Re: [OAUTH-WG] Fwd: New Version Notification for draft-richer-oauth-introspection-02.txt

Justin Richer <jricher@mitre.org> Thu, 07 February 2013 17:01 UTC

Message-ID: <5113DDB2.7060805@mitre.org>
Date: Thu, 07 Feb 2013 12:00:34 -0500
From: Justin Richer <jricher@mitre.org>
To: Prabath Siriwardena <prabath@wso2.com>
References: <20130206192420.32698.21027.idtracker@ietfa.amsl.com> <5112AE0B.1080501@mitre.org> <CAJV9qO_8-4FowrXK=ae-+xMjiJFP04ryVMLQ8SGUH8kp3PHrLg@mail.gmail.com> <5113C3AA.1040701@mitre.org> <CAJV9qO8BVV57eAb5kUNes15AYOpUKqw5XWQswh-FJA=b1pPgSA@mail.gmail.com>
In-Reply-To: <CAJV9qO8BVV57eAb5kUNes15AYOpUKqw5XWQswh-FJA=b1pPgSA@mail.gmail.com>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Fwd: New Version Notification for draft-richer-oauth-introspection-02.txt

It validates the token, which would be either the token itself in the 
case of Bearer or the token "id" part of something more complex like 
MAC. It doesn't directly validate the usage of the token; that's still 
up to the PR.

I nearly added a "token type" field in this draft, but held back because 
there are several kinds of "token type" that people talk about in OAuth. 
First, there's "Bearer" vs. "MAC" vs. "HOK", or what have you. Then 
within Bearer you have "JWT" or "SAML" or "unstructured blob". Then 
you've also got "access" vs. "refresh" and other flavors of token, like 
the id_token in OpenID Connect.

Thing is, the server running the introspection endpoint will probably 
know *all* of these. But should it tell the client? If so, which of the 
three, and what names should the fields be?

  -- Justin

On 02/07/2013 11:26 AM, Prabath Siriwardena wrote:
> Okay.. I was thinking this could be used as a way to validate the 
> token as well. BTW even in this case shouldn't we communicate the type of 
> token to the AS? For example, in the case of the SAML profile it could be a 
> SAML token..
>
> Thanks & regards,
> -Prabath
>
> On Thu, Feb 7, 2013 at 8:39 PM, Justin Richer <jricher@mitre.org 
> <mailto:jricher@mitre.org>> wrote:
>
>     "valid" might not be the best term, but it's meant to be a field
>     where the server says "yes this token is still good" or "no this
>     token isn't good anymore". We could instead do this with HTTP
>     codes or something but I went with a pure JSON response.
>
>      -- Justin
>
>
>     On 02/06/2013 10:47 PM, Prabath Siriwardena wrote:
>>     Hi Justin,
>>
>>     I believe this is addressing one of the key missing parts in OAuth
>>     2.0...
>>
>>     One question - I guess this was discussed already...
>>
>>     In the spec - in the introspection response it has the attribute
>>     "valid" - this is basically the validity of the token provided in
>>     the request.
>>
>>     Validation criteria depend on the token as well as the token type (
>>     Bearer, MAC..).
>>
>>     In the spec it seems like it's coupled with the Bearer token type...
>>     But I guess, by adding "token_type" to the request, we can remove
>>     this dependency.
>>
>>     WDYT..?
>>
>>     Thanks & regards,
>>     -Prabath
>>
>>     On Thu, Feb 7, 2013 at 12:54 AM, Justin Richer <jricher@mitre.org
>>     <mailto:jricher@mitre.org>> wrote:
>>
>>         Updated introspection draft based on recent comments. Changes
>>         include:
>>
>>          - "scope" return parameter now follows RFC6749 format
>>         instead of JSON array
>>          - "subject" -> "sub", and "audience" -> "aud", to be
>>         parallel with JWT claims
>>          - clarified what happens if the authentication is bad
>>
>>          -- Justin
>>
>>
>>         -------- Original Message --------
>>         Subject: 	New Version Notification for
>>         draft-richer-oauth-introspection-02.txt
>>         Date: 	Wed, 6 Feb 2013 11:24:20 -0800
>>         From: 	<internet-drafts@ietf.org>
>>         <mailto:internet-drafts@ietf.org>
>>         To: 	<jricher@mitre.org> <mailto:jricher@mitre.org>
>>
>>
>>
>>         A new version of I-D, draft-richer-oauth-introspection-02.txt
>>         has been successfully submitted by Justin Richer and posted to the
>>         IETF repository.
>>
>>         Filename:	 draft-richer-oauth-introspection
>>         Revision:	 02
>>         Title:		 OAuth Token Introspection
>>         Creation date:	 2013-02-06
>>         WG ID:		 Individual Submission
>>         Number of pages: 6
>>         URL:http://www.ietf.org/internet-drafts/draft-richer-oauth-introspection-02.txt
>>         Status:http://datatracker.ietf.org/doc/draft-richer-oauth-introspection
>>         Htmlized:http://tools.ietf.org/html/draft-richer-oauth-introspection-02
>>         Diff:http://www.ietf.org/rfcdiff?url2=draft-richer-oauth-introspection-02
>>
>>         Abstract:
>>             This specification defines a method for a client or protected
>>             resource to query an OAuth authorization server to determine meta-
>>             information about an OAuth token.
>>
>>
>>
>>
>>
>>         The IETF Secretariat
>>
>>
>>
>>
>>         _______________________________________________
>>         OAuth mailing list
>>         OAuth@ietf.org <mailto:OAuth@ietf.org>
>>         https://www.ietf.org/mailman/listinfo/oauth
>>
>>
>>
>>
>>     -- 
>>     Thanks & Regards,
>>     Prabath
>>
>>     Mobile : +94 71 809 6732
>>
>>     http://blog.facilelogin.com
>>     http://RampartFAQ.com
>
>
>
>
> -- 
> Thanks & Regards,
> Prabath
>
> Mobile : +94 71 809 6732
>
> http://blog.facilelogin.com
> http://RampartFAQ.com
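The exchange the thread describes, as an added example that is not part of the thread or of the draft: a simulated introspection endpoint on the authorization server (AS) and the protected-resource (PR) check that consumes its answer. The introspection call is a plain function here rather than an HTTP request; the token store, the resource credentials, the "exp" field and every identifier are constructed assumptions, and only "valid", "sub", "aud" and the RFC 6749 space-delimited "scope" come from the draft as discussed above (the eventual RFC 7662 later renamed "valid" to "active"). Justin's point, that introspection only says whether the token is still good while the usage check stays with the PR, is what `authorize` does after `introspect` returns.

```python
import json
import secrets

# Everything below is constructed sample data for a simulated authorization
# server (AS): three tokens and one set of resource credentials. The response
# fields "valid", "sub", "aud" and "scope" are the ones the thread discusses;
# "exp", the credential table and all function names are assumptions.
NOW = 1_360_000_000  # fixed clock so the example is deterministic

_TOKENS = {
    "tok_good": {"sub": "alice", "aud": "https://api.example.com/photos",
                 "scope": "photos.read photos.write", "exp": NOW + 3600},
    "tok_expired": {"sub": "bob", "aud": "https://api.example.com/photos",
                    "scope": "photos.read", "exp": NOW - 60},
    "tok_other_aud": {"sub": "carol", "aud": "https://api.example.com/mail",
                      "scope": "photos.read", "exp": NOW + 3600},
}
_RESOURCE_CREDENTIALS = {"photos-api": "s3cret"}  # PRs allowed to introspect


class IntrospectionAuthError(Exception):
    """The caller of the introspection endpoint did not authenticate."""


def introspect(token: str, client_id: str, client_secret: str, now: int = NOW) -> str:
    """Simulated AS introspection endpoint; returns the JSON response body.

    Every negative answer is the same minimal document, so a caller learns
    nothing about tokens it does not hold (unknown, revoked and expired
    tokens are indistinguishable). Bad resource credentials are refused
    outright rather than answered with {"valid": false}.
    """
    expected = _RESOURCE_CREDENTIALS.get(client_id, "")
    if not secrets.compare_digest(expected.encode(), client_secret.encode()):
        raise IntrospectionAuthError("resource credentials rejected")
    rec = _TOKENS.get(token)
    if rec is None or rec["exp"] <= now:
        return json.dumps({"valid": False})
    # "scope" is the RFC 6749 space-delimited string, not a JSON array
    return json.dumps({"valid": True, "sub": rec["sub"], "aud": rec["aud"],
                       "scope": rec["scope"], "exp": rec["exp"]})


def authorize(token: str, required_scope: str, my_audience: str) -> tuple:
    """Protected-resource side: ask the AS whether the token is good, then
    decide whether *this* use of it is allowed.

    Introspection only answers "is this token still good". Whether the token
    may be used against this resource (audience) for this operation (scope)
    is the PR's own check, as the thread points out.
    Returns (True, subject) or (False, reason).
    """
    try:
        body = json.loads(introspect(token, "photos-api", "s3cret"))
    except IntrospectionAuthError as exc:
        return False, f"introspection refused: {exc}"
    if body.get("valid") is not True:
        return False, "token not valid"
    # JWT-style "aud" may be a single string or a list; accept either shape
    aud = body.get("aud")
    audiences = [aud] if isinstance(aud, str) else list(aud or [])
    if my_audience not in audiences:
        return False, "token not issued for this resource"
    granted = set(body.get("scope", "").split())
    if required_scope not in granted:
        return False, f"missing scope {required_scope}"
    return True, body["sub"]


if __name__ == "__main__":
    photos = "https://api.example.com/photos"
    for tok, scope in [("tok_good", "photos.write"), ("tok_good", "photos.delete"),
                       ("tok_expired", "photos.read"), ("tok_other_aud", "photos.read"),
                       ("tok_unknown", "photos.read")]:
        print(tok, scope, "->", authorize(tok, scope, photos))
```

The AS deliberately returns the same `{"valid": false}` for an unknown, an expired and (in a real deployment) a revoked token, and refuses unauthenticated callers before looking anything up, so the endpoint cannot be used as an oracle for guessing tokens. The PR, for its part, does not stop at `valid`: a token that is perfectly good for the mail API is still rejected by the photos API on audience, and a valid token for the right audience is still rejected if the granted scope does not cover the operation.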