Re: [OAUTH-WG] Adding a SAML 2 token type to the OAuth Token Exchange spec

Vladimir Dzhuvinov <vladimir@connect2id.com> Wed, 04 October 2017 06:13 UTC

To: oauth@ietf.org
References: <CY4PR21MB05049AF48AB53010817C8521F5720@CY4PR21MB0504.namprd21.prod.outlook.com>
From: Vladimir Dzhuvinov <vladimir@connect2id.com>
Organization: Connect2id Ltd.
Message-ID: <34a5f621-3ec1-d0c4-b669-e894662bb2ff@connect2id.com>
Date: Wed, 04 Oct 2017 09:12:58 +0300
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/c5W6KH639L-wyCu-2J40nVQ-zT4>
Subject: Re: [OAUTH-WG] Adding a SAML 2 token type to the OAuth Token Exchange spec

+1

Vladimir

PS: Am I correct that the current token exchange spec can be used with
mTLS and token binding as it is, without any additional changes?


On 03/10/17 16:51, Mike Jones wrote:
> A Microsoft use case has come up in which people would like to perform a token exchange for a SAML token. The spec already defines urn:ietf:params:oauth:token-type:jwt for requesting JWT tokens.  Would anybody object to us adding urn:ietf:params:oauth:token-type:saml2 to the next draft to also give us a standard way to ask for SAML 2.0 tokens?
>
> It could always be done in its own spec, but adding it in Token Exchange seems more expedient.
>
> -- Mike