Re: [OAUTH-WG] Using OAuth to get a JWT/SAML token

Justin Richer <jricher@mitre.org> Fri, 13 April 2012 16:39 UTC

Message-ID: <4F885680.5090801@mitre.org>
Date: Fri, 13 Apr 2012 12:38:24 -0400
From: Justin Richer <jricher@mitre.org>
To: Lewis Adam-CAL022 <Adam.Lewis@motorolasolutions.com>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Using OAuth to get a JWT/SAML token

If the mobile device has a web browser (such as a smart phone), then 
this is pretty easy, and you've got a couple of options.

One of the best options when the token is on behalf of an end user is, 
in my opinion, to use the authorization code flow like this: First, 
register what's called a "public client" with your server -- so you'll 
get an ID but not a client secret. With that client ID, register a 
custom-scheme callback URI, like "myapp://oauthcallback", and register 
your app on the device as the handler for "myapp".

In your application, to start things off, you fire off a web browser to 
the authorization server's authorization endpoint. The user logs in to 
the authorization server through the web browser, approves this copy of 
your app, and gets redirected to "myapp://oauthcallback?code=basdf132". 
Your app grabs the "myapp://" URL and plucks the authorization code off 
the end of it. Your app then takes that code and sends it in the 
background to the token endpoint to exchange for a token.

Some key points:

1) You need to have access to a web browser on the platform, and it's 
considered best practice to push the user to the external browser 
application on the platform instead of embedding one. There are a couple 
of paragraphs in the spec's security considerations section that talk 
about this.
2) Your app is "public" because you can't publish it with a secret at 
configuration time. It can, however, keep the tokens secret at runtime.
3) You need to be very careful with how you store the tokens on the 
device -- they need to be in a trusted space where other apps on the 
device can't sniff them out.
4) Another app can try to register "myapp://" and intercept your code on 
the way through, so make sure your codes are all one-time use and 
short-lived.

None of this is just theoretically possible; people are doing it today. 
What libraries and stuff you'd be after depends wholly on your platform 
(both server and client side).

  -- Justin
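As an added illustration of the flow and of point 4 above (not code from this message or from any project): a toy Python authorization server that binds each code to the registered public client and its "myapp://oauthcallback" URI, makes it single-use, and expires it; the client-side helpers build the authorization URL and pluck the code off the callback URL. Names such as AuthorizationServer, CODE_TTL_SECONDS and the client id "mobile-app" are assumptions for the example.

```python
import secrets
import time
from urllib.parse import urlencode, urlparse, parse_qs

CODE_TTL_SECONDS = 60  # assumed lifetime: codes must be short-lived


class AuthorizationServer:
    """Toy AS: issues one-time, short-lived codes for registered public clients."""

    def __init__(self, clock=time.time):
        self.clock = clock      # injectable so expiry can be exercised offline
        self.clients = {}       # client_id -> registered custom-scheme redirect_uri
        self.codes = {}         # code -> (client_id, redirect_uri, user, expires_at)

    def register_public_client(self, client_id, redirect_uri):
        # Public client: an ID and a callback URI, but no client secret.
        self.clients[client_id] = redirect_uri

    def authorize(self, client_id, redirect_uri, user):
        # Called after the user logged in via the browser and approved the app;
        # returns the redirect the browser will hand to the "myapp" handler.
        if self.clients.get(client_id) != redirect_uri:
            raise ValueError("unknown client or redirect_uri mismatch")
        code = secrets.token_urlsafe(16)
        self.codes[code] = (client_id, redirect_uri, user, self.clock() + CODE_TTL_SECONDS)
        return redirect_uri + "?" + urlencode({"code": code})

    def token(self, client_id, redirect_uri, code):
        # pop(): the code is consumed on first use, so a replay from an app that
        # hijacked "myapp://" fails even if it arrives before the real exchange finishes
        entry = self.codes.pop(code, None)
        if entry is None:
            return None
        cid, ruri, user, expires_at = entry
        if cid != client_id or ruri != redirect_uri or self.clock() > expires_at:
            return None
        return {"access_token": secrets.token_urlsafe(24), "token_type": "Bearer", "sub": user}


def build_authorization_url(authz_endpoint, client_id, redirect_uri):
    # URL the app opens in the platform's external browser to start the flow.
    params = {"response_type": "code", "client_id": client_id, "redirect_uri": redirect_uri}
    return authz_endpoint + "?" + urlencode(params)


def extract_code(callback_url):
    # Client side: accept only our registered custom-scheme callback, then read the code.
    parts = urlparse(callback_url)
    if parts.scheme != "myapp" or parts.netloc != "oauthcallback":
        raise ValueError("unexpected callback URL")
    return parse_qs(parts.query)["code"][0]
```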

On 04/12/2012 03:01 PM, Lewis Adam-CAL022 wrote:
>
> Hi all,
>
> I've been talking to some of you off line about this already, but I 
> need some help in terms of implementation.  I would like to use OAuth 
> as a means to get either a JWT or SAML token to a client running on a 
> handheld device.  This is something that I'm looking to prototype (as 
> part of a larger project) beginning this week.  So, it is important to 
> me to understand the divide between what is theoretically possible and 
> what is actually possible.
>
> Anybody aware of any implementations out there, either vendor or open 
> source, that I can use for this?
>
> Tx!
> adam
>
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth