IETF Logo Mail Archive

[OAUTH-WG] Need for Extending OAuth with AuthN (was Re: Fwd: New Version Notification for draft-hunt-oauth-v2-user-a4c-00.txt)

Prateek Mishra <prateek.mishra@oracle.com> Wed, 31 July 2013 21:38 UTC

Return-Path: <prateek.mishra@oracle.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7FE6121E80D1 for <oauth@ietfa.amsl.com>; Wed, 31 Jul 2013 14:38:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.998
X-Spam-Level:
X-Spam-Status: No, score=-5.998 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, J_CHICKENPOX_55=0.6, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mU3kdYAbNxQM for <oauth@ietfa.amsl.com>; Wed, 31 Jul 2013 14:38:46 -0700 (PDT)
Received: from userp1040.oracle.com (userp1040.oracle.com [156.151.31.81]) by ietfa.amsl.com (Postfix) with ESMTP id B367C21E80C1 for <oauth@ietf.org>; Wed, 31 Jul 2013 14:38:46 -0700 (PDT)
Received: from ucsinet21.oracle.com (ucsinet21.oracle.com [156.151.31.93]) by userp1040.oracle.com (Sentrion-MTA-4.3.1/Sentrion-MTA-4.3.1) with ESMTP id r6VLchuE004979 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Wed, 31 Jul 2013 21:38:44 GMT
Received: from userz7021.oracle.com (userz7021.oracle.com [156.151.31.85]) by ucsinet21.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id r6VLchdb022073 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 31 Jul 2013 21:38:43 GMT
Received: from abhmt106.oracle.com (abhmt106.oracle.com [141.146.116.58]) by userz7021.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id r6VLcgAF022032; Wed, 31 Jul 2013 21:38:42 GMT
Received: from [192.168.2.5] (/24.91.51.58) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Wed, 31 Jul 2013 14:38:42 -0700
Message-ID: <51F983E3.1020400@oracle.com>
Date: Wed, 31 Jul 2013 17:38:43 -0400
From: Prateek Mishra <prateek.mishra@oracle.com>
Organization: Oracle Corporation
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/20130620 Thunderbird/17.0.7
MIME-Version: 1.0
To: Nat Sakimura <sakimura@gmail.com>
References: <787A2184-CE90-49F4-ABB6-B8D049AE3941@oracle.com> <E2282016-1953-48A4-B0AC-7F138D29AB80@oracle.com> <BAB6DA63-5831-49D0-8CB9-13CF57F78806@ve7jtb.com> <CABzCy2C=DXtFUOZh=55xH_BwMz1Z8gb2ShUHAG7ZmATtc4E4zw@mail.gmail.com> <51F83EF7.6040201@oracle.com> <CABzCy2D4CJUMEQ32JNba8H4veBfgXOvj_J0rT7VmTtT-N_7BKQ@mail.gmail.com>
In-Reply-To: <CABzCy2D4CJUMEQ32JNba8H4veBfgXOvj_J0rT7VmTtT-N_7BKQ@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------000007040908020008080809"
X-Source-IP: ucsinet21.oracle.com [156.151.31.93]
Cc: "oauth@ietf.org WG" <oauth@ietf.org>
Subject: [OAUTH-WG] Need for Extending OAuth with AuthN (was Re: Fwd: New Version Notification for draft-hunt-oauth-v2-user-a4c-00.txt)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 31 Jul 2013 21:38:51 -0000

Nat -

thanks for the detailed response. I did review the links you sent out 
but it remained unclear to me which
features are MTI and which are not. For example, there is nothing in the 
Basic Client Profile that suggests
that Section 2.3 is optional. I also could not find any definition for " 
non-dynamic OpenID Connect Server".

I dont think there is a need to duplicate portions of the draft 
specification text in a new document. One solution
that was used in SAML 2.0 was to define a conformance document which 
described several different
operational modes and explained how only a small set of features needed 
to be implemented in certain modes.

http://docs.oasis-open.org/security/saml/v2.0/saml-conformance-2.0-os.pdf

There are probably other smarter ways to achieve the same effect.

Given this situation, I do think its a reasonable task for the OAuth 
community to consider the need for
a minimal extension to OAuth that accommodates authentication. The 
community should be made aware that
RFC 6749 is being misused for federated authentication, as explained in  -

http://www.independentid.com/2013/07/simple-authentication-for-oauth-2-what.html 


and that there doesn't appear to be a simple solution that is currently 
available. It would be great if it turned
out that OpenID Connect offered such a solution but that isn't clear to me.

