IETF Logo Mail Archive

Re: [OAUTH-WG] Assertion flow and token bootstrapping

Paul Madsen <paul.madsen@gmail.com> Thu, 03 June 2010 15:31 UTC

Return-Path: <paul.madsen@gmail.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 1364E3A68BF for <oauth@core3.amsl.com>; Thu, 3 Jun 2010 08:31:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id M-shw5ORlSy7 for <oauth@core3.amsl.com>; Thu, 3 Jun 2010 08:30:40 -0700 (PDT)
Received: from mail-vw0-f44.google.com (mail-vw0-f44.google.com [209.85.212.44]) by core3.amsl.com (Postfix) with ESMTP id 4C8B83A69D6 for <oauth@ietf.org>; Thu, 3 Jun 2010 08:30:37 -0700 (PDT)
Received: by vws11 with SMTP id 11so271031vws.31 for <oauth@ietf.org>; Thu, 03 Jun 2010 08:30:21 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:message-id:date:from :user-agent:mime-version:to:subject:references:in-reply-to :content-type:content-transfer-encoding; bh=DQTGhM3mebB5BdWDqoGSA36MWsTOxPDrgW1y6EHlqLw=; b=cAA1EWPB/Jfgie9QTiHticDc5v4qeABAlWQ6d9rZQMnjwqN+GPVILSqBGAcnP8AQwU 85yjQny8fjmlB2enjLHbl/Tr+RdbZNSEcdwjXPoMGNyqWBbKYn90InIjpWzndul3Q0D2 M53Gnvr/Csv3NpR9J+cu2StZHz6boI6JG8ijA=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=message-id:date:from:user-agent:mime-version:to:subject:references :in-reply-to:content-type:content-transfer-encoding; b=mdLbGF6iCEx2MyYtb+xL23P88k6bDm9pdbfbIa0XGHS+DgmV5fItZHDzWQkFfJODTQ BaDsz+erJB+mPojfkqrIxnPFrZzLzMULnD/XQSGSoRoCjLj5rruJsBqSt6ozflRg6ww/ E2Er6oH8uY0g558qgKV3rsFR4XMVDs+YhAHqw=
Received: by 10.224.18.163 with SMTP id w35mr4782048qaa.70.1275579021174; Thu, 03 Jun 2010 08:30:21 -0700 (PDT)
Received: from [192.168.0.168] (CPE0022b0cb82b4-CM0012256eb4b4.cpe.net.cable.rogers.com [99.224.152.177]) by mx.google.com with ESMTPS id i10sm115282qcb.11.2010.06.03.08.30.19 (version=TLSv1/SSLv3 cipher=RC4-MD5); Thu, 03 Jun 2010 08:30:20 -0700 (PDT)
Message-ID: <4C07CA89.1020803@gmail.com>
Date: Thu, 03 Jun 2010 11:30:17 -0400
From: Paul Madsen <paul.madsen@gmail.com>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.9) Gecko/20100317 Lightning/1.0b1 Thunderbird/3.0.4
MIME-Version: 1.0
To: oauth@ietf.org
References: <AANLkTilYX46pz5qI67nrgYxB_Lf1tx8DZM9YYs-QuT9T@mail.gmail.com> <DADD7EAD88AB484D8CCC328D40214CCD0179258AC0@EXPO10.exchange.mit.edu> <AANLkTimc8tUKxMmm6yCk2Nd_sRQpd8nJbBUgOhUi9EIh@mail.gmail.com> <AANLkTilkKlU71vA5Gm5kwmbgsTsDmtw8xQfq_HrtgyrV@mail.gmail.com> <DADD7EAD88AB484D8CCC328D40214CCD0179258BA5@EXPO10.exchange.mit.edu>
In-Reply-To: <DADD7EAD88AB484D8CCC328D40214CCD0179258BA5@EXPO10.exchange.mit.edu>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Subject: Re: [OAUTH-WG] Assertion flow and token bootstrapping
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 03 Jun 2010 15:31:03 -0000

I think STS was used in the generic sense, ie token in, token out

Although a SOAP-binding for the flow would be wonderfully perverse

paul

On 03/06/2010 10:54 AM, Thomas Hardjono wrote:
> Dick, Brian,
>
> Thanks for the clarification.
>
> - Is the Assertion Flow designed only for the STS,
> or can it be used with other "identity providers" (non-WSS).
>
> - Also, is it the expectation that a "profile" of OAuth2.0
> be created to address certain use-cases.
>
> PS. Compared to the details of RFC4120 and even
> to the old ISAKMP in the IETF, the current
> OAuth2.0 draft-05 spec appear to be a high-level framework
> that needs to be instantiated/profiled.
>
> /thomas/
>
>
>
> __________________________________________
>
> -From: Dick Hardt [mailto:dick.hardt@gmail.com]
> -Sent: Thursday, June 03, 2010 1:51 AM
> To: Brian Campbell
> Cc: Thomas Hardjono; oauth
> Subject: Re: [OAUTH-WG] Assertion flow and token bootstrapping
>
> The Assertion Flow is for the AS to act as an STS where one token is exchanged for another. This allows the PR to not have to worry about different kinds of tokens and to only deal with tokens issued by an AS.
>
> Lisa: a real world example of your use case would make it easier for how you got to the requirements you stated (ie. I am confused :)
>
> -- Dick
> On Wed, Jun 2, 2010 at 8:09 PM, Brian Campbell<bcampbell@pingidentity.com>  wrote:
> I'm still a newbie here so someone please correct me if I'm wrong, but
> I believe the Assertion Flow was intentionally left generic to serve
> as an extension point for profiling more specific types of
> assertions/tokens being exchanged for OAuth Access Tokens (or allowing
> for proprietary usage).   The use of SAML 2 tokens is suggested in
> draft-ietf-oauth-v2-05 but one could imagine SAML 1.1, Kerberos (along
> the lines of what Thomas outlines though I don't know enough about
> Kerb to really comment), X.509, or whatever. Perhaps part of Lisa's
> use case could be addressed by profiling a flow that defines an Access
> Token being exchanged for a different Access Token?  And the initial
> bootstrapping could maybe be accomplished via the Client Credentials
> Flow?
>
> On Wed, Jun 2, 2010 at 12:56 PM, Thomas Hardjono<hardjono@mit.edu>  wrote:
>    
>>
>> Lisa,
>>
>>
>>
>> I'm also looking at the assertion flow right now
>>
>> and wondering if I could use it to  "swap" a
>>
>> Kerberos service-ticket for an OAuth Access-Token.
>>
>>
>>
>> In particular, I would like to:
>>
>>
>>
>> (1) Wrap the KRB AP_REQ message within a SAML-assertion
>>
>> (eg. using the existing WSS Token Profile standard),
>>
>>
>>
>> (2) Deliver it using the OAuth assertion flow to a special
>>
>> Kerberized-service (or IdP or OP), who then verifies
>>
>> the Authenticator and Service-Ticket within
>>
>> the AP_REQ message.
>>
>>
>>
>> (3) Obtain in return an OAuth Access-Token with
>>
>> the same lifetimes/expiration as defined in the original
>>
>> service-ticket (in the AP_REQ request).
>>
>>
>>
>> (4) Present the Access-Token to an OAuth Resource Server.
>>
>>
>>
>> (ps. Alternatively, I could use the Kerberos delegation feature
>>
>> but that may be more complicated).
>>
>>
>>
>>
>>
>> I think Section 3.10 needs more fleshing-out.
>>
>>
>>
>> /thomas/
>>
>>
>>
>>
>>
>> __________________________________________
>>
>>
>>
>> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of
>> Lisa Dusseault
>> Sent: Wednesday, June 02, 2010 1:33 PM
>> To: oauth
>> Subject: [OAUTH-WG] Assertion flow and token bootstrapping
>>
>>
>>
>> I've been trying to understand the use case for the assertion flow
>> (http://tools.ietf.org/html/draft-ietf-oauth-v2-05#section-3.10) .
>> Conversely, I have a use case for bootstrapping, and I'm trying to
>> understand if the assertion flow is the right flow for that use case.
>>
>> The bootstrapping use case I have in mind is to allow a client to interact
>> with a related set of services by bootstrapping from client secret to an
>> access token, and then from that access token to other access tokens.  For
>> example, in a "login" interaction the client would get a generic access
>> token.  Later, to use various services -- access to personal data, access to
>> friends' data, attempts to do uploads -- the client would ask the security
>> token server for access to new resources by URI, and if access was granted,
>> receive new access tokens which could be used on those services.  The client
>> secret is not reused very often, and policy is centralized.
>>
>> This seems similar to other use cases being discussed and so it's possible
>> my main point of confusion is trying to tie this to the assertion flow
>> instead of something else.
>>
>> The assertion flow has the right number of parties involved, and it could
>> certainly be hacked/extended to do bootstrapping: instead of the client
>> secret, the general session access token could be used, and the "assertion"
>> field can contain anything including the URI of the service that the client
>> now wants.  However I wondered if something less generic could make this
>> more interoperable.
>>
>> Any thoughts?
>>
>> Thanks,
>> Lisa
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>>
>>
>>      
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
>

v2.46.0 | Report a Bug | By Email | System Status