Re: [OAUTH-WG] Confirmation: Call for Adoption of "OAuth Token Introspection" as an OAuth Working Group Item

Phil Hunt <phil.hunt@oracle.com> Wed, 30 July 2014 00:55 UTC

Return-Path: <phil.hunt@oracle.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 123CF1B2A1F for <oauth@ietfa.amsl.com>; Tue, 29 Jul 2014 17:55:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Level:
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3GUDKQjteZh1 for <oauth@ietfa.amsl.com>; Tue, 29 Jul 2014 17:55:00 -0700 (PDT)
Received: from userp1040.oracle.com (userp1040.oracle.com [156.151.31.81]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 748621B2A20 for <oauth@ietf.org>; Tue, 29 Jul 2014 17:55:00 -0700 (PDT)
Received: from ucsinet22.oracle.com (ucsinet22.oracle.com [156.151.31.94]) by userp1040.oracle.com (Sentrion-MTA-4.3.2/Sentrion-MTA-4.3.2) with ESMTP id s6U0su2r014240 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Wed, 30 Jul 2014 00:54:57 GMT
Received: from userz7021.oracle.com (userz7021.oracle.com [156.151.31.85]) by ucsinet22.oracle.com (8.14.5+Sun/8.14.5) with ESMTP id s6U0suJU000375 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL); Wed, 30 Jul 2014 00:54:56 GMT
Received: from abhmp0005.oracle.com (abhmp0005.oracle.com [141.146.116.11]) by userz7021.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id s6U0stHt004698; Wed, 30 Jul 2014 00:54:55 GMT
Received: from [192.168.1.125] (/24.86.29.34) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Tue, 29 Jul 2014 17:54:54 -0700
References: <53D6895F.4050104@gmx.net> <CAEayHEM+pqDqv1qx=Z-qhNuYM-s2cV0z=sQb_FAJaGwcLpq_rQ@mail.gmail.com> <20A36D56-D581-4EDE-9DEA-D3F9C48AD20B@oracle.com> <53D81F2C.2060700@aol.com> <4E1F6AAD24975D4BA5B16804296739439ADF77B2@TK5EX14MBXC293.redmond.corp.microsoft.com> <53D841D3.6020505@mit.edu>
Mime-Version: 1.0 (1.0)
In-Reply-To: <53D841D3.6020505@mit.edu>
Content-Type: multipart/alternative; boundary=Apple-Mail-6937D7E9-177C-4F36-A32B-0F690BC69F14
Content-Transfer-Encoding: 7bit
Message-Id: <311A2204-E968-4657-BD27-58DCD072542A@oracle.com>
X-Mailer: iPhone Mail (11D257)
From: Phil Hunt <phil.hunt@oracle.com>
Date: Tue, 29 Jul 2014 17:54:51 -0700
To: Justin Richer <jricher@mit.edu>
X-Source-IP: ucsinet22.oracle.com [156.151.31.94]
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/bXzikgJU5dCiYAI4BX4AZS6h37o
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Confirmation: Call for Adoption of "OAuth Token Introspection" as an OAuth Working Group Item
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 30 Jul 2014 00:55:03 -0000

-100

Phil

> On Jul 29, 2014, at 17:52, Justin Richer <jricher@mit.edu> wrote:
> 
> Reading through this thread, it appears very clear to me that the use cases are very well established by a number of existing implementers who want to work together to build a common standard. I see no reason to delay the work artificially by creating a use case document when such a vast array of understanding and interest already exists. Any use cases and explanations of applications are welcome to be added to the working group draft as it progresses.
> 
>  -- Justin
> 
> 
>> On 7/29/2014 8:16 PM, Mike Jones wrote:
>> Did you consider standardizing the access token format within that deployment so all the parties that needed to could understand it, rather requiring an extra round trip to an introspection endpoint so as to be able to understand things about it?
>>  
>> I realize that might or might not be practical in some cases, but I haven’t heard that alternative discussed, so I thought I’d bring it up.
>>  
>> I also second Phil’s comment that it would be good to understand the use cases that this is intended to solve before embarking on a particular solution path.
>>  
>>                                                             -- Mike
>>  
>> From: OAuth [mailto:oauth-bounces@ietf.org]                 On Behalf Of George Fletcher
>> Sent: Tuesday, July 29, 2014 3:25 PM
>> To: Phil Hunt; Thomas Broyer
>> Cc: oauth@ietf.org
>> Subject: Re: [OAUTH-WG] Confirmation: Call for Adoption of "OAuth Token Introspection" as an OAuth Working Group Item
>>  
>> We also have a use case where the AS is provided by a partner and the RS is provided by AOL. Being able to have a standardized way of validating and getting data about the token from the AS would make our implementation much simpler as we can use the same mechanism for all Authorization Servers and not have to implement one off solutions for each AS.
>> 
>> Thanks,
>> George
>> 
>> On 7/28/14, 8:11 PM, Phil Hunt wrote:
>> Could we have some discussion on the interop cases?
>>  
>> Is it driven by scenarios where AS and resource are separate domains? Or may this be only of interest to specific protocols like UMA?
>>  
>> From a technique principle, the draft is important and sound. I am just not there yet on the reasons for an interoperable standard. 
>>  
>> Phil
>> 
>> On Jul 28, 2014, at 17:00, Thomas Broyer <t.broyer@gmail.com> wrote:
>> 
>> Yes. This spec is of special interest to the platform we're building for http://www.oasis-eu.org/
>>  
>> 
>> On Mon, Jul 28, 2014 at 7:33 PM, Hannes Tschofenig <hannes.tschofenig@gmx.net> wrote:
>> Hi all,
>> 
>> during the IETF #90 OAuth WG meeting, there was strong consensus in
>> adopting the "OAuth Token Introspection"
>> (draft-richer-oauth-introspection-06.txt) specification as an OAuth WG
>> work item.
>> 
>> We would now like to verify the outcome of this call for adoption on the
>> OAuth WG mailing list. Here is the link to the document:
>> http://datatracker.ietf.org/doc/draft-richer-oauth-introspection/
>> 
>> If you did not hum at the IETF 90 OAuth WG meeting, and have an opinion
>> as to the suitability of adopting this document as a WG work item,
>> please send mail to the OAuth WG list indicating your opinion (Yes/No).
>> 
>> The confirmation call for adoption will last until August 10, 2014.  If
>> you have issues/edits/comments on the document, please send these
>> comments along to the list in your response to this Call for Adoption.
>> 
>> Ciao
>> Hannes & Derek
>> 
>> 
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>> 
>> 
>> 
>>  
>> -- 
>> Thomas Broyer
>> /tɔ.ma.bʁwa.je/
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>> 
>> 
>> 
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>>  
>> 
>> 
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>