Re: [OAUTH-WG] Rechartering

Anthony Nadalin <tonynad@microsoft.com> Mon, 31 October 2011 21:56 UTC

Return-Path: <tonynad@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ABB4721F8CD2 for <oauth@ietfa.amsl.com>; Mon, 31 Oct 2011 14:56:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.467
X-Spam-Level:
X-Spam-Status: No, score=-7.467 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8, UNRESOLVED_TEMPLATE=3.132]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id q4xoPdU2Rqlg for <oauth@ietfa.amsl.com>; Mon, 31 Oct 2011 14:56:19 -0700 (PDT)
Received: from smtp.microsoft.com (mailc.microsoft.com [131.107.115.214]) by ietfa.amsl.com (Postfix) with ESMTP id 830B511E82F5 for <oauth@ietf.org>; Mon, 31 Oct 2011 14:56:19 -0700 (PDT)
Received: from TK5EX14HUBC102.redmond.corp.microsoft.com (157.54.7.154) by TK5-EXGWY-E803.partners.extranet.microsoft.com (10.251.56.169) with Microsoft SMTP Server (TLS) id 8.2.176.0; Mon, 31 Oct 2011 14:56:19 -0700
Received: from ch1outboundpool.messaging.microsoft.com (157.54.51.113) by mail.microsoft.com (157.54.7.154) with Microsoft SMTP Server (TLS) id 14.1.339.2; Mon, 31 Oct 2011 14:56:18 -0700
Received: from mail150-ch1-R.bigfish.com (10.43.68.240) by CH1EHSOBE018.bigfish.com (10.43.70.68) with Microsoft SMTP Server id 14.1.225.22; Mon, 31 Oct 2011 21:56:05 +0000
Received: from mail150-ch1 (localhost.localdomain [127.0.0.1]) by mail150-ch1-R.bigfish.com (Postfix) with ESMTP id B787616400BA for <oauth@ietf.org.FOPE.CONNECTOR.OVERRIDE>; Mon, 31 Oct 2011 21:56:11 +0000 (UTC)
X-SpamScore: -41
X-BigFish: PS-41(zz9371K542M1432N98dK14ffOzz1202h1082kzz8275ch1033IL8275dhz31h2a8h668h839h944h)
X-Forefront-Antispam-Report: CIP:207.46.4.139; KIP:(null); UIP:(null); IPV:SKI; H:SN2PRD0302HT013.namprd03.prod.outlook.com; R:internal; EFV:INT
Received-SPF: softfail (mail150-ch1: transitioning domain of microsoft.com does not designate 207.46.4.139 as permitted sender) client-ip=207.46.4.139; envelope-from=tonynad@microsoft.com; helo=SN2PRD0302HT013.namprd03.prod.outlook.com ; .outlook.com ;
Received: from mail150-ch1 (localhost.localdomain [127.0.0.1]) by mail150-ch1 (MessageSwitch) id 1320098169354579_20216; Mon, 31 Oct 2011 21:56:09 +0000 (UTC)
