Re: [OAUTH-WG] status of bearer token redelegation drafts

Phil Hunt <phil.hunt@oracle.com> Tue, 04 November 2014 00:30 UTC

References: <0FBFB9F2-508B-495B-9075-E664351C8D96@mitre.org> <518329024.436807.1415059638902.JavaMail.yahoo@jws10645.mail.bf1.yahoo.com>
In-Reply-To: <518329024.436807.1415059638902.JavaMail.yahoo@jws10645.mail.bf1.yahoo.com>
Message-Id: <1080442E-5EC4-4120-AC55-3EC76680EC0F@oracle.com>
From: Phil Hunt <phil.hunt@oracle.com>
Date: Mon, 03 Nov 2014 16:30:33 -0800
To: Bill Mills <wmills_92105@yahoo.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/e5GJOn4pHKOgExhBFAjYvCM3IBI
Cc: Ajanta Adhikari <ajanta.adhikari@gmail.com>, "oauth@ietf.org WG" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] status of bearer token redelegation drafts

+1

Phil

> On Nov 3, 2014, at 16:07, Bill Mills <wmills_92105@yahoo.com> wrote:
> 
> We need to think about this, and whatever we build in this space should work for POP tokens as well. I'd love to hear the concrete use cases and problems to be solved.
> 
> POP tokens (like OAuth 1.0a) are likely not to be proxyable, so the edge servers really should have a way to get a new credential for accessing other services on behalf of the user.
> 
> Another major consideration is that auth servers are frequently not scaled to handle the full edge transaction load; that's part of the point of issuing a longer-lived credential by a server that's already done all the expensive policy and DB checks.
> 
> I'm not a big fan of a token exchange through the auth server for that reason, as well as the added cost incurred for the network round trips that are being built in.
> 
> -bill
> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
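An added illustration of the point made in the quoted message about POP tokens not being proxyable. This is example code written for this page, not code from the thread, from Oracle, or from any IETF draft; the token format, the HMAC-based proof, the key registry, the `edge`/`backend` audiences and the `exchange_token` step are constructed assumptions and are not the wire format of any IETF proof-of-possession or token-exchange specification. The model: the authorization server binds a token to a key; a resource server accepts a request only if it carries a fresh proof made with that key over that exact request; an edge server that has received a valid request holds the token but not the key, so it can neither replay nor re-sign the request toward another service, and needs a new token bound to its own key.

```python
import hashlib
import hmac
import json
import time

# Constructed keys for this illustration (assumptions, not real material).
AS_KEY = b"constructed-authorization-server-mac-key"
CLIENT_KEY = b"constructed-client-pop-key"
EDGE_KEY = b"constructed-edge-server-pop-key"


def fingerprint(key):
    return hashlib.sha256(key).hexdigest()


# Assumption: resource servers can resolve a bound key by its fingerprint.
# A real PoP token would carry the key itself (encrypted to the resource
# server, or as a public key) in the confirmation claim; the consequence is
# the same either way: verifiers get the key, an intermediary that only saw
# the token does not.
KEY_REGISTRY = {fingerprint(CLIENT_KEY): CLIENT_KEY,
                fingerprint(EDGE_KEY): EDGE_KEY}


def _mac(key, data):
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def issue_token(subject, audience, holder_key, actor=None, now=None):
    """Authorization server: issue a token bound to holder_key via a
    key-fingerprint confirmation claim, MACed with the AS key so resource
    servers can check it without a round trip."""
    claims = {"sub": subject, "aud": audience, "cnf": fingerprint(holder_key),
              "exp": int(now if now is not None else time.time()) + 600}
    if actor is not None:
        claims["act"] = actor          # records who is acting for the subject
    payload = json.dumps(claims, sort_keys=True)
    return payload + "." + _mac(AS_KEY, payload.encode())


def parse_token(token):
    payload, _, tag = token.rpartition(".")
    if not hmac.compare_digest(tag, _mac(AS_KEY, payload.encode())):
        raise ValueError("bad token MAC")
    return json.loads(payload)


def sign_request(token, method, path, holder_key):
    """Proof of possession: a MAC with the bound key over the token and the
    request it accompanies, so a captured proof is useless elsewhere."""
    return _mac(holder_key, f"{token}\n{method}\n{path}".encode())


def verify_request(token, method, path, proof, audience, now=None):
    """Resource server: token valid, meant for me, not expired, and the
    proof was made with the token's bound key over this exact request."""
    claims = parse_token(token)
    if claims["aud"] != audience:
        return False
    if claims["exp"] <= (now if now is not None else time.time()):
        return False
    key = KEY_REGISTRY.get(claims["cnf"])
    if key is None:
        return False
    return hmac.compare_digest(proof, sign_request(token, method, path, key))


def exchange_token(subject_token, requested_audience, actor_key, now=None):
    """Authorization server: the edge presents the token it received and gets
    a new one for the backend, bound to the edge's own key. (A real exchange
    would also authenticate the edge; omitted here.)"""
    claims = parse_token(subject_token)
    return issue_token(claims["sub"], requested_audience, actor_key,
                       actor={"cnf": fingerprint(actor_key)}, now=now)


def scenario(now=1_700_000_000):
    """Walk through the client -> edge -> backend hop and return what each
    verifier decided."""
    results = {}
    # 1. Client calls the edge with a token bound to the client's key.
    tok = issue_token("alice", "edge", CLIENT_KEY, now=now)
    proof = sign_request(tok, "GET", "/profile", CLIENT_KEY)
    results["client_to_edge"] = verify_request(
        tok, "GET", "/profile", proof, "edge", now=now)
    # 2. Edge forwards token and proof unchanged to the backend: wrong audience.
    results["edge_forwards_unchanged"] = verify_request(
        tok, "GET", "/profile", proof, "backend", now=now)
    # 3. Edge reuses the captured proof for a different request: proof mismatch.
    results["edge_replays_other_path"] = verify_request(
        tok, "GET", "/orders", proof, "edge", now=now)
    # 4. Edge signs with its own key under the client's token: cnf mismatch.
    edge_proof = sign_request(tok, "GET", "/orders", EDGE_KEY)
    results["edge_signs_with_own_key"] = verify_request(
        tok, "GET", "/orders", edge_proof, "edge", now=now)
    # 5. Edge exchanges the token for one bound to its key and scoped to
    #    the backend; now it can produce a valid proof.
    tok2 = exchange_token(tok, "backend", EDGE_KEY, now=now)
    proof2 = sign_request(tok2, "GET", "/orders", EDGE_KEY)
    results["after_exchange"] = verify_request(
        tok2, "GET", "/orders", proof2, "backend", now=now)
    results["exchanged_claims"] = parse_token(tok2)
    return results


if __name__ == "__main__":
    for name, value in scenario().items():
        print(f"{name}: {value}")
```

Steps 2 to 4 are the three ways a bearer-style forward fails once the token is key-bound; step 5 is the extra authorization-server round trip the message objects to on cost grounds, which the example makes visible as a separate `exchange_token` call on the request path.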