Re: [OAUTH-WG] Using Oauth2 token to SOAP web services

Paul Madsen <paul.madsen@gmail.com> Mon, 19 March 2012 13:29 UTC


Mixed REST & SOAP environments don't necessarily require using OAuth 
tokens directly in SOAP headers - you can exchange the token for an 
equivalent SAML assertion (for which we already have a profile 
stipulating how to use in SOAP headers).

We see a lot of this - people leveraging existing SOAP backends but 
opening up REST APIs to partners & mobile.

On 3/19/12 9:23 AM, Phil Hunt wrote:
> There's going to be a lot of mixed environments for some time. Particularly an issue at the boundaries between classic soap services and new restful services.
>
> Phil
>
> On 2012-03-19, at 0:05, Hannes Tschofenig<hannes.tschofenig@gmx.net>  wrote:
>
>> Hi Grant,
>>
>> IMHO the main reason why the OAuth specification does not standardize OAuth usage specially for SOAP is because most people by now realized that SOAP, as another layer of encapsulation, does not add a lot of value.
>>
>> Ciao
>> Hannes
>>
>> On Mar 19, 2012, at 6:15 AM, Grant Yang wrote:
>>
>>> Thank you very much Phil!
>>>
>>> The thing is, the Oauth spec just mentioned putting the Access Token into HTTP header “Authorization”. I don’t think it applies to SOAP as this header is not visible from SOAP stack perspective.
>>>
>>> So, when we are talking about the SOAP header, are we talking about the header used by WS-Security? Could you please kindly provide me one example of putting the Access Token into the SOAP header and let me know which product is currently using this mechanism?
>>>
>>> Thanks a lot,
>>> Grant.
>>>
>>> From: Phil Hunt
>>> Sent: Thursday, March 15, 2012 11:53 PM
>>> To: Grant Yang
>>> Subject: Re: [OAUTH-WG] Using Oauth2 token to SOAP web services
>>>
>>> Grant,
>>>
>>> You put it in the soap header of course in the same spot as any other credential.  :-)
>>>
>>> Phil
>>>
>>> @independentid
>>> www.independentid.com
>>> phil.hunt@oracle.com
>>>
>>> On 2012-03-14, at 10:41 PM, Grant Yang wrote:
>>>
>>> Hi all,
>>>
>>> We were discussing the possibility to use Oauth2 token on SOAP in our product.
>>>
>>> The preferred way mentioned in the RFC is of course to put it in the HTTP Authorization header, but in this case it will be beyond the scope of the SOAP stack and I am not sure it is the correct way to go. It is also recognized that some implementations (such as Salesforce) use a SOAP header (“sessionId”) to carry this token, but it looks like a private implementation and I did not find any specification supporting it.
>>>
>>> Could any experts here point out whether any organization or forum is working on using OAuth2 tokens for SOAP requests? As there are quite a few legacy SOAP-based web services, hopefully this is a question that makes sense for you as well.
>>>
>>> Thoughts?
>>>
>>> Grant Yang
>>> Architect, SDP of ORACLE Communications
>>>
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
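Added example, not from the thread or any product it mentions: a client that carries the access token in a wsse:Security header (Phil's "same spot as any other credential") and a service that extracts and validates it before dispatching the Body. The ValueType URI and the token lookup are assumptions; WS-Security defines no OAuth2 bearer token type, which is exactly the gap Grant asks about.

```python
import base64
import time
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE_NS = ("http://docs.oasis-open.org/wss/2004/01/"
           "oasis-200401-wss-wssecurity-secext-1.0.xsd")
B64_ENC = ("http://docs.oasis-open.org/wss/2004/01/"
           "oasis-200401-wss-soap-message-security-1.0#Base64Binary")
# Hypothetical ValueType: WS-Security has no standard type for OAuth2 tokens.
OAUTH_VT = "urn:example:oauth2-bearer-token"
ET.register_namespace("soapenv", SOAP_NS)
ET.register_namespace("wsse", WSSE_NS)
BST_PATH = (f"{{{SOAP_NS}}}Header/{{{WSSE_NS}}}Security/"
            f"{{{WSSE_NS}}}BinarySecurityToken")


def build_envelope(access_token: str, body_xml: str) -> bytes:
    """Client side: wrap the token as a base64 wsse:BinarySecurityToken."""
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    sec = ET.SubElement(ET.SubElement(env, f"{{{SOAP_NS}}}Header"),
                        f"{{{WSSE_NS}}}Security")
    sec.set(f"{{{SOAP_NS}}}mustUnderstand", "1")  # service must process it
    bst = ET.SubElement(sec, f"{{{WSSE_NS}}}BinarySecurityToken",
                        ValueType=OAUTH_VT, EncodingType=B64_ENC)
    # base64 keeps an attacker-chosen token string from injecting XML
    bst.text = base64.b64encode(access_token.encode()).decode()
    ET.SubElement(env, f"{{{SOAP_NS}}}Body").append(ET.fromstring(body_xml))
    return ET.tostring(env)


def extract_token(envelope: bytes) -> str:
    """Service side: namespace-aware lookup, exactly one token, Header only."""
    root = ET.fromstring(envelope)  # use defusedxml on untrusted input
    found = [e for e in root.findall(BST_PATH) if e.get("ValueType") == OAUTH_VT]
    if len(found) != 1 or found[0].get("EncodingType") != B64_ENC:
        raise PermissionError("expected exactly one OAuth2 token in wsse:Security")
    return base64.b64decode(found[0].text or "", validate=True).decode()


def authorize(envelope: bytes, lookup, required_scope: str, now=None) -> dict:
    """Check the token against the authorization server's record (constructed
    `lookup` callable) for activity, expiry and scope before dispatching."""
    now = time.time() if now is None else now
    info = lookup(extract_token(envelope))
    if not info or info.get("exp", 0) <= now:
        raise PermissionError("token unknown or expired")
    if required_scope not in info.get("scope", "").split():
        raise PermissionError("token lacks required scope")
    return info
```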