Received: from CH1EHSMHS032.bigfish.com (snatpool1.int.messaging.microsoft.com [10.43.68.250]) by mail150-ch1.bigfish.com (Postfix) with ESMTP id 50E8995004B; Mon, 31 Oct 2011 21:56:09 +0000 (UTC)
Received: from SN2PRD0302HT013.namprd03.prod.outlook.com (207.46.4.139) by CH1EHSMHS032.bigfish.com (10.43.70.32) with Microsoft SMTP Server (TLS) id 14.1.225.22; Mon, 31 Oct 2011 21:56:02 +0000
Received: from SN2PRD0302MB137.namprd03.prod.outlook.com ([169.254.4.210]) by SN2PRD0302HT013.namprd03.prod.outlook.com ([10.27.90.203]) with mapi id 14.15.0003.000; Mon, 31 Oct 2011 21:56:14 +0000
From: Anthony Nadalin <tonynad@microsoft.com>
To: Eran Hammer-Lahav <eran@hueniverse.com>, Dick Hardt <dick.hardt@gmail.com>
Thread-Topic: [OAUTH-WG] Rechartering
Thread-Index: AQHMjub7tsSnzwxIKk2nsnZNOeFJupWF2TyAgAfWEICAASfzAIAEHd2AgAQSDwCAAAp3sA==
Date: Mon, 31 Oct 2011 21:56:06 +0000
Message-ID: <B26C1EF377CB694EAB6BDDC8E624B6E739EC2CD8@SN2PRD0302MB137.namprd03.prod.outlook.com>
References: <725EAF50-3A82-4AAE-8C60-6D4C4AE52A79@gmx.net> <20111021005637.Horde.X6nKL0lCcOxOoKclCL3mgBA@webmail.df.eu> <429493818451304B84EC9A0797B5D8582383F7@SEAPXCH10MBX01.amer.gettywan.com> <90C41DD21FB7C64BB94121FBBC2E723452631E987B@P3PW5EX1MB01.EX1.SECURESERVER.NET>, <44A277AD-1874-4160-9ECD-87DEFB2A7F60@gmail.com> <90C41DD21FB7C64BB94121FBBC2E72345263321013@P3PW5EX1MB01.EX1.SECURESERVER.NET>
In-Reply-To: <90C41DD21FB7C64BB94121FBBC2E72345263321013@P3PW5EX1MB01.EX1.SECURESERVER.NET>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [131.107.0.70]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OrganizationHeadersPreserved: SN2PRD0302HT013.namprd03.prod.outlook.com
X-FOPE-CONNECTOR: Id%0$Dn%*$RO%0$TLS%0$FQDN%$TlsDn%
X-FOPE-CONNECTOR: Id%59$Dn%HUENIVERSE.COM$RO%2$TLS%6$FQDN%131.107.125.5$TlsDn%
X-FOPE-CONNECTOR: Id%59$Dn%GMAIL.COM$RO%2$TLS%6$FQDN%131.107.125.5$TlsDn%
X-FOPE-CONNECTOR: Id%59$Dn%IETF.ORG$RO%2$TLS%6$FQDN%131.107.125.5$TlsDn%
X-FOPE-CONNECTOR: Id%59$Dn%GETTYIMAGES.COM$RO%2$TLS%6$FQDN%131.107.125.5$TlsDn%
X-OriginatorOrg: microsoft.com
X-CrossPremisesHeadersPromoted: TK5EX14HUBC102.redmond.corp.microsoft.com
X-CrossPremisesHeadersFiltered: TK5EX14HUBC102.redmond.corp.microsoft.com
Cc: OAuth WG <oauth@ietf.org>, Dan Taflin <dan.taflin@gettyimages.com>
Subject: Re: [OAUTH-WG] Rechartering
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 31 Oct 2011 21:56:20 -0000

