Re: [OAUTH-WG] Seeking feedback on UMA's use of OAuth and discovery mechanisms
John Panzer <jpanzer@google.com> Tue, 24 November 2009 02:53 UTC
Return-Path: <jpanzer@google.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 52DA728C1E2 for <oauth@core3.amsl.com>; Mon, 23 Nov 2009 18:53:53 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -105.17
X-Spam-Level:
X-Spam-Status: No, score=-105.17 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4, SARE_URI_CONS7=0.306, URI_NOVOWEL=0.5, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id i1KTCkVbDmVN for <oauth@core3.amsl.com>; Mon, 23 Nov 2009 18:53:52 -0800 (PST)
Received: from smtp-out.google.com (smtp-out.google.com [216.239.45.13]) by core3.amsl.com (Postfix) with ESMTP id DE8B028C1D5 for <oauth@ietf.org>; Mon, 23 Nov 2009 18:53:51 -0800 (PST)
Received: from zps77.corp.google.com (zps77.corp.google.com [172.25.146.77]) by smtp-out.google.com with ESMTP id nAO2rkE1013616 for <oauth@ietf.org>; Mon, 23 Nov 2009 18:53:47 -0800
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=google.com; s=beta; t=1259031227; bh=emQ/YavKWfaBSD6TsAmuXbcdNHg=; h=MIME-Version:In-Reply-To:References:From:Date:Message-ID:Subject: To:Cc:Content-Type; b=bm5T8AkS0uhe01XQhAaouEpOI3XyzEP03VBVu/BzHi4Yjk2KE6uZM2asuWKyRsg42 iEoaPqhAaXjwxXDrchycA==
DomainKey-Signature: a=rsa-sha1; s=beta; d=google.com; c=nofws; q=dns; h=mime-version:in-reply-to:references:from:date:message-id: subject:to:cc:content-type:x-system-of-record; b=OBhvXWLTQYUvpux6ilLAW+UHsp/hF+9A77ND0L/5grIEcd3JezFxkXaGS83ddG05P xD2+kBNm/OoaQLT281rSQ==
Received: from pwi15 (pwi15.prod.google.com [10.241.219.15]) by zps77.corp.google.com with ESMTP id nAO2riBT025325 for <oauth@ietf.org>; Mon, 23 Nov 2009 18:53:44 -0800
Received: by pwi15 with SMTP id 15so4036652pwi.24 for <oauth@ietf.org>; Mon, 23 Nov 2009 18:53:44 -0800 (PST)
MIME-Version: 1.0
Received: by 10.114.9.6 with SMTP id 6mr10909382wai.35.1259031224089; Mon, 23 Nov 2009 18:53:44 -0800 (PST)
In-Reply-To: <BA53F346-D288-473F-9B71-BC645DEF00D6@xmlgrrl.com>
References: <BA53F346-D288-473F-9B71-BC645DEF00D6@xmlgrrl.com>
From: John Panzer <jpanzer@google.com>
Date: Mon, 23 Nov 2009 18:53:24 -0800
Message-ID: <cb5f7a380911231853x61cf7678paa3e608a3fa60b36@mail.gmail.com>
To: Eve Maler <eve@xmlgrrl.com>
Content-Type: multipart/alternative; boundary="00504502e165df7be00479150cc6"
X-System-Of-Record: true
Cc: oauth@googlegroups.com, oauth@ietf.org
Subject: Re: [OAUTH-WG] Seeking feedback on UMA's use of OAuth and discovery mechanisms
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 24 Nov 2009 02:53:53 -0000
It sounds very interesting. In OAuth terms, I think it adds, to the basic OAuth 3 legged flow, the ability to delegate the authorization decisions 'normally' made out of band of the OAuth protocol to a completely separate service. Aftet 60 seconds looking at it, my first silly question is how the AM service is determined -- it looks like everything is based on LRDD starting from the resource being accessed? -- John Panzer / Google jpanzer@google.com / abstractioneer.org / @jpanzer On Mon, Nov 23, 2009 at 6:04 PM, Eve Maler <eve@xmlgrrl.com> wrote: > The User-Managed Access effort[1], previously mentioned on this list as > "ProtectServe", intends to solve user-driven permissioning (authorization) > problems at Internet scale. It is designed to be modular, and to reuse and > profile existing technology as much as possible. Therefore, we have > attempted to "stay out of the business of authentication", profiling OAuth > lightly in order to do so. > > The UMA group would be grateful for your feedback on our intended usage of > OAuth and its emerging discovery methods. Details can be found in the worked > example in our spec[2]; various explanatory materials about UMA in general > are available as well.[3] > > Briefly, the UMA protocol has four distinct parties vs. OAuth's three: > there's an authorizing user, a consumer/client (which we call a"requester"), > an SP/server (which we call a "host"), and an authorization manager. We > compose three instances of OAuth to introduce all these parties > appropriately to each other: there's user/host/AM (three-legged), > requester/host (two-legged), and requester/AM (another two-legged). Because > of our goals to allow most of these parties to meet fairly dynamically, we > are leaning quite heavily on XRD and LRDD for discovery; various simplifying > assumptions could probably be made to simplify this picture, however. > > (If you find UMA's use cases and design center interesting, you'd be very > welcome at the table.[4]) > > Thanks, > > Eve > UMA group chair > > [1] http://kantarainitiative.org/confluence/display/uma/Home > [2] > http://kantarainitiative.org/confluence/display/uma/UMA+1.0+Core+Protocol > [3] http://kantarainitiative.org/confluence/display/uma/UMA+Explained > [4] http://signup.kantarainitiative.org/?selectedGroup=11 > > > Eve Maler > eve@xmlgrrl.com > http://www.xmlgrrl.com/blog > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth >