Re: [OAUTH-WG] Info on how to implement a server

"Salz, Rich" <rsalz@akamai.com> Sun, 18 August 2019 19:41 UTC

Return-Path: <rsalz@akamai.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0E6F21200B8 for <oauth@ietfa.amsl.com>; Sun, 18 Aug 2019 12:41:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=akamai.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id X0_XtwUjdImq for <oauth@ietfa.amsl.com>; Sun, 18 Aug 2019 12:41:06 -0700 (PDT)
Received: from mx0a-00190b01.pphosted.com (mx0a-00190b01.pphosted.com [IPv6:2620:100:9001:583::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E5A841201E4 for <oauth@ietf.org>; Sun, 18 Aug 2019 12:41:06 -0700 (PDT)
Received: from pps.filterd (m0122333.ppops.net [127.0.0.1]) by mx0a-00190b01.pphosted.com (8.16.0.42/8.16.0.42) with SMTP id x7IJb4Na019161; Sun, 18 Aug 2019 20:41:06 +0100
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=akamai.com; h=from : to : cc : subject : date : message-id : references : in-reply-to : content-type : mime-version; s=jan2016.eng; bh=TH2tpcL/214BA0dI7CPvzeXXqtgjugEZ0x/E6BhjbSY=; b=Ypzvrl8tb9chDlyHvkM6tufC8zO/3qBIMDV0/nIjBEoa3I8v472MLvLLSdJQef1IvwxW 9oAjG6SxapuckUqNM//JkPEpXLaTA+HPZvjooe9+UKlPoD7zXJKkJtO5lWDvlTCjO3gO gTcbCe6dUQ/l5zo6jE8e5fzW0oJpqAOz2z2IGf1uxZdlz1OWdPk74RRWQ6QaC+9dfdnl RT7ji7HGZNWw81/axkxRX1YK8NXGBFDf8JdQE79q1U4/hRkX0RVGX6Dpw54z2qxaNRlK eHTQKcwOMeZrtxQ/qjWY9usdhvTZk33g2+ifVwKRdT1Ocr+SayVjrzoGxJ0/6c1jd4/+ XA==
Received: from prod-mail-ppoint5 (prod-mail-ppoint5.akamai.com [184.51.33.60] (may be forged)) by mx0a-00190b01.pphosted.com with ESMTP id 2ue8u6x3uc-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Sun, 18 Aug 2019 20:41:05 +0100
Received: from pps.filterd (prod-mail-ppoint5.akamai.com [127.0.0.1]) by prod-mail-ppoint5.akamai.com (8.16.0.27/8.16.0.27) with SMTP id x7IJWAGq029222; Sun, 18 Aug 2019 12:41:04 -0700
Received: from email.msg.corp.akamai.com ([172.27.123.32]) by prod-mail-ppoint5.akamai.com with ESMTP id 2uefj92b3f-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT); Sun, 18 Aug 2019 12:41:04 -0700
Received: from USMA1EX-DAG1MB1.msg.corp.akamai.com (172.27.123.101) by usma1ex-dag1mb4.msg.corp.akamai.com (172.27.123.104) with Microsoft SMTP Server (TLS) id 15.0.1473.3; Sun, 18 Aug 2019 15:41:03 -0400
Received: from USMA1EX-DAG1MB1.msg.corp.akamai.com ([172.27.123.101]) by usma1ex-dag1mb1.msg.corp.akamai.com ([172.27.123.101]) with mapi id 15.00.1473.005; Sun, 18 Aug 2019 15:41:03 -0400
From: "Salz, Rich" <rsalz@akamai.com>
To: Hans Zandbelt <hans.zandbelt@zmartzone.eu>, John Bradley <ve7jtb@ve7jtb.com>
CC: "oauth@ietf.org" <oauth@ietf.org>
Thread-Topic: [OAUTH-WG] Info on how to implement a server
Thread-Index: AQHVVSB+mqzXXWtHJ0yU+TjhKS0hzqb/7IKAgAAA+4CAAWH9AA==
Date: Sun, 18 Aug 2019 19:41:02 +0000
Message-ID: <74BEF7B5-55AC-4BD6-AEF1-D04DEFE9F0EA@akamai.com>
References: <D3FB5975-2448-445B-8B48-0A46D43E0A99@akamai.com> <bc37895b-b4c9-af54-dbfc-6aa2cd80b75b@ve7jtb.com> <CA+iA6uifvqv=18ZYLf+BmDYhp6ZyEvwv+9mWoL37ALWuqozj4w@mail.gmail.com>
In-Reply-To: <CA+iA6uifvqv=18ZYLf+BmDYhp6ZyEvwv+9mWoL37ALWuqozj4w@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/10.1c.0.190812
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [172.19.32.79]
Content-Type: multipart/alternative; boundary="_000_74BEF7B555AC4BD6AEF1D04DEFE9F0EAakamaicom_"
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:, , definitions=2019-08-18_08:, , signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 suspectscore=0 malwarescore=0 phishscore=0 bulkscore=0 spamscore=0 mlxscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1906280000 definitions=main-1908180216
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:5.22.84,1.0.8 definitions=2019-08-18_08:2019-08-16,2019-08-18 signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 adultscore=0 priorityscore=1501 lowpriorityscore=0 impostorscore=0 malwarescore=0 mlxscore=0 bulkscore=0 suspectscore=0 spamscore=0 clxscore=1011 mlxlogscore=999 phishscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-1906280000 definitions=main-1908180217
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/bb42H2HeOuvLgseON1Uf-4fQhZE>
Subject: Re: [OAUTH-WG] Info on how to implement a server
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 18 Aug 2019 19:41:09 -0000

