11) with ESMTP id q2S0WKHi008429; Tue, 27 Mar 2012 19:32:20 -0500
Received: from [192.168.1.100] (/111.161.36.99) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Tue, 27 Mar 2012 17:32:20 -0700
References: <704876DE7EC20A49B6D0A5892068B0130B093AC1FD@DFW1MBX10.mex07a.mlsrvr.com>
In-Reply-To: <704876DE7EC20A49B6D0A5892068B0130B093AC1FD@DFW1MBX10.mex07a.mlsrvr.com>
Mime-Version: 1.0 (iPad Mail 8J2)
Content-Transfer-Encoding: 7bit
Content-Type: multipart/alternative; boundary="Apple-Mail-2-252741370"
Message-Id: <DC4208DB-E834-401E-865F-2F5856FDA69B@oracle.com>
X-Mailer: iPad Mail (8J2)
From: Guang Yang <guang.g.yang@oracle.com>
Date: Wed, 28 Mar 2012 08:32:19 +0800
To: Jay Thorne <jthorne@layer7tech.com>
X-Source-IP: acsinet22.oracle.com [141.146.126.238]
X-CT-RefId: str=0001.0A090202.4F725C16.006B,ss=1,re=-2.300,fgs=0
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Using Oauth2 token to SOAP web services
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 28 Mar 2012 00:32:24 -0000

Thank you. Actually I am looking for a standard spec defines how to put the access token in soap request. I know several vendors in the industry have their solution of it but none of them is following a public standardization. So could you please do me a favor on letting me know how your product does for soap? Appreciate for your help.

To the community, according recent emails back and force looks like we agree that it makes sense to have oauth enabled for soap, but nobody is giving a suggestion how to do it except using saml. I will appreciate to hear more suggestions before choosing a private way of my organization.

Thanks a lot,
Grant.
Oracle Communications, SDP

On Mar 28, 2012, at 4:38 AM, Jay Thorne <jthorne@layer7tech.com> wrote:

> http://www.layer7tech.com/
> 
>  
> 
> http://www.layer7tech.com/products/oauth-toolkit
> 
>  
> 
> Yes, we can work with OAuth2 in SOAP context. Let me know if you want to hear more about it.
> 
>  
> 
>  
> 
> --
> 
> Jay Thorne, Director of Development, Tactical Group
> 
> Layer 7 Technologies t: 778 329 9974 c:604 836 7257
> 
>  
> 
> From: Chris Dryden 
> Sent: Tuesday, March 27, 2012 1:04 PM
> To: Jay Thorne
> Subject: FW: [OAUTH-WG] Using Oauth2 token to SOAP web services
> 
>  
> 
> Jay, this message was posted to the OAuth working group today. I have seen someone else asking for the same thing -- OAuth tokens in a SOAP context. This seems like our area of expertise, doesn't it?
> 
>  
> 
> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of Grant Yang
> Sent: Wednesday, March 14, 2012 10:41 PM
> To: oauth@ietf.org
> Subject: [OAUTH-WG] Using Oauth2 token to SOAP web services
> 
>  
> 
> Hi all,
> 
>  
> 
> We were discussing the possibility to use Oauth2 token on SOAP in our product.
> 
>  
> 
> The preferred way in mentioned in RFC is of course to put it to HTTP Authorization header, but in this case it will beyond the scope of SOAP stack and I am not sure it shall be the correct way to go. It is also recognized that there is some implementation (such as salesforce) is using some SOAP header (“sessionId”) to put this token, but it looks like a private implementation and I did not find any specification supporting it.
> 
>  
> 
> Could any experts here illustrate any organization or forum is working on using Oauth2 token for SOAP request? As there are quite some legacy SOAP based web services, hopefully it is a question makes sense for you as well.
> 
>  
> 
> Thoughts?
> 
>  
> 
> Grant Yang
> 
> Architect, SDP of ORACLE Communications
> 
>  
> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth