Re: [OAUTH-WG] Oauth Server to Server
Todd W Lainhart <lainhart@us.ibm.com> Thu, 26 September 2013 14:55 UTC
To: Justin Richer <jricher@mitre.org>
Cc: "oauth@ietf.org WG" <oauth@ietf.org>, oauth-bounces@ietf.org
Message-ID: <OFCC5897C9.41C026FF-ON85257BF2.0051A3B1-85257BF2.0051EB48@us.ibm.com>
In-Reply-To: <52443944.6040308@mitre.org>
References: <832FA2A6-D0DD-45D0-9107-7EE02B6793B7@adobe.com> <52443944.6040308@mitre.org>
> From what I read, it sounds like you want either the assertion flow (which is defined in extensions) or the client credentials flow (not the resource owner password flow).

I thought the same re "client credentials flow", but on a quick reading of Google's spec, their impl also allows for impersonation, assuming that the client has been registered to allow such (unclear if the original poster also wanted this functionality). We have a similar feature in our impl - client creds flow w/ impersonation (with supporting registration).

Todd Lainhart
Rational software
IBM Corporation
550 King Street, Littleton, MA 01460-1250
1-978-899-4705
2-276-4705 (T/L)
lainhart@us.ibm.com

From: Justin Richer <jricher@mitre.org>
To: Antonio Sanso <asanso@adobe.com>
Cc: "oauth@ietf.org WG" <oauth@ietf.org>
Date: 09/26/2013 09:41 AM
Subject: Re: [OAUTH-WG] Oauth Server to Server
Sent by: oauth-bounces@ietf.org

From what I read, it sounds like you want either the assertion flow (which is defined in extensions) or the client credentials flow (not the resource owner password flow). In either of these, the client authenticates on its own behalf and gets a token directly with no user involved, and both are fully specified.

-- Justin

On 09/24/2013 08:08 AM, Antonio Sanso wrote:
> Hi *,
>
> apologies to be back to this argument :).
>
> Let me try to better explain one use case that IMHO would be really good to have in the OAuth specification family :)
>
> At the moment the only "OAuth standard" way I know to do OAuth server to server is to use [0], namely Resource Owner Password Credentials Grant.
>
> Let me tell you I am not a big fan of this particular flow :) (but this is another story).
>
> An arguably better way to solve this scenario is to use (and why not to standardise :S?) the method used by Google (or a variant of it), see [1].
>
> Couple of more things:
>
> - I do not know if Google would be interested to put some effort to standardise it (is anybody from Google lurking :) e.g. Tim Bray :D )
> - I am not too familiar with IETF process. Would the OAuth WG take into consideration such a proposal draft??
>
> Thanks and regards
>
> Antonio
>
> [0] http://tools.ietf.org/html/rfc6749#section-4.3
> [1] https://developers.google.com/accounts/docs/OAuth2ServiceAccount
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
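Added example, not part of the thread and not Google's or IBM's code: a minimal RS256 JWT bearer assertion in Go (standard library only), with the client side that signs it and the authorization-server side that validates it, to show where the "registered to allow impersonation" check Todd describes actually lives. The claim names follow the Google service-account document (iss, scope, aud, exp, iat) with sub carrying the impersonated user; the client id svc@example.iam, the user alice@example.com and the token endpoint https://as.example/token are made up for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims of the JWT bearer assertion in the shape of Google's service-account
// flow: iss = the client, aud = the token endpoint, optional sub = user to act for.
type Claims struct {
	Iss   string `json:"iss"`
	Scope string `json:"scope,omitempty"`
	Aud   string `json:"aud"`
	Exp   int64  `json:"exp"`
	Iat   int64  `json:"iat"`
	Sub   string `json:"sub,omitempty"`
}

// RegisteredClient is what the server stored at registration time (assumed schema).
type RegisteredClient struct {
	PublicKey        *rsa.PublicKey
	AllowImpersonate bool
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

func decodeJSONPart(part string, v interface{}) error {
	raw, err := base64.RawURLEncoding.DecodeString(part)
	if err != nil {
		return err
	}
	return json.Unmarshal(raw, v)
}

// MakeAssertion is the client side: RS256-sign the claims into a compact JWT.
func MakeAssertion(key *rsa.PrivateKey, c Claims) (string, error) {
	body, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	signingInput := b64([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + b64(body)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64(sig), nil
}

// VerifyAssertion is the authorization-server side: the algorithm is pinned, the key
// comes from the registration record for iss (never from the token), and sub is only
// honoured if that record allows impersonation.
func VerifyAssertion(token, tokenEndpoint string, clients map[string]RegisteredClient, now time.Time) (Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return Claims{}, errors.New("malformed assertion")
	}
	var hdr struct{ Alg string `json:"alg"` }
	if err := decodeJSONPart(parts[0], &hdr); err != nil || hdr.Alg != "RS256" {
		return Claims{}, errors.New("unsupported or missing alg") // rejects alg=none and HMAC confusion
	}
	var c Claims
	if err := decodeJSONPart(parts[1], &c); err != nil {
		return Claims{}, err
	}
	client, ok := clients[c.Iss]
	if !ok {
		return Claims{}, errors.New("iss is not a registered client")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || rsa.VerifyPKCS1v15(client.PublicKey, crypto.SHA256, digest[:], sig) != nil {
		return Claims{}, errors.New("bad signature")
	}
	if c.Aud != tokenEndpoint || c.Exp <= now.Unix() {
		return Claims{}, errors.New("wrong audience or expired assertion")
	}
	if c.Sub != "" && c.Sub != c.Iss && !client.AllowImpersonate {
		return Claims{}, errors.New("client is not registered for impersonation")
	}
	return c, nil
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	endpoint := "https://as.example/token" // hypothetical token endpoint
	// hypothetical client registered without the impersonation permission
	clients := map[string]RegisteredClient{"svc@example.iam": {PublicKey: &key.PublicKey}}
	now := time.Now()
	c := Claims{Iss: "svc@example.iam", Scope: "read", Aud: endpoint, Iat: now.Unix(), Exp: now.Unix() + 300, Sub: "alice@example.com"}
	tok, _ := MakeAssertion(key, c)
	_, err := VerifyAssertion(tok, endpoint, clients, now)
	fmt.Println("impersonation by a client not registered for it:", err)
}
```

The point the thread turns on is the last check: a client credentials or assertion grant with no sub is a client acting for itself, while a sub naming another principal is only accepted when the registration record says so. Everything the server trusts (algorithm, key, permission) is looked up from registration by iss; nothing about the decision is taken from the token the client sent.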