Re: [OAUTH-WG] December 27, 2012 OAuth Release

John Bradley <ve7jtb@ve7jtb.com> Fri, 04 January 2013 23:44 UTC

From: John Bradley <ve7jtb@ve7jtb.com>
In-Reply-To: <1357339700.37914.YahooMailNeo@web31816.mail.mud.yahoo.com>
Date: Fri, 04 Jan 2013 20:44:26 -0300
Message-Id: <E7EF196D-1771-477E-932B-917A4A85D5A6@ve7jtb.com>
References: <4E1F6AAD24975D4BA5B1680429673943669B0A1E@TK5EX14MBXC283.redmond.corp.microsoft.com> <1356746794.51868.YahooMailNeo@web31807.mail.mud.yahoo.com> <4E1F6AAD24975D4BA5B1680429673943669FE2AD@TK5EX14MBXC283.redmond.corp.microsoft.com> <1357339700.37914.YahooMailNeo@web31816.mail.mud.yahoo.com>
To: William Mills <wmills_92105@yahoo.com>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] December 27, 2012 OAuth Release

If everything you want to sign can go in the JWT there is nothing to stop that. Otherwise you are back to coming up with a way of doing a detached signature and putting a hash in the JWT, like Connect is doing by putting a hash of the token in the id_token for the "token id_token" flow.

The hard part is figuring out what needs to be signed.

As for client-generated JWT, we already have the JWT assertion profile. Connect is using that as an option to authenticate to the token endpoint.

Would doing a similar thing but to the RS really work for you?

John B.

On 2013-01-04, at 7:48 PM, William Mills <wmills_92105@yahoo.com> wrote:

> It's the core problem I see MAC solving.  I'd be happy enough to define a JWT variant that does this if that's easier than MAC.  What do you think?
> 
> From: Mike Jones <Michael.Jones@microsoft.com>
> To: William Mills <wmills_92105@yahoo.com>; "oauth@ietf.org" <oauth@ietf.org> 
> Sent: Friday, January 4, 2013 2:35 PM
> Subject: RE: [OAUTH-WG] December 27, 2012 OAuth Release
> 
> There’s no generic OAuth way to do this.  There is a way to do it in OpenID Connect – see request_object_signing_alg, userinfo_signed_response_alg, and id_token_signed_response_alg in http://openid.net/specs/openid-connect-registration-1_0-13.html#anchor3 and userinfo_signing_alg_values_supported, id_token_signing_alg_values_supported, and request_object_signing_alg_values_supported in http://openid.net/specs/openid-connect-discovery-1_0-11.html#anchor9.
>  
> -- Mike
>  
> From: William Mills [mailto:wmills_92105@yahoo.com] 
> Sent: Friday, December 28, 2012 6:07 PM
> To: Mike Jones; oauth@ietf.org
> Subject: Re: [OAUTH-WG] December 27, 2012 OAuth Release
>  
> Mike,
>  
> I've read through the JWT spec and I'm curious about something.  How do I specify a signature requirement as the server?  I didn't see it but I probably just missed it.  I'm thinking that with very little work a JWT can do everything that MAC does with greater flexibility, *BUT* the server needs to be able to require a signed usage.  Something I never liked about OAuth 1.0 is that the server must support all valid signature types, even PLAINTEXT, so I want to be able to avoid that.
>  
> It would require the client to be able to include client generated stuff in the JWT.
>  
> Thanks,
>  
> -bill
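Two points in the thread above lend themselves to a concrete illustration: John's remark that something which cannot itself go into the JWT can still be bound to it by placing a hash of it in the signed JWT (the way Connect puts a hash of the access token into the id_token), and Bill's requirement that the server be able to insist on a signed token rather than accepting every algorithm a client chooses. The following is an added example written for this page, not code from the thread or from any OpenID/OAuth implementation. It uses HMAC (HS256) with a shared key for brevity rather than RS256, computes the binding hash using the same rule OpenID Connect uses for at_hash (digest chosen by the alg, left-most half, base64url), and enforces a server-side allow-list of algorithms so that "alg": "none" or any unlisted algorithm is rejected before the signature is even examined. The claim name at_hash, the key and the sample token values are constructed for the example.

```python
import base64
import hashlib
import hmac
import json

# Digest function that goes with each HMAC JWS algorithm we accept.
HASH_FOR_ALG = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}


def b64url(data: bytes) -> str:
    """base64url without padding, as JWS requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def token_hash(token: str, alg: str) -> str:
    """Detached binding hash in the style of OpenID Connect's at_hash:
    hash the ASCII token with the digest matching alg, keep the left-most half,
    base64url-encode the result. The opaque token itself never enters the JWT."""
    digest = HASH_FOR_ALG[alg](token.encode("ascii")).digest()
    return b64url(digest[: len(digest) // 2])


def sign_jwt(claims: dict, key: bytes, alg: str = "HS256") -> str:
    """Build a compact JWS over a JSON claims set (HMAC family only)."""
    header = {"alg": alg, "typ": "JWT"}
    signing_input = (
        b64url(json.dumps(header, separators=(",", ":")).encode("utf-8"))
        + "."
        + b64url(json.dumps(claims, separators=(",", ":")).encode("utf-8"))
    )
    mac = hmac.new(key, signing_input.encode("ascii"), HASH_FOR_ALG[alg]).digest()
    return signing_input + "." + b64url(mac)


def verify_jwt(token: str, key: bytes, allowed_algs: frozenset):
    """Server-side verification. The server, not the client, decides which
    algorithms are acceptable; anything else (including 'none') is refused
    before any signature check. Returns (header, claims)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    header = json.loads(b64url_decode(parts[0]))
    alg = header.get("alg")
    if alg not in allowed_algs:
        raise ValueError(f"alg {alg!r} not accepted by this server")
    signing_input = (parts[0] + "." + parts[1]).encode("ascii")
    expected = hmac.new(key, signing_input, HASH_FOR_ALG[alg]).digest()
    if not hmac.compare_digest(expected, b64url_decode(parts[2])):
        raise ValueError("bad signature")
    return header, json.loads(b64url_decode(parts[1]))


def verify_bound_token(id_token: str, access_token: str, key: bytes, allowed_algs: frozenset) -> dict:
    """Verify the signed JWT, then check that the separately presented opaque
    token is the one the JWT was issued alongside (hypothetical claim name at_hash)."""
    header, claims = verify_jwt(id_token, key, allowed_algs)
    if not hmac.compare_digest(claims.get("at_hash", ""), token_hash(access_token, header["alg"])):
        raise ValueError("access token does not match at_hash in the signed JWT")
    return claims


def is_accepted(token: str, key: bytes, allowed_algs: frozenset) -> bool:
    """Convenience wrapper returning True/False instead of raising."""
    try:
        verify_jwt(token, key, allowed_algs)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample values; a real deployment would use a random key.
    key = b"constructed-shared-secret"
    access_token = "SlAV32hkKG"  # opaque, not a JWT
    alg = "HS256"
    id_token = sign_jwt({"iss": "https://as.example", "sub": "alice", "at_hash": token_hash(access_token, alg)}, key, alg)
    print(verify_bound_token(id_token, access_token, key, frozenset({"HS256"})))
    # An unsigned token is refused regardless of its contents.
    unsigned = b64url(b'{"alg":"none"}') + "." + b64url(b'{"sub":"alice"}') + "."
    print("unsigned accepted:", is_accepted(unsigned, key, frozenset({"HS256"})))
```

The allow-list is the piece that answers Bill's OAuth 1.0 complaint: the set of acceptable algorithms is server policy, looked up before the header's alg is ever used to pick a digest, so a client cannot downgrade the check by naming a weaker or absent algorithm. The at_hash check is the detached-signature trick John describes: the access token stays outside the JWT, but a tampered or substituted token no longer matches the hash under the signature.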