Thx,
prateek

>
> Inline:
>
> 2013/7/31 Prateek Mishra <prateek.mishra@oracle.com 
> <mailto:prateek.mishra@oracle.com>>
>
>     Nat -
>
>     your blog posting is helpful to those of us who are looking for a
>     minimal extension of OAuth with
>     an authenticator.  Many implementors are seeking a modest
>     extension of OAuth, not an entire new protocol
>     stack.   I believe that is the point of Phil Hunt's proposal to
>     the OAuth committee.
>
>     I do have some questions for about the statements made in the blog -
>
>     A) Can you direct me to a single OpenID Connect draft
>     specification document where steps 1 and 2 are described?
>
>
> Actually, it is not a single spec, that the Standard is referencing 
> others.
> The Standard is kind of cluttered because it has 6 response types and 
> three request types in it.
> I suppose it would be much easier for the readers to split them into 
> coherent pieces, though that means duplicate texts.
>
> The easiest approach here is to read the Basic Client Profile. 
> http://openid.net/specs/openid-connect-basic-1_0-28.html
> Then, read OAuth 2.0 Multiple Response Type Encoding Practices 
> http://openid.net/specs/oauth-v2-multiple-response-types-1_0-08.html .
>
>
>     B) If I implement steps 1 and 2, do I then have a conformant
>     OpenID Connect implementation? Are there no
>     other MTI protocol exchanges in OpenID Connect?
>
>
> Yes, for a non-dynamic OpenID Connect Server.
>
> Nat
>
>
>     Thanks,
>     prateek
>
>
>
>
>>     I have written a short blog post titled "Write an OpenID Connect
>>     server in three simple steps
>>     <http://nat.sakimura.org/2013/07/28/write-openid-connect-server-in-three-simple-steps/>".
>>
>>
>>     Really, there is not much you need to on top of OAuth 2.0.
>>
>>     It puzzles me why you need to create a draft with only minor
>>     variances in parameter names.
>>
>>         e.g.,
>>         session instead of id_token
>>         lat instead of iat
>>         alv instead of acr
>>         etc.
>>
>>
>>     If you change those parameter names, you will have a conformant
>>     profile of OpenID Connect.
>>
>>     Nat
>>
>>
>>     2013/7/31 John Bradley <ve7jtb@ve7jtb.com <mailto:ve7jtb@ve7jtb.com>>
>>
>>         Connect dosen't require a userinfo endpoint.   It is required
>>         for interoperability if you are building an open IdP.   For
>>         an enterprise type deployment discovery, registration,
>>         userifo are all optional.
>>
>>         The server is required to pass the nonce which is equivalent
>>         to a request ID through to the JWT if the client sends it in
>>         the request.
>>
>>         Justin is correct.
>>
>>         John B.
>>
>>         On 2013-07-30, at 5:30 PM, Phil Hunt <phil.hunt@oracle.com
>>         <mailto:phil.hunt@oracle.com>> wrote:
>>
>>>         Forgot reply all.
>>>
>>>         Phil
>>>
>>>         Begin forwarded message:
>>>
>>>>         *From:* Phil Hunt <phil.hunt@oracle.com
>>>>         <mailto:phil.hunt@oracle.com>>
>>>>         *Date:* 30 July, 2013 17:25:46 GMT+02:00
>>>>         *To:* "Richer, Justin P." <jricher@mitre.org
>>>>         <mailto:jricher@mitre.org>>
>>>>         *Subject:* *Re: [OAUTH-WG] New Version Notification for
>>>>         draft-hunt-oauth-v2-user-a4c-00.txt*
>>>>
>>>>         The whole point is authn only. Many do not want or need the
>>>>         userinfo endpoint.
>>>>
>>>>         Phil
>>>>
>>>>         On 2013-07-30, at 17:17, "Richer, Justin P."
>>>>         <jricher@mitre.org <mailto:jricher@mitre.org>> wrote:
>>>>
>>>>>         What do you mean? You absolutely can implement a compliant
>>>>>         OIDC server nearly as simply as this. The things that
>>>>>         you're missing I think are necessary for basic
>>>>>         interoperable functionality, and are things that other
>>>>>         folks using OAuth for authentication have also
>>>>>         implemented. Namely:
>>>>>
>>>>>          - Signing the ID token (OIDC specifies the RS256 flavor
>>>>>         of JWS, which is easy to do with JWT). Without a signed
>>>>>         and verifiable ID token or equivalent, you're asking for
>>>>>         all kinds of token injection problems.
>>>>>          - Session management requests (max auth age, auth time)
>>>>>          - Not fall over with other parameters that you don't