Could be 2 tokens that still fulfill the same scope just that each token is a subset of the requested scope.

-----Original Message-----
From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of Eran Hammer-Lahav
Sent: Monday, October 31, 2011 2:17 PM
To: Dick Hardt
Cc: OAuth WG; Dan Taflin
Subject: Re: [OAUTH-WG] Rechartering

That's a whole different issue as this is about talking to a single server retuning two tokens with different scopes.

EHL

________________________________________
From: Dick Hardt [dick.hardt@gmail.com]
Sent: Saturday, October 29, 2011 12:07 AM
To: Eran Hammer-Lahav
Cc: Dan Taflin; OAuth WG
Subject: Re: [OAUTH-WG] Rechartering

What if the access tokens come from different authoritative servers?

On Oct 26, 2011, at 9:15 AM, Eran Hammer-Lahav wrote:

> Why not just ask for one access token with all the scopes you need, then refresh it by asking for the different subsets you want.
>
> EHL
>
>> -----Original Message-----
>> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On 
>> Behalf Of Dan Taflin
>> Sent: Tuesday, October 25, 2011 3:37 PM
>> To: OAuth WG
>> Subject: Re: [OAUTH-WG] Rechartering
>>
>> I would like to second Torsten's pitch for the ability to return 
>> multiple access tokens with a single authorization process. The use 
>> case for my company is to segment operations into two main 
>> categories: protected and confidential. (A possible third category, public, would not require any authorization at all).
>> Protected operations would be user-specific operations that don't 
>> involve the passing of any sensitive information, such as image 
>> search results tagged with information about whether each image is 
>> available for download by that user. Confidential operations would 
>> involve passing user data, like user registration or e-commerce. We 
>> would like to protect each category of operations with distinct 
>> tokens: a general-use token for protected operations, and a secure token for confidential operations.
>>
>> We could use the scope parameter to specify either "protected" or 
>> "confidential". Currently the oauth spec allows a Refresh token to 
>> request a new token with reduced scope from the one originally 
>> issued, but there is no way to obtain a new token with a completely 
>> different scope without doing the full oauth dance a second time.
>>
>> Dan
>>
>> -----Original Message-----
>> From: Torsten Lodderstedt [mailto:torsten@lodderstedt.net]
>> Sent: Thursday, October 20, 2011 3:57 PM
>> To: Hannes Tschofenig
>> Cc: OAuth WG
>> Subject: Re: [OAUTH-WG] Rechartering
>>
>> Hi all,
>>
>> my prioritization is driven by the goal to make OAuth the 
>> authorization framework of choice for any internet standard protocol, 
>> such as WebDAV, IMAP, SMTP or SIP. So let me first explain what is 
>> missing from my point of view and explain some thoughts how to fill the gaps.
>>
>> A standard protocol is defined in terms of resource types and 
>> messages by a body (e.g. IETF, OIDF, OMA), (hopefully) implemented in 
>> many places, and used by different but deployment-independent clients.
>> OAuth-based protocol specifications must also define scope values (e.g.
>> read, write, send) and their relation to the resource types and 
>> messages. The different deployments expose the standard protocol on 
>> different resource server endpoints. In my opinion, it is fundamental 
>> to clearly distinguish scope values (standardized, static) and 
>> resource server addresses (deployment specific) and to manage their 
>> relationships. The current scope definition is much to weak and insufficient.
>> Probably, the UMA concepts of hosts, resources sets, and 
>> corresponding scopes could be adopted for that purpose.
>>
>> OAuth today requires clients to register with the service provider 
>> before they are deployed. Would you really expect IMAP clients, e.g.
>> Thunderbird, to register with any a-Mail services upfront? So clients 
>> should be given a way to register dynamically to the authorization 
>> servers. This should also allow us to cover "client instance" aspects.
>> It is interesting to note, that such a mechanism would allow us to 
>> get rid of secret-less clients and the one-time usage requirement for 
>> authorization codes.
>>
>> We also assume the client to know the URLs of the resource server and 
>> the corresponding authorization server and to use HTTPS server 
>> authentication to verify the resource server's authenticity. This is 
>> impossible in the standard scenario. Clients must be able to discover 
>> the authorization server a particular resource server relies on at 
>> runtime. The discovery mechanism could be specified by the OAuth WG, 
>> but could also be part of an application protocols specification. But 
>> we MUST find another way to prevent token phishing by counterfeit resource servers.
>>
>> As one approach, the client could pass the (previously HTTPS
>> validated) resource server's URL with the authorization request. The 
>> authorization server should then refuse such requests for any unknown
