Re: [OAUTH-WG] Confirmation: Call for Adoption of "OAuth Token Introspection" as an OAuth Working Group Item

Thomas Broyer <t.broyer@gmail.com> Tue, 29 July 2014 01:16 UTC

From: Thomas Broyer <t.broyer@gmail.com>
Date: Tue, 29 Jul 2014 03:16:26 +0200
Message-ID: <CAEayHEPnmpM9MrMwMVGLi0-qeDPsMmdJRg6xwbO7WwdMADURTg@mail.gmail.com>
To: Phil Hunt <phil.hunt@oracle.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/e3XgB4s-saaZp3_tbE9cX6qyfnI
Cc: "oauth@ietf.org" <oauth@ietf.org>

Interesting question.

In our specific case, we don't really *need* interop as we have a single
AS, so the protocol could be specific to our needs. Building on a standard
however means that it might be easier to find software libraries
implementing it that could be used to build apps for our platform.
Similarly: we use OpenID Connect but we could have defined our own protocol
that issues OAuth access tokens. The benefits of standards are peer reviews
(particularly of privacy and security concerns) and software libraries.

From my PoV, this goes along with registration: you register an app to an
AS, and if the app exposes resources protected using OAuth then it can use
introspection to allow/deny access. Interop of introspection is as
necessary as interop of registration; it means an app can easily be
"portable": deployable in different environments provided they implement
introspection (and/or registration, and/or OpenID Connect, etc.).
Maybe it falls under the UMA scope more than the OAuth WG though
(registration is not enough, you also need to register "resource sets" with
their scopes).


On Tue, Jul 29, 2014 at 2:11 AM, Phil Hunt <phil.hunt@oracle.com> wrote:

> Could we have some discussion on the interop cases?
>
> Is it driven by scenarios where AS and resource are separate domains? Or
> may this be only of interest to specific protocols like UMA?
>
> From a technical principle, the draft is important and sound. I am just
> not there yet on the reasons for an interoperable standard.
>
> Phil
>
> On Jul 28, 2014, at 17:00, Thomas Broyer <t.broyer@gmail.com> wrote:
>
> Yes. This spec is of special interest to the platform we're building for
> http://www.oasis-eu.org/
>
>
> On Mon, Jul 28, 2014 at 7:33 PM, Hannes Tschofenig <
> hannes.tschofenig@gmx.net> wrote:
>
>> Hi all,
>>
>> during the IETF #90 OAuth WG meeting, there was strong consensus in
>> adopting the "OAuth Token Introspection"
>> (draft-richer-oauth-introspection-06.txt) specification as an OAuth WG
>> work item.
>>
>> We would now like to verify the outcome of this call for adoption on the
>> OAuth WG mailing list. Here is the link to the document:
>> http://datatracker.ietf.org/doc/draft-richer-oauth-introspection/
>>
>> If you did not hum at the IETF 90 OAuth WG meeting, and have an opinion
>> as to the suitability of adopting this document as a WG work item,
>> please send mail to the OAuth WG list indicating your opinion (Yes/No).
>>
>> The confirmation call for adoption will last until August 10, 2014.  If
>> you have issues/edits/comments on the document, please send these
>> comments along to the list in your response to this Call for Adoption.
>>
>> Ciao
>> Hannes & Derek
>>
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>>
>>
>
>
> --
> Thomas Broyer
> /tɔ.ma.bʁwa.je/ <http://xn--nna.ma.xn--bwa-xxb.je/>
>


-- 
Thomas Broyer
/tɔ.ma.bʁwa.je/ <http://xn--nna.ma.xn--bwa-xxb.je/>
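The resource-server side of the model Thomas describes (an app registered at the AS exposes resources and uses introspection to allow or deny access), as an added example that is neither code from this thread nor from the draft. It assumes the response fields active, scope, exp and aud of the introspection draft (RFC 7662 after adoption); the endpoint URL, RS credentials and sample tokens are constructed for illustration.

```python
import base64
import json
import time
import urllib.parse
import urllib.request

# Assumed values: the AS's introspection endpoint, the RS's own credentials
# for it, and the identifier the AS uses for this RS in the "aud" field.
INTROSPECTION_URL = "https://as.example.org/introspect"
RS_CLIENT_ID, RS_CLIENT_SECRET = "resource-server-1", "rs-secret"
THIS_RS = "https://rs.example.org"

def introspect(token, post=None):
    """POST the token to the AS; `post(url, body, headers)` injects an offline transport."""
    body = urllib.parse.urlencode({"token": token}).encode()
    creds = base64.b64encode(f"{RS_CLIENT_ID}:{RS_CLIENT_SECRET}".encode()).decode()
    headers = {"Authorization": "Basic " + creds,  # RS authenticates to the AS
               "Content-Type": "application/x-www-form-urlencoded"}
    if post is not None:
        return post(INTROSPECTION_URL, body, headers)
    req = urllib.request.Request(INTROSPECTION_URL, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=5) as resp:
        return json.load(resp)

def authorize(token, required_scope, now=None, post=None):
    """Allow/deny access to a resource this RS exposes; returns (allowed, reason)."""
    info = introspect(token, post)
    now = time.time() if now is None else now
    if not info.get("active"):                   # unknown, revoked or malformed token
        return False, "token not active"
    if "exp" in info and now >= info["exp"]:     # do not rely on "active" alone
        return False, "token expired"
    aud = info.get("aud", [])
    if THIS_RS not in ([aud] if isinstance(aud, str) else aud):
        return False, "token not issued for this resource"
    if required_scope not in info.get("scope", "").split():
        return False, "missing scope " + required_scope
    return True, "ok"

# Constructed sample answers from the AS, so the example runs offline.
SAMPLE = {
    "tok-ok": {"active": True, "scope": "read write", "exp": 1_700_000_000, "aud": THIS_RS},
    "tok-old": {"active": True, "scope": "read", "exp": 1_600_000_000, "aud": THIS_RS},
    "tok-other": {"active": True, "scope": "read", "exp": 1_700_000_000, "aud": "https://other.example.org"},
}

def fake_post(url, body, headers):
    token = urllib.parse.parse_qs(body.decode())["token"][0]
    return SAMPLE.get(token, {"active": False})  # unknown tokens get only "active": false
```

Without `post`, `authorize` performs the real HTTPS call; the audience and scope checks are what keep a token valid at the AS from being accepted at the wrong resource.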