>>>>>         support (display, prompt, etc).
>>>>>
>>>>>         See here for more information:
>>>>>
>>>>>         http://openid.net/specs/openid-connect-messages-1_0.html#ServerMTI
>>>>>
>>>>>         Additionally, something that's really important to support
>>>>>         is the User Info Endpoint, so you can actually get user
>>>>>         profile information beyond just the simple "someone was
>>>>>         here" claim -- this was the real value of Facebook Connect
>>>>>         from an RP's perspective. Some people will probably want
>>>>>         to use SCIM for this, too, and that's fine.
>>>>>
>>>>>          -- Justin
>>>>>
>>>>>         On Jul 30, 2013, at 10:54 AM, Phil Hunt
>>>>>         <phil.hunt@oracle.com <mailto:phil.hunt@oracle.com>>
>>>>>          wrote:
>>>>>
>>>>>>         The oidc specs do not allow this simple an
>>>>>>         implementation. The spec members have not shown interest
>>>>>>         in making changes as they say they are too far down the road.
>>>>>>
>>>>>>         I have tried to make my draft as close as possible to
>>>>>>         oidc but maybe it shouldn't be clarity wise. I am
>>>>>>         interested in what the group feels is clearest.
>>>>>>
>>>>>>         From an ietf perspective the concern is improper use of
>>>>>>         the 6749 for authn. Is this a bug or gap we need to address?
>>>>>>
>>>>>>         Phil
>>>>>>
>>>>>>         On 2013-07-30, at 16:46, "Richer, Justin P."
>>>>>>         <jricher@mitre.org <mailto:jricher@mitre.org>> wrote:
>>>>>>
>>>>>>>         From what I read, you've defined something that uses an
>>>>>>>         OAuth 2 code flow to get an extra token which is
>>>>>>>         specified as a JWT. You named it "session_token" instead
>>>>>>>         of "id_token", and you've left off the User Information
>>>>>>>         Endpoint -- but other than that, this is exactly the
>>>>>>>         Basic Client for OpenID Connect. In other words, if you
>>>>>>>         change the names on things you've got OIDC, but without
>>>>>>>         the capabilities to go beyond a very basic "hey there's
>>>>>>>         a user here" claim. This is the same place that OpenID
>>>>>>>         2.0 started, and it was very, very quickly extended with
>>>>>>>         SREG, AX, PAPE, and others for it to be useful in the
>>>>>>>         real world of distributed logins. You've also left out
>>>>>>>         discovery and registration which are required for
>>>>>>>         distributed deployments, but I'm guessing that those
>>>>>>>         would be modular components that could be added in (like
>>>>>>>         they are in OIDC).
>>>>>>>
>>>>>>>         I've heard complaints that OIDC is complicated, but it's
>>>>>>>         really not. Yes, I agree that the giant stack of
>>>>>>>         documents is intimidating and in my opinion it's a bit
>>>>>>>         of a mess with Messages and Standard split up (but I
>>>>>>>         lost that argument years ago). However, at the core,
>>>>>>>         you've got an OAuth2 authorization server that spits out
>>>>>>>         access tokens and id tokens. The id token is a JWT with
>>>>>>>         some known claims (iss, sub, etc) and is issued along
>>>>>>>         side the access token, and its audience is the *client*
>>>>>>>         and not the *protected resource*. The access token is a
>>>>>>>         regular old access token and its format is undefined (so
>>>>>>>         you can use it with an existing OAuth2 server setup,
>>>>>>>         like we have), and it can be used at the User Info
>>>>>>>         Endpoint to get profile information about the user who
>>>>>>>         authenticated. It could also be used for other services
>>>>>>>         if your AS/IdP protects multiple things.
>>>>>>>
>>>>>>>         So I guess what I'm missing is what's the value
>>>>>>>         proposition in this spec when we have something that can
>>>>>>>         do this already? And this doesn't seem to do anything
>>>>>>>         different (apart from syntax changes)?
>>>>>>>
>>>>>>>          -- Justin
>>>>>>>
>>>>>>>         On Jul 29, 2013, at 4:14 AM, Phil Hunt
>>>>>>>         <phil.hunt@oracle.com <mailto:phil.hunt@oracle.com>> wrote:
>>>>>>>
>>>>>>>>         FYI.  I have been noticing a substantial number of
>>>>>>>>         sites acting as OAuth Clients using OAuth to
>>>>>>>>         authenticate users.
>>>>>>>>
>>>>>>>>         I know several of us have blogged on the issue over the
>>>>>>>>         past year so I won't re-hash it here.  In short, many
>>>>>>>>         of us recommended OIDC as the correct methodology.
>>>>>>>>
>>>>>>>>         Never-the-less, I've spoken with a number of service
>>>>>>>>         providers who indicate they are not ready to make the
>>>>>>>>         jump to OIDC, yet they agree there is a desire to
>>>>>>>>         support authentication only (where as OIDC does
>>>>>>>>         IDP-like services).
>>>>>>>>
>>>>>>>>         This draft is intended as a minimum authentication only
>>>>>>>>         specification.  I've tried to make it as compatible as
>>>>>>>>         possible with OIDC.
>>>>>>>>
>>>>>>>>         For now, I've just posted to keep track of the issue so
>>>>>>>>         we can address at the next re-chartering.
>>>>>>>>
>>>>>>>>         Happy to answer questions and discuss.
>>>>>>>>
>>>>>>>>         Phil
>>>>>>>>
>>>>>>>>         @independentid
>>>>>>>>         www.independentid.com <http://www.independentid.com/>
>>>>>>>>         phil.hunt@oracle.com <mailto:phil.hunt@oracle.com>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>         Begin forwarded message:
>>>>>>>>
>>>>>>>>>         *From: *internet-drafts@ietf.org
>>>>>>>>>         <mailto:internet-drafts@ietf.org>
>>>>>>>>>         *Subject: **New Version Notification for
>>>>>>>>>         draft-hunt-oauth-v2-user-a4c-00.txt*
>>>>>>>>>         *Date: *29 July, 2013 9:49:41 AM GMT+02:00
>>>>>>>>>         *To: *Phil Hunt <phil.hunt@yahoo.com
>>>>>>>>>         <mailto:phil.hunt@yahoo.com>>, Phil Hunt
>>>>>>>>>         <None@ietfa.amsl.com <mailto:None@ietfa.amsl.com>>,
>>>>>>>>>         Phil Hunt <>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>         A new version of I-D, draft-hunt-oauth-v2-user-a4c-00.txt
>>>>>>>>>         has been successfully submitted by Phil Hunt and
>>>>>>>>>         posted to the
>>>>>>>>>         IETF repository.
>>>>>>>>>
>>>>>>>>>         Filename:draft-hunt-oauth-v2-user-a4c
>>>>>>>>>         Revision:00
>>>>>>>>>         Title:OAuth 2.0 User Authentication For Client
>>>>>>>>>         Creation date:2013-07-29
>>>>>>>>>         Group:Individual Submission
>>>>>>>>>         Number of pages: 9
>>>>>>>>>         URL:
>>>>>>>>>         http://www.ietf.org/internet-drafts/draft-hunt-oauth-v2-user-a4c-00.txt
>>>>>>>>>         Status:
>>>>>>>>>         http://datatracker.ietf.org/doc/draft-hunt-oauth-v2-user-a4c
>>>>>>>>>         Htmlized:
>>>>>>>>>         http://tools.ietf.org/html/draft-hunt-oauth-v2-user-a4c-00
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>         Abstract:
>>>>>>>>>           This specification defines a new OAuth2 endpoint
>>>>>>>>>         that enables user
>>>>>>>>>           authentication session information to be shared with
>>>>>>>>>         client
>>>>>>>>>           applications.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>         Please note that it may take a couple of minutes from
>>>>>>>>>         the time of submission
>>>>>>>>>         until the htmlized version and diff are available at
>>>>>>>>>         tools.ietf.org <http://tools.ietf.org/>.
>>>>>>>>>
>>>>>>>>>         The IETF Secretariat
>>>>>>>>>
>>>>>>>>
>>>>>>>>         _______________________________________________
>>>>>>>>         OAuth mailing list
>>>>>>>>         OAuth@ietf.org <mailto:OAuth@ietf.org>
>>>>>>>>         https://www.ietf.org/mailman/listinfo/oauth
>>>>>>>
>>>>>
>>>         _______________________________________________
>>>         OAuth mailing list
>>>         OAuth@ietf.org <mailto:OAuth@ietf.org>
>>>         https://www.ietf.org/mailman/listinfo/oauth
>>
>>
>>         _______________________________________________
>>         OAuth mailing list
>>         OAuth@ietf.org <mailto:OAuth@ietf.org>
>>         https://www.ietf.org/mailman/listinfo/oauth
>>
>>
>>
>>
>>     -- 
>>     Nat Sakimura (=nat)
>>     Chairman, OpenID Foundation
>>     http://nat.sakimura.org/
>>     @_nat_en
>>
>>
>>     _______________________________________________
>>     OAuth mailing list
>>     OAuth@ietf.org  <mailto:OAuth@ietf.org>
>>     https://www.ietf.org/mailman/listinfo/oauth
>
>
>
>
> -- 
> Nat Sakimura (=nat)
> Chairman, OpenID Foundation
> http://nat.sakimura.org/
> @_nat_en

v2.23.0 | Report a Bug | By Email