IETF Logo Mail Archive

Re: [OAUTH-WG] Minutes from the OAuth Design Team Conference Call - 11th February 2013

Mike Jones <Michael.Jones@microsoft.com> Thu, 14 February 2013 21:44 UTC

Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8EAC121F855C for <oauth@ietfa.amsl.com>; Thu, 14 Feb 2013 13:44:43 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.585
X-Spam-Level:
X-Spam-Status: No, score=-2.585 tagged_above=-999 required=5 tests=[AWL=0.014, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BfHnVRpkzEwx for <oauth@ietfa.amsl.com>; Thu, 14 Feb 2013 13:44:41 -0800 (PST)
Received: from na01-bl2-obe.outbound.protection.outlook.com (na01-bl2-obe.ptr.protection.outlook.com [65.55.169.26]) by ietfa.amsl.com (Postfix) with ESMTP id 7ACE721F84C7 for <oauth@ietf.org>; Thu, 14 Feb 2013 13:44:40 -0800 (PST)
Received: from BL2FFO11FD022.protection.gbl (10.173.161.202) by BL2FFO11HUB003.protection.gbl (10.173.161.21) with Microsoft SMTP Server (TLS) id 15.0.620.12; Thu, 14 Feb 2013 21:44:31 +0000
Received: from TK5EX14HUBC107.redmond.corp.microsoft.com (131.107.125.37) by BL2FFO11FD022.mail.protection.outlook.com (10.173.161.101) with Microsoft SMTP Server (TLS) id 15.0.620.12 via Frontend Transport; Thu, 14 Feb 2013 21:44:31 +0000
Received: from TK5EX14MBXC285.redmond.corp.microsoft.com ([169.254.3.232]) by TK5EX14HUBC107.redmond.corp.microsoft.com ([157.54.80.67]) with mapi id 14.02.0318.003; Thu, 14 Feb 2013 21:44:11 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: Justin Richer <jricher@mitre.org>, Phil Hunt <phil.hunt@oracle.com>
Thread-Topic: [OAUTH-WG] Minutes from the OAuth Design Team Conference Call - 11th February 2013
Thread-Index: AQHOCUdbOV5B7lAK3kmkqyu4eMgvZZh55eFg
Date: Thu, 14 Feb 2013 21:44:10 +0000
Message-ID: <4E1F6AAD24975D4BA5B16804296739436744BD23@TK5EX14MBXC285.redmond.corp.microsoft.com>
References: <0573984A-8C11-4960-9BC6-F44D4B664C19@gmx.net> <E808B6AC-D5F6-479F-967D-EA6B2586BE64@oracle.com> <511A7D27.8010209@mitre.org>
In-Reply-To: <511A7D27.8010209@mitre.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [157.54.51.71]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Forefront-Antispam-Report: CIP:131.107.125.37; CTRY:US; IPV:CAL; IPV:NLI; EFV:NLI; SFV:NSPM; SFS:(199002)(189002)(24454001)(377424002)(377454001)(479174001)(13464002)(51704002)(30513003)(52604002)(79102001)(53806001)(66066001)(63696002)(80022001)(31966008)(15202345001)(47736001)(47446002)(65816001)(33656001)(55846006)(20776003)(56776001)(46406002)(5343655001)(15974865001)(51856001)(49866001)(5343635001)(74502001)(4396001)(47976001)(77982001)(47776003)(74662001)(50466001)(50986001)(56816002)(59766001)(54356001)(54316002)(46102001)(23726001)(16406001)(76482001)(44976002); DIR:OUT; SFP:; SCL:1; SRVR:BL2FFO11HUB003; H:TK5EX14HUBC107.redmond.corp.microsoft.com; RD:InfoDomainNonexistent; A:1; MX:1; LANG:en;
X-OriginatorOrg: microsoft.onmicrosoft.com
X-Forefront-PRVS: 0757EEBDCA
Cc: IETF oauth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Minutes from the OAuth Design Team Conference Call - 11th February 2013
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 14 Feb 2013 21:44:44 -0000

I'm in favor of reusing the JWT work that this WG is also doing. :-)

I'm pretty skeptical of us inventing another custom scheme for signing HTTP headers.  That was the impediment to OAuth 1.0 adoption that OAuth 2.0 solved in the first place.