>> (counterfeit) resource servers. Such an additional parameter could 
>> also serve as namespace for scope values and enable service providers 
>> to run multiple instances of the same service within a single deployment.
>>
>> If the additional data enlarges the request payload to much, we could 
>> consider to adopt the "request by reference" proposal.
>>
>> Let's now assume, OAuth is successful in the world of standard 
>> protocols and we will see plenty of deployments with a bunch of 
>> different OAuth protected resource servers. Shall this servers all be 
>> accessible with a single token? In my opinion, this would cause 
>> security, privacy and/or scalability/performance problems. To give 
>> just the most obvious example, the target audience of such a token 
>> cannot be restricted enough, which may allow a resource server (or an 
>> attacker in control of it) to abuse the token on other servers. But 
>> the current design of the code grant type forces deployments to use 
>> the same token for all services. What is needed from my point of view 
>> is a way to request and issue multiple server-specific access tokens with a single authorization process.
>>
>> I've been advocating this topic for a long time now and I'm still 
>> convinced this is required to really complete the core design. We at 
>> Deutsche Telekom needed and implemented this function on top of the 
>> existing core. In my opinion, a core enhancement would be easier to handle and more powerful.
>> If others support this topic, I would be willed to submit an I-D 
>> describing a possible solution.
>>
>> If we take standards really seriously, then service providers should 
>> be given the opportunity to implement their service by utilizing 
>> standard server implementations. This creates the challenge to find a 
>> standardized protocol between authorization server and resource 
>> server to exchange authorization data. Depending on the token design 
>> (self-contained vs. handle) this could be solved by either 
>> standardizing a token format (JWT) or an authorization API.
>>
>> Based on the rationale given above, my list is as follows (topics w/o 
>> I-D are marked with *):
>>
>> - Revocation (low hanging fruit since I-D is ready and implemented in 
>> some
>> places)
>> - Resource server notion*
>> - Multiple access tokens*
>> - Dynamic client registration
>>  1) Dynamic Client Registration Protocol
>>  4) Client Instance Extension
>> - Discovery
>>  (10) Simple Web Discovery, probably other specs as well
>> - (6) JSON Web Token
>> - (7) JSON Web Token (JWT) Bearer Profile
>> - 8) User Experience Extension
>> - Device flow
>> - 9) Request by Reference
>>  (depending resource server notion and multiple access tokens)
>>
>> regards,
>> Torsten.
>> Zitat von Hannes Tschofenig <hannes.tschofenig@gmx.net>et>:
>>
>>> Hi all,
>>>
>>> in preparation of the upcoming IETF meeting Barry and I would like 
>>> to start a re-chartering discussion.  We both are currently 
>>> attending the Internet Identity Workshop and so we had the chance to 
>>> solicit input from the participants. This should serve as a discussion starter.
>>>
>>> Potential future OAuth charter items (in random order):
>>>
>>> ----------------
>>>
>>> 1) Dynamic Client Registration Protocol
>>>
>>> Available document:
>>> http://datatracker.ietf.org/doc/draft-hardjono-oauth-dynreg/
>>>
>>> 2) Token Revocation
>>>
>>> Available document:
>>> http://datatracker.ietf.org/doc/draft-lodderstedt-oauth-revocation/
>>>
>>> 3) UMA
>>>
>>> Available document:
>>> http://datatracker.ietf.org/doc/draft-hardjono-oauth-umacore/
>>>
>>> 4) Client Instance Extension
>>>
>>> Available document:
>>> http://tools.ietf.org/id/draft-richer-oauth-instance-00.txt
>>>
>>> 5) XML Encoding
>>>
>>> Available document:
>>> http://tools.ietf.org/id/draft-richer-oauth-xml-00.txt
>>>
>>> 6) JSON Web Token
>>>
>>> Available document:
>>> http://tools.ietf.org/html/draft-jones-json-web-token-05
>>>
>>> 7) JSON Web Token (JWT) Bearer Profile
>>>
>>> Available document:
>>> http://tools.ietf.org/html/draft-jones-oauth-jwt-bearer-00
>>>
>>> 8) User Experience Extension
>>>
>>> Available document:
>>> http://tools.ietf.org/html/draft-recordon-oauth-v2-ux-00
>>>
>>> 9) Request by Reference
>>>
>>> Available document:
>>> http://tools.ietf.org/html/draft-sakimura-oauth-requrl-00
>>>
>>> 10) Simple Web Discovery
>>>
>>> Available document:
>>> http://tools.ietf.org/html/draft-jones-simple-web-discovery-00
>>>
>>> ----------------
>>>
>>> We have the following questions:
>>>
>>> a) Are you interested in any of the above-listed items? (as a 
>>> reviewer, co-author, implementer, or someone who would like to 
>>> deploy). It is also useful to know if you think that we shouldn't 
>>> work on a specific item.
>>>
>>> b) Are there other items you would like to see the group working on?
>>>
>>> Note: In case your document is expired please re-submit it.
>>>
>>> Ciao
>>> Hannes & Barry
>>>
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>>
>>
>>
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth