[OAUTH-WG] Use cases for Audience Restricted tokens + AS and RS "discovery"

George Fletcher <gffletch@aol.com> Thu, 17 March 2016 17:43 UTC

To: "oauth@ietf.org" <oauth@ietf.org>
From: George Fletcher <gffletch@aol.com>
Organization: AOL LLC
Message-ID: <56EAEB54.8010208@aol.com>
Date: Thu, 17 Mar 2016 13:37:24 -0400
List-Id: OAUTH WG <oauth.ietf.org>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/f7ZL-kSAFexuFbGvBj_N6cLmMTg>

Goals:

1. Help the client not send a token to the "wrong" endpoint
    a. wrong AS /token endpoint
    b. evil RS endpoint(s)
2. Allow good RS to determine if the token being validated was intended for that RS

Other high-level goals?

Use cases:

1. RS that supports multiple AS (we've had this in production since 2011)
2. RS rejects token not issued for use at the RS
3. Client that dynamically supports new RS (say any client that supports the jabber API)
4. Client that dynamically supports new AS

Feel free to add to the list :)