Re: [OAUTH-WG] Multiple authorization servers for one resource server
Justin Richer <jricher@mit.edu> Sun, 13 March 2016 01:03 UTC
To: Takahiko Kawasaki <daru.tk@gmail.com>, "oauth@ietf.org" <oauth@ietf.org>
References: <CAGpwqP-coOvKeud4Bk=LgeF5N-wor=Uid==hZQPoiSDby0pa3A@mail.gmail.com>
From: Justin Richer <jricher@mit.edu>
Message-ID: <56E4BC4D.9000806@mit.edu>
Date: Sat, 12 Mar 2016 20:03:09 -0500
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/d5tgchPpiN6GWmEl5uAe7xyIjd4>
What we've done in deployments is to combine JWT and introspection. You have all of your servers issue signed JWTs that include the "iss" (issuer) in the body, signed with the key of the AS. The tokens also include a random "jti" field. The RS submits the token to the introspection endpoint of the server identified in "iss", but only after validating the signature and other basic bits of information. If the introspection call comes back positive (and with the right scope, client, and resource owner information), the resource is served.

-- Justin

On 3/11/2016 10:02 PM, Takahiko Kawasaki wrote:
> Hello,
>
> I have a question.
>
> If there exist multiple authorization servers that can issue access
> tokens for one resource server, when the resource server receives an
> access token from a client application, as the first step, the
> resource server has to determine which authorization server to use for
> access token introspection.
>
> Is there any standard way to determine which authorization server to use?
>
> There may be several ways, for example:
>
> (1) Embed information about the access token issuer in the access token.
> (2) Add a request parameter to identify the access token issuer.
> (3) Separate protected resource endpoints for each authorization server.
>
> If there is a standard way, I'd like to know it.
>
> Best Regards,
> Takahiko Kawasaki
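The JWT-plus-introspection flow Justin describes, as an added example that is not code from his message or from any deployment he refers to. It assumes a made-up RS configuration table (`ISSUERS`) keyed by `iss`, HS256 with a per-issuer shared secret so it runs on the standard library alone (a real AS signs with its private key), and an in-process stand-in for the RFC 7662 introspection endpoint (`introspect`, backed by constructed `ISSUED`/`REVOKED` records) in place of an HTTPS call. The two points it adds to the prose: the introspection URL is looked up from the RS's own configuration by `iss`, never dereferenced from the token, and the AS's introspection answer is cross-checked against the locally verified claims before the scope decision is made.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# RS-side trust configuration (constructed sample data). The introspection
# endpoint is selected from this table by the token's "iss"; the RS never
# dereferences a URL taken from the token itself. HS256 with a per-issuer
# shared secret is a simplification so the example runs with the standard
# library; real deployments sign with the AS's private key (e.g. RS256).
ISSUERS = {
    "https://as1.example": {"key": b"as1-shared-secret", "introspect": "https://as1.example/introspect"},
    "https://as2.example": {"key": b"as2-shared-secret", "introspect": "https://as2.example/introspect"},
}

# AS-side state (constructed): tokens each AS has issued, keyed by jti, and
# the jtis it has revoked. Introspection answers from these records.
ISSUED = {iss: {} for iss in ISSUERS}
REVOKED = {iss: set() for iss in ISSUERS}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(iss, sub, client_id, scope, ttl=300, now=None):
    """AS side: mint a signed JWT carrying iss and a random jti, and record it."""
    now = int(time.time()) if now is None else now
    claims = {"iss": iss, "sub": sub, "client_id": client_id, "scope": scope,
              "jti": secrets.token_urlsafe(16), "iat": now, "exp": now + ttl}
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (b64url(json.dumps(header, separators=(",", ":")).encode()) + "." +
                     b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(ISSUERS[iss]["key"], signing_input.encode(), hashlib.sha256).digest()
    ISSUED[iss][claims["jti"]] = claims
    return signing_input + "." + b64url(sig)


def revoke(iss, jti):
    """AS side: mark a jti as revoked; introspection will report it inactive."""
    REVOKED[iss].add(jti)


def introspect(endpoint, token):
    """Stand-in for an RFC 7662 introspection call (no network here). A real RS
    POSTs token=... with client authentication over TLS; the response shape is kept."""
    iss = next(i for i, cfg in ISSUERS.items() if cfg["introspect"] == endpoint)
    try:
        claims = json.loads(b64url_decode(token.split(".")[1]))
    except Exception:
        return {"active": False}
    rec = ISSUED[iss].get(claims.get("jti"))
    if rec is None or rec != claims or claims["jti"] in REVOKED[iss]:
        return {"active": False}
    return {"active": True, "iss": iss, "sub": rec["sub"], "client_id": rec["client_id"],
            "scope": rec["scope"], "exp": rec["exp"]}


def verify_locally(token, now=None):
    """RS step 1: signature and basic claims, before any introspection call.
    Raises ValueError on any failure."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(b64url_decode(h))
    claims = json.loads(b64url_decode(p))
    if header.get("alg") != "HS256":  # pin the algorithm; never let the header choose
        raise ValueError("unexpected alg")
    iss = claims.get("iss")
    if iss not in ISSUERS:  # unknown issuer: reject before touching any key
        raise ValueError("unknown issuer")
    expected = hmac.new(ISSUERS[iss]["key"], f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    if not isinstance(claims.get("jti"), str) or not claims["jti"]:
        raise ValueError("missing jti")
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    return claims


def authorize(token, required_scope, now=None):
    """RS step 2: introspect at the issuer's configured endpoint and compare the
    AS's answer with the token's own claims. Returns (decision, reason)."""
    try:
        claims = verify_locally(token, now)
    except ValueError as e:
        return False, str(e)
    resp = introspect(ISSUERS[claims["iss"]]["introspect"], token)
    if not resp.get("active"):
        return False, "inactive"
    for field in ("iss", "sub", "client_id"):
        if resp.get(field) != claims.get(field):
            return False, f"{field} mismatch"
    if required_scope not in resp.get("scope", "").split():
        return False, "insufficient scope"
    return True, "ok"
```

Ordering matters: a token that fails the local signature check never reaches `introspect`, so a forged or garbage bearer string cannot be used to make the RS contact an arbitrary server, and only tokens from a configured issuer cost an introspection round trip. The `jti` is what lets the AS answer "inactive" for a token whose signature is still perfectly valid.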
- [OAUTH-WG] Multiple authorization servers for one… Takahiko Kawasaki
- Re: [OAUTH-WG] Multiple authorization servers for… Jim Willeke
- Re: [OAUTH-WG] Multiple authorization servers for… Mike Schwartz
- Re: [OAUTH-WG] Multiple authorization servers for… Phil Hunt (IDM)
- Re: [OAUTH-WG] Multiple authorization servers for… Jim Willeke
- Re: [OAUTH-WG] Multiple authorization servers for… Phil Hunt (IDM)
- Re: [OAUTH-WG] Multiple authorization servers for… Justin Richer
- Re: [OAUTH-WG] Multiple authorization servers for… Justin Richer
- Re: [OAUTH-WG] Multiple authorization servers for… Nat Sakimura
- Re: [OAUTH-WG] Multiple authorization servers for… Mike Schwartz
- Re: [OAUTH-WG] Multiple authorization servers for… John Bradley
- Re: [OAUTH-WG] Multiple authorization servers for… Thomas Broyer
- Re: [OAUTH-WG] Multiple authorization servers for… Andrea Ceccanti
- Re: [OAUTH-WG] Multiple authorization servers for… George Fletcher
- Re: [OAUTH-WG] Multiple authorization servers for… Mike Schwartz
- Re: [OAUTH-WG] Multiple authorization servers for… John Bradley
- Re: [OAUTH-WG] Multiple authorization servers for… Justin Richer