[OAUTH-WG] SASL / OAuth Binding Request: User Field
Ryan Troll <rtroll@googlers.com> Mon, 16 July 2012 18:46 UTC
Return-Path: <rtroll@google.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8B86511E80D3 for <oauth@ietfa.amsl.com>; Mon, 16 Jul 2012 11:46:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.976
X-Spam-Level:
X-Spam-Status: No, score=-102.976 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rJtfhjvEyL1r for <oauth@ietfa.amsl.com>; Mon, 16 Jul 2012 11:46:07 -0700 (PDT)
Received: from mail-qc0-f172.google.com (mail-qc0-f172.google.com [209.85.216.172]) by ietfa.amsl.com (Postfix) with ESMTP id 5315B11E8072 for <oauth@ietf.org>; Mon, 16 Jul 2012 11:46:07 -0700 (PDT)
Received: by qcac10 with SMTP id c10so3935333qca.31 for <oauth@ietf.org>; Mon, 16 Jul 2012 11:46:52 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=googlers.com; s=googlers; h=mime-version:date:message-id:subject:from:to:content-type :x-system-of-record; bh=KaA9UzoHhpMYWG9afuXKY2GTruJ2AJO5HMXie7CJsho=; b=gVxX6Jo1BFUFOBtKaWndkPKBEMj51axcaY/hCOppcf13d3wepbyNN5+QvqWoDh3eF5 +3W5Kffcn7dDR/mPsuiJNatV4++25YuTiP9hkyrSWBs4BNG9i/jTUank8pS/FfAwyaTj lXglHaA2UEX5SQRWfSb+u5XkGwPK6BFuM5YhI=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:date:message-id:subject:from:to:content-type :x-system-of-record:x-gm-message-state; bh=KaA9UzoHhpMYWG9afuXKY2GTruJ2AJO5HMXie7CJsho=; b=dU/fx2AllThyFDp59feb6omBmCfc03jTs7BMxuOljej4+l/hzMpdLVfMhNqBvLsQY9 qhDd5vGReED9UjQ+SdDrw6IN/Yn40RlwD1Nb0eVTU8ODgI4bIjNqLJ9TAAjHGWzreBCR gVRmPhYKfyDItnECzQ4dYui/rCz0cfKLywVxWfw/PyZUkOZiyMfpIPQhu6XPU6nDUaPj moC99wJWGbSdwJGavRXtnU8eUuZUbbOMYXQxbssLB6w81Ye1vGQUIL/VuJEhTGrRNy1t GLMShHk4a7KrTd7S/QprI8sDVZd6z8kWfZBCJUOm8h7C5YiGB7KiHJlt5xlotW6mwSK2 mQQw==
Received: by 10.224.70.195 with SMTP id e3mr23066803qaj.86.1342464412137; Mon, 16 Jul 2012 11:46:52 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.224.70.195 with SMTP id e3mr23066771qaj.86.1342464411857; Mon, 16 Jul 2012 11:46:51 -0700 (PDT)
Received: by 10.229.201.230 with HTTP; Mon, 16 Jul 2012 11:46:51 -0700 (PDT)
Date: Mon, 16 Jul 2012 11:46:51 -0700
Message-ID: <CAPe4Cjr=XrCyubv2tihuRaO0tfidQToJ3_bMMpmxcZPsXDEQpg@mail.gmail.com>
From: Ryan Troll <rtroll@googlers.com>
To: oauth@ietf.org
Content-Type: multipart/alternative; boundary="bcaec51a8dee6471ac04c4f6daad"
X-System-Of-Record: true
X-Gm-Message-State: ALoCoQlyojEANwCDoRnUgh/bU1oztMfsS9HT33AuLgAJm16m1YfJrx3YnJhyTmYxfb9sFor/RpG6IgAKKDlbtUmNUvLCAHMOXSlNGjg7hrwmxMumGom1LQ/ItYGQH3MZMWZaAOSiOT22nnZlqp7ITiaJ33TGV3mZ0+ejplYH6JKCv2RuYh6s8yg=
Subject: [OAUTH-WG] SASL / OAuth Binding Request: User Field
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 16 Jul 2012 18:52:18 -0000
I'd like to discuss the possibility of adding a "user" field to the SASL/OAuth request. This is based on draft-ietf-kitten-sasl-oauth-00.txt. *Background* The contents of this field may be used by the resource provider as a hint to aid in request routing, and/or data location, without the need for decrypting the provided access token. The contents of the user field is not used to grant access of any kind. *Proposed Addition* The text of this addition could look something like this: Section 3.1 addition / update: user: Contains the user ID of the user being authorized In authorization schemes that use signatures, the client MUST send host, port number and user key/values, and the server MUST fail authorization requests requiring signatures that do not have host, port, and user values. Section 3.2 addition: If the user field is present, the ID in the user field must match the ID obtained from the credential for the request to succeed. *Rationale for Presence of User Field in the Request* This data is not required by all resource providers, and as such could be a provider-specific requirement, placed (for example) in the query string. By documenting the user field, we encourage resource providers that do require it to find it in the same location - encouraging inter-operability. The user identity could be determined via the access token, rather than requiring it in the request. However, using the access token to determine the identity can result in the resource provider decoding the token multiple times, or making multiple requests to the access provider. By pulling this attribute out into the protocol, we may be able to simplify the resource provider work required when moving to OAuth. *Rationale for Location of User Field* This data could be transmitted as part of the path, or a query string parameter, or in the post body. This approach, using a header, was proposed as there are currently no path, query string, or post fields defined. Those three locations remain untouched by this proposal. * * * * Comments? -R
- [OAUTH-WG] SASL / OAuth Binding Request: User Fie… Ryan Troll
- Re: [OAUTH-WG] SASL / OAuth Binding Request: User… William Mills