Re: [OAUTH-WG] Oauth Server to Server

Todd W Lainhart <lainhart@us.ibm.com> Thu, 26 September 2013 14:55 UTC

In-Reply-To: <52443944.6040308@mitre.org>
References: <832FA2A6-D0DD-45D0-9107-7EE02B6793B7@adobe.com> <52443944.6040308@mitre.org>
To: Justin Richer <jricher@mitre.org>
Cc: "oauth@ietf.org WG" <oauth@ietf.org>, oauth-bounces@ietf.org

>  From what I read, it sounds like you want either the assertion flow 
(which is defined in extensions) or the client credentials flow (not the 
resource owner password flow).

I thought the same re "client credentials flow", but on a quick reading of 
Google's spec, their impl also allows for impersonation, assuming that the 
client has been registered to allow such (unclear if the original poster 
also wanted this functionality).  We have a similar feature in our impl - 
client creds flow w/ impersonation (with supporting registration).

Todd Lainhart
Rational software
IBM Corporation
550 King Street, Littleton, MA 01460-1250
1-978-899-4705
2-276-4705 (T/L)
lainhart@us.ibm.com
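As an added illustration (not code from this thread or from any of the implementations mentioned), the following sketch shows a token endpoint for the client credentials grant in which impersonation is permitted only when the client's registration allows it, and only for the subjects it was registered for. The client registry, the `impersonate` request parameter and the secrets are assumptions for the example.

```python
import hmac
import secrets
from dataclasses import dataclass


# Constructed client registry (an assumption for this example): a client may act
# on a user's behalf only if registered for it, and only for the listed subjects.
@dataclass(frozen=True)
class Client:
    client_id: str
    client_secret: str
    can_impersonate: bool = False
    allowed_subjects: frozenset = frozenset()


REGISTRY = {
    "backend-job": Client("backend-job", "s3cret-A"),
    "admin-sync": Client("admin-sync", "s3cret-B", True, frozenset({"alice", "bob"})),
}


def authenticate_client(client_id, client_secret):
    """Return the registered Client, or None if the id/secret pair is wrong."""
    client = REGISTRY.get(client_id)
    if client is None:
        return None
    # Constant-time comparison so a wrong secret is not distinguishable by timing.
    if not hmac.compare_digest(client.client_secret.encode(), client_secret.encode()):
        return None
    return client


def token_endpoint(form):
    """Handle a client_credentials request; returns (http_status, json_body)."""
    if form.get("grant_type") != "client_credentials":
        return 400, {"error": "unsupported_grant_type"}
    client = authenticate_client(form.get("client_id", ""), form.get("client_secret", ""))
    if client is None:
        return 401, {"error": "invalid_client"}
    subject = client.client_id  # default: the token is for the client itself
    wanted = form.get("impersonate")  # assumed extension parameter
    if wanted is not None:
        # Registration decides: an unregistered client, or a subject outside the
        # registered set, is refused even though the client authenticated correctly.
        if not client.can_impersonate or wanted not in client.allowed_subjects:
            return 403, {"error": "unauthorized_client"}
        subject = wanted
    # "subject" and "acting_client" are illustrative metadata; a real server would
    # bind them to the issued token rather than echo them in the response.
    return 200, {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
                 "subject": subject, "acting_client": client.client_id}
```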

From:   Justin Richer <jricher@mitre.org>
To:     Antonio Sanso <asanso@adobe.com>, 
Cc:     "oauth@ietf.org WG" <oauth@ietf.org>
Date:   09/26/2013 09:41 AM
Subject:        Re: [OAUTH-WG] Oauth Server to Server
Sent by:        oauth-bounces@ietf.org

 From what I read, it sounds like you want either the assertion flow 
(which is defined in extensions) or the client credentials flow (not the 
resource owner password flow). In either of these, the client 
authenticates on its own behalf and gets a token directly with no user 
involved, and both are fully specified.

  -- Justin

On 09/24/2013 08:08 AM, Antonio Sanso wrote:
> Hi *,
>
> apologies to be back to this argument :).
>
> Let me try to better explain one use case that IMHO would be really good 
to have in the OAuth specification family :)
>
> At the moment the only "OAuth standard" way I know to do OAuth server to 
server is to use [0] namely Resource Owner Password Credentials Grant.
>
> Let me tell you I am not a big fan of this particular flow :) (but this is 
another story).
>
> An arguably better way to solve this scenario is to use (and why not to 
standardise :S?) the method used by Google (or a variant of it) see [1].
>
> A couple more things:
>
> - I do not know if Google would be interested to put some effort to 
standardise it (is anybody from Google lurking :) e.g. Tim Bray :D )
> - I am not too familiar with IETF process. Would the OAuth WG take into 
consideration such a proposal draft??
>
> Thanks and regards
>
> Antonio
>
> [0] http://tools.ietf.org/html/rfc6749#section-4.3
> [1] https://developers.google.com/accounts/docs/OAuth2ServiceAccount
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