Thanks for the links, folks.  I’m aware, and sorry for my sloppy terminology.

Imagine a service where anyone with a valid identity is authorized. There are many of these on the net. Collapsing authentication to authorization (“everyone authenticated is authorized”) seems not unreasonable.

But I don’t want to get distracted from my main goal.  Thanks.

From: Hans Zandbelt <hans.zandbelt@zmartzone.eu>;
Date: Saturday, August 17, 2019 at 2:34 PM
To: John Bradley <ve7jtb@ve7jtb.com>;
Cc: "oauth@ietf.org"; <oauth@ietf.org>;
Subject: Re: [OAUTH-WG] Info on how to implement a server

indeed OAuth != identity see https://oauth.net/articles/authentication/<https://urldefense.proofpoint.com/v2/url?u=https-3A__oauth.net_articles_authentication_&d=DwMFaQ&c=96ZbZZcaMF4w0F4jpN6LZg&r=4LM0GbR0h9Fvx86FtsKI-w&m=QNNK_MY9rFkxOH8kTY5Lb9XzaocnzqHfE2Qy1s1rKIQ&s=S3hNRZN-F73VNr2ls-yKN4bJPSuH4w92SmFc1PAvi4M&e=>

Hans.

On Sat, Aug 17, 2019 at 8:31 PM John Bradley <ve7jtb@ve7jtb.com<mailto:ve7jtb@ve7jtb.com>> wrote:

The openID Connect kind of OAuth server.

OAuth on its own is not designed to be secure for identity federation.

John B.
On 8/17/2019 1:23 PM, Salz, Rich wrote:
What’s the WG consensus (heh) on the best guide to adding OAUTH support to an existing server so that it can act as an identity provider?  Which version of oauth is most widely deployed by relying parties these days?

I want to add OAUTH support to the IETF datatracker.

Thanks for any pointers.  Replies to me will be summarized for the list.

                /r$




_______________________________________________

OAuth mailing list

OAuth@ietf.org<mailto:OAuth@ietf.org>

https://www.ietf.org/mailman/listinfo/oauth<https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_mailman_listinfo_oauth&d=DwMFaQ&c=96ZbZZcaMF4w0F4jpN6LZg&r=4LM0GbR0h9Fvx86FtsKI-w&m=QNNK_MY9rFkxOH8kTY5Lb9XzaocnzqHfE2Qy1s1rKIQ&s=mYG4MvYj3IpSidDiigZr4NtmXiZ4uzpxrFAGd2WtoFM&e=>
_______________________________________________
OAuth mailing list
OAuth@ietf.org<mailto:OAuth@ietf.org>
https://www.ietf.org/mailman/listinfo/oauth<https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_mailman_listinfo_oauth&d=DwMFaQ&c=96ZbZZcaMF4w0F4jpN6LZg&r=4LM0GbR0h9Fvx86FtsKI-w&m=QNNK_MY9rFkxOH8kTY5Lb9XzaocnzqHfE2Qy1s1rKIQ&s=mYG4MvYj3IpSidDiigZr4NtmXiZ4uzpxrFAGd2WtoFM&e=>


--
hans.zandbelt@zmartzone.eu<mailto:hans.zandbelt@zmartzone.eu>
ZmartZone IAM - www.zmartzone.eu<https://urldefense.proofpoint.com/v2/url?u=http-3A__www.zmartzone.eu&d=DwMFaQ&c=96ZbZZcaMF4w0F4jpN6LZg&r=4LM0GbR0h9Fvx86FtsKI-w&m=QNNK_MY9rFkxOH8kTY5Lb9XzaocnzqHfE2Qy1s1rKIQ&s=rdGZncYUqvlwcXI7_GGrc5Niii46pDWHdpVklsb0Ijg&e=>