Re: [OAUTH-WG] Use cases for Audience Restricted tokens + AS and RS "discovery"
George Fletcher <gffletch@aol.com> Fri, 18 March 2016 14:14 UTC
Return-Path: <gffletch@aol.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4A90412D5C9 for <oauth@ietfa.amsl.com>; Fri, 18 Mar 2016 07:14:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=mx.aol.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YEkrIR6xXG3x for <oauth@ietfa.amsl.com>; Fri, 18 Mar 2016 07:14:37 -0700 (PDT)
Received: from omr-a018e.mx.aol.com (omr-a018e.mx.aol.com [204.29.186.64]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B85FA12D582 for <oauth@ietf.org>; Fri, 18 Mar 2016 07:14:35 -0700 (PDT)
Received: from mtaout-aam02.mx.aol.com (mtaout-aam02.mx.aol.com [172.27.19.146]) by omr-a018e.mx.aol.com (Outbound Mail Relay) with ESMTP id EECCE3800262; Fri, 18 Mar 2016 10:14:34 -0400 (EDT)
Received: from [10.172.102.179] (unknown [10.172.102.179]) (using TLSv1 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by mtaout-aam02.mx.aol.com (MUA/Third Party Client Interface) with ESMTPSA id 7A56838000086; Fri, 18 Mar 2016 10:14:34 -0400 (EDT)
To: Thomas Broyer <t.broyer@gmail.com>, "oauth@ietf.org" <oauth@ietf.org>
References: <56EAEB54.8010208@aol.com> <CAEayHEO9b+AQ4bT0Zjy4UvqE9qv6Yv1QivjLZiWe=cuNMppGuA@mail.gmail.com> <56EBF9A8.8070909@aol.com> <CAEayHEOg4=FMJDpPXk1inDV9WjstNBemqg_Jb7=Xh4YZSOmzWg@mail.gmail.com>
From: George Fletcher <gffletch@aol.com>
Organization: AOL LLC
Message-ID: <56EC0D4A.2060309@aol.com>
Date: Fri, 18 Mar 2016 10:14:34 -0400
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:38.0) Gecko/20100101 Thunderbird/38.7.0
MIME-Version: 1.0
In-Reply-To: <CAEayHEOg4=FMJDpPXk1inDV9WjstNBemqg_Jb7=Xh4YZSOmzWg@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------060108010709060107020509"
x-aol-global-disposition: G
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mx.aol.com; s=20150623; t=1458310474; bh=krsKgp36adLx2iZnLpTCrr/5L1OFiGc2aArsrwP8TDQ=; h=From:To:Subject:Message-ID:Date:MIME-Version:Content-Type; b=sqSXkdDt04CUR/2fUF6BObnqUV0SUBE5GWWseP0wo499sgszU+rzJIDJOkNOSSHAK PGYi25BGbHEJHLYKE3qNMs11J9LkdqLP6gawDyuG5VZO42I8pY4I6m2UurNzhDisJF P1XZS6ssU4lEgBgpTyMEgqnNCmaVg71TMoXl/n5s=
x-aol-sid: 3039ac1b139256ec0d4a091c
X-AOL-IP: 10.172.102.179
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/fl642zNbJuKEsCp6F4kl-n01-GQ>
Subject: Re: [OAUTH-WG] Use cases for Audience Restricted tokens + AS and RS "discovery"
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 18 Mar 2016 14:14:40 -0000
This is pretty much what we do today as well. The additional goal is to specifically bind tokes to a particular resource outside the context of the scope value. Just like in SAML, the RS would not process any token which was not specifically created for use with that RS. So it's an additional layer of protection beyond scopes. Thanks, George On 3/18/16 9:59 AM, Thomas Broyer wrote: > > > On Fri, Mar 18, 2016 at 1:50 PM George Fletcher <gffletch@aol.com > <mailto:gffletch@aol.com>> wrote: > > I was thinking of goal #2 as addressing the issue of audience in > the token. If the RS "authenticates" itself when calling > introspection, then the AS could apply the audience restriction > for the RS. Is that what you were thinking? > > > Yes (or I think so). > Scopes are declared in relation to "applications" (which can be either > clients or RS), and our introspection endpoint returns > {"active":false} if there's no matching scopes between what the > "application" has declared and those of the token. > We actually do "scope restriction" (only returning the scopes related > to the requesting application), with the added rule that if there's no > scope left we return {"active":false} rather than an empty list of scopes.
- [OAUTH-WG] Use cases for Audience Restricted toke… George Fletcher
- Re: [OAUTH-WG] Use cases for Audience Restricted … Thomas Broyer
- Re: [OAUTH-WG] Use cases for Audience Restricted … George Fletcher
- Re: [OAUTH-WG] Use cases for Audience Restricted … Justin Richer
- Re: [OAUTH-WG] Use cases for Audience Restricted … Thomas Broyer
- Re: [OAUTH-WG] Use cases for Audience Restricted … George Fletcher
- Re: [OAUTH-WG] Use cases for Audience Restricted … Brian Campbell
- Re: [OAUTH-WG] Use cases for Audience Restricted … Phil Hunt (IDM)
- Re: [OAUTH-WG] Use cases for Audience Restricted … Brian Campbell
- Re: [OAUTH-WG] Use cases for Audience Restricted … Phil Hunt
- Re: [OAUTH-WG] Use cases for Audience Restricted … John Bradley
- Re: [OAUTH-WG] Use cases for Audience Restricted … John Bradley
- Re: [OAUTH-WG] Use cases for Audience Restricted … Phil Hunt
- Re: [OAUTH-WG] Use cases for Audience Restricted … Phil Hunt
- Re: [OAUTH-WG] Use cases for Audience Restricted … John Bradley
- Re: [OAUTH-WG] Use cases for Audience Restricted … John Bradley