Re: [OAUTH-WG] Multiple authorization servers for one resource server

Justin Richer <jricher@mit.edu> Sun, 13 March 2016 01:03 UTC

To: Takahiko Kawasaki <daru.tk@gmail.com>, "oauth@ietf.org" <oauth@ietf.org>
References: <CAGpwqP-coOvKeud4Bk=LgeF5N-wor=Uid==hZQPoiSDby0pa3A@mail.gmail.com>
From: Justin Richer <jricher@mit.edu>
Message-ID: <56E4BC4D.9000806@mit.edu>
Date: Sat, 12 Mar 2016 20:03:09 -0500
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/d5tgchPpiN6GWmEl5uAe7xyIjd4>

What we've done in deployments is to combine JWT and introspection. You 
have all of your servers issue signed JWTs that include the "iss" 
(issuer) in the body, signed with the key of the AS. The tokens also 
include a random "jti" field. The RS submits the token to the 
introspection endpoint of the server identified in "iss", but only after 
validating the signature and other basic bits of information. If the 
introspection call comes back positive (and with the right scope, 
client, and resource owner information), the resource is served.

  -- Justin
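A runnable sketch of the arrangement Justin describes, added here as illustration (it is example code written for this page, not code from Justin's deployments): two authorization servers each issue JWTs carrying "iss" and a random "jti", and one resource server routes on "iss" to an issuer it already trusts, verifies the signature locally, and only then introspects and checks scope and subject. Assumptions: HS256 with a per-issuer shared key stands in for the AS's asymmetric signature so the example needs only the standard library; the in-process introspect() call stands in for an HTTPS POST to that AS's RFC 7662 introspection endpoint; the issuer URLs, client ids, users and scopes are made up.

```python
import base64, hashlib, hmac, json, secrets, time
from dataclasses import dataclass
from typing import Callable, Optional

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

class AuthorizationServer:
    """One AS: issues iss+jti JWTs and answers introspection (HS256 keeps it stdlib-only;
    a real AS signs with its private key and the RS verifies with the AS's public key)."""

    def __init__(self, issuer: str, key: bytes):
        self.issuer, self.key = issuer, key
        self.issued: dict[str, dict] = {}          # jti -> claims (the AS's token store)

    def issue(self, sub: str, client_id: str, scope: str, aud: str, ttl: int = 300) -> str:
        now = int(time.time())
        claims = {"iss": self.issuer, "sub": sub, "aud": aud, "client_id": client_id,
                  "scope": scope, "iat": now, "exp": now + ttl,
                  "jti": secrets.token_urlsafe(16)}     # random, unguessable token id
        enc = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode())
        signing_input = enc({"alg": "HS256"}) + "." + enc(claims)
        sig = hmac.new(self.key, signing_input.encode(), hashlib.sha256).digest()
        self.issued[claims["jti"]] = claims
        return signing_input + "." + _b64url(sig)

    def introspect(self, token: str) -> dict:
        """RFC 7662-shaped answer, looked up by the token's jti."""
        try:
            jti = json.loads(_b64url_decode(token.split(".")[1])).get("jti")
        except Exception:
            return {"active": False}
        c = self.issued.get(jti)
        if c is None or c["exp"] < time.time():
            return {"active": False}
        return {"active": True, **{k: c[k] for k in ("iss", "sub", "aud", "client_id", "scope")}}

@dataclass
class TrustedIssuer:
    key: bytes                          # the AS's verification key, from RS config
    introspect: Callable[[str], dict]   # stands in for an HTTPS POST to that AS's endpoint

class ResourceServer:
    def __init__(self, audience: str, issuers: dict[str, TrustedIssuer]):
        self.audience, self.issuers = audience, issuers   # allowlist keyed by iss

    def authorize(self, token: str, required_scope: str) -> Optional[dict]:
        """Return the introspection record if the token is acceptable, else None."""
        try:
            h_b64, p_b64, s_b64 = token.split(".")
            header, claims = (json.loads(_b64url_decode(x)) for x in (h_b64, p_b64))
            sig = _b64url_decode(s_b64)
        except Exception:
            return None
        # 1. Route on the (still unverified) iss, but only to an issuer we already
        #    trust; key and endpoint come from our config, never from the token.
        issuer = self.issuers.get(claims.get("iss"))
        if issuer is None or header.get("alg") != "HS256":
            return None
        # 2. Verify the signature locally before spending a network call on introspection.
        expected = hmac.new(issuer.key, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, sig):
            return None
        # 3. Basic claim checks: audience, expiry, and a jti to introspect on.
        if claims.get("aud") != self.audience or claims.get("exp", 0) < time.time() or not claims.get("jti"):
            return None
        # 4. Ask the issuing AS whether the token is still live (catches revocation).
        info = issuer.introspect(token)
        if not info.get("active"):
            return None
        # 5. Enforce scope, and require the AS's view to agree with the JWT's own claims.
        if (required_scope not in info.get("scope", "").split()
                or info.get("iss") != claims["iss"] or info.get("sub") != claims.get("sub")):
            return None
        return info

def demo() -> dict:
    """Two trusted ASes, one RS; returns which constructed requests were allowed."""
    as_a = AuthorizationServer("https://as-a.example", secrets.token_bytes(32))
    as_b = AuthorizationServer("https://as-b.example", secrets.token_bytes(32))
    rs = ResourceServer("https://rs.example/api",
                        {as_a.issuer: TrustedIssuer(as_a.key, as_a.introspect),
                         as_b.issuer: TrustedIssuer(as_b.key, as_b.introspect)})
    t_a = as_a.issue("alice", "client-1", "read write", rs.audience)
    t_b = as_b.issue("bob", "client-2", "read", rs.audience)
    allowed = lambda tok, scope: rs.authorize(tok, scope) is not None
    out = {"a_read": allowed(t_a, "read"), "b_read": allowed(t_b, "read"),
           "b_write": allowed(t_b, "write")}                   # scope never granted
    # Issuer not in the allowlist: rejected before any introspection call.
    rogue = AuthorizationServer("https://evil.example", b"k" * 32)
    out["rogue"] = allowed(rogue.issue("mallory", "c", "read write", rs.audience), "read")
    # Client escalates scope inside the payload: the AS signature no longer verifies.
    h, p, s = t_b.split("."); forged = dict(json.loads(_b64url_decode(p)), scope="read write")
    out["tampered"] = allowed(f"{h}.{_b64url(json.dumps(forged).encode())}.{s}", "write")
    # Revoked at the AS (dropped from its store): signature still verifies, introspection says inactive.
    del as_a.issued[json.loads(_b64url_decode(t_a.split(".")[1]))["jti"]]
    out["a_after_revoke"] = allowed(t_a, "read")
    return out
```

Two details carry the security weight. The introspection endpoint and key are looked up from the RS's own configuration using "iss" as a key, so a token can steer the RS only toward issuers it already trusts, never to an arbitrary URL. And the signature is checked before introspection, so an attacker holding garbage tokens cannot use the RS as a relay to hammer the AS's introspection endpoint; introspection is then only needed for what the signature cannot tell you, namely whether the token has since been revoked.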

On 3/11/2016 10:02 PM, Takahiko Kawasaki wrote:
> Hello,
>
> I have a question.
>
> If there exist multiple authorization servers that can issue access 
> tokens for one resource server, when the resource server receives an 
> access token from a client application, as the first step, the 
> resource server has to determine which authorization server to use for 
> access token introspection.
>
> Is there any standard way to determine which authorization server to use?
>
> There may be several ways, for example:
>
> (1) Embed information about the access token issuer in the access token.
> (2) Add a request parameter to identify the access token issuer.
> (3) Separate protected resource endpoints for each authorization server.
>
> If there is a standard way, I'd like to know it.
>
> Best Regards,
> Takahiko Kawasaki
>