				-- Mike

-----Original Message-----
From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of Justin Richer
Sent: Tuesday, February 12, 2013 9:35 AM
To: Phil Hunt
Cc: IETF oauth WG
Subject: Re: [OAUTH-WG] Minutes from the OAuth Design Team Conference Call - 11th February 2013

That's my reading of it as well, Phil, thanks for providing the clarification. One motivator behind using a JSON-based token is to be able to re-use some of the great work that the JOSE group is doing but apply it to an HTTP payload.

What neither of us want is a token type that requires stuffing all query, header, and other parameters *into* the JSON object itself, which would be a more SOAPy approach.

  -- Justin

On 02/12/2013 12:30 PM, Phil Hunt wrote:
> Clarification.  I think Justin and I were in agreement that we don't want to see a format that requires JSON payloads.  We are both interested in a JSON token used in the authorization header that could be based on a computed signature of some combination of http headers and body if possible.
>
> Phil
>
> @independentid
> www.independentid.com
> phil.hunt@oracle.com
>
>
>
>
>
> On 2013-02-12, at 1:10 AM, Hannes Tschofenig wrote:
>
>> Here are my notes.
>>
>> Participants:
>>
>> * John Bradley
>> * Derek Atkins
>> * Phil Hunt
>> * Prateek Mishra
>> * Hannes Tschofenig
>> * Mike Jones
>> * Antonio Sanso
>> * Justin Richer
>>
>> Notes:
>>
>> My slides are available here: 
>> http://www.tschofenig.priv.at/OAuth2-Security-11Feb2013.ppt
>>
>> Slide #2 summarizes earlier discussions during the conference calls.
>>
>> -- HTTP vs. JSON
>>
>> Phil noted that he does not like to use the MAC Token draft as a starting point because it does not re-use any of the work done in the JOSE working group and in particular all the libraries that are available today. He mentioned that earlier attempts to write the MAC Token code lead to problems for implementers.
>>
>> Justin responded that he does not agree with using JSON as a transport mechanism since this would replicate a SOAP style.
>>
>> Phil noted that he wants to send JSON but the signature shall be computed over the HTTP header field.
>>
>> -- Flexibility for the keyed message digest computation
>>
>>  From earlier discussion it was clear that the conference call participants wanted more flexibility regarding the keyed message digest computation. For this purpose Hannes presented the DKIM based approach, which allows selective header fields to be included in the digest. This is shown in slide #4.
>>
>> After some discussion the conference call participants thought that this would meet their needs. Further investigations would still be useful to determine the degree of failed HMAC calculations due to HTTP proxies modifying the content.
>>
>> -- Key Distribution
>>
>> Hannes presented the open issue regarding the choice of key 
>> distribution. Slides #6-#8 present three techniques and Hannes asked 
>> for feedback regarding the preferred style. Justin and others didn't 
>> see the need to decide on one mechanism - they wanted to keep the 
>> choice open. Derek indicated that this will not be an acceptable 
>> approach. Since the resource server and the authorization server may, 
>> in the OAuth 2.0 framework, be entities produced by different vendors 
>> there is an interoperability need. Justin responded that he disagrees 
>> and that the resource server needs to understand the access token and 
>> referred to the recent draft submission for the token introspection 
>> endpoint. Derek indicated that the resource server has to understand 
>> the content of the access token and the token introspection endpoint 
>> just pushes the problem around: the resource server has to send the 
>> access token to the authorization server and then the resource server 
>> gets the result back (which he the
 n
>    a
>> gain needs to understand) in order to make a meaningful authorization decision.
>>
>> Everyone agreed that the client must receive the session key from the authorization server and that this approach has to be standardized. It was also agreed that this is a common approach among all three key distribution mechanisms.
>>
>> Hannes asked the participants to think about their preference.
>>
>> The questions regarding key naming and the indication for the intended resource server the client wants to talk to have been postponed.
>>
>> Ciao
>> Hannes
>>
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth


_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

v2.35.0 | Report a Bug | By Email | System Status