Re: [OAUTH-WG] First draft of OAuth 2.0

Chuck Mortimore <cmortimore@salesforce.com> Tue, 23 March 2010 19:05 UTC

From: Chuck Mortimore <cmortimore@salesforce.com>
To: David Recordon <recordond@gmail.com>, Torsten Lodderstedt <torsten@lodderstedt.net>, Mark Mcgloin <mark.mcgloin@ie.ibm.com>
Date: Tue, 23 Mar 2010 12:05:23 -0700
Message-ID: <C7CE5F03.28E6%cmortimore@salesforce.com>
In-Reply-To: <fd6741651003231047s419db471x98098a2e46aab168@mail.gmail.com>
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] First draft of OAuth 2.0

No worries - I figured it would be easier to push for its inclusion if the work were minimal.

We will definitely need to implement this style of profile, as will many others, so it's essential it ends in some spec.   Personally I'd rather see a relatively thin spec that includes the critical profiles, rather than core + profile + bindings + etc. like SAML.   However I'm open to any approach that gets the profile included.

I'd be happy to be listed as an author, but it's more important that whomever authored the original assertion profile get listed/credit.   Not sure if that was Dick or one of the other authors...perhaps they can chime in.

-cmort



On 3/23/10 10:47 AM, "David Recordon" <recordond@gmail.com> wrote:

Hey Chuck,
Thanks for rewriting the SAML flow into the style of my draft!  I
really appreciate it.

I originally dropped the SAML flow because I hadn't seen support for
it on the mailing list(s) the past two months.  I think that our
default should be making the spec as short and simple as possible so
removed a few things from WRAP in order to start conversations like
this one.  It's now clear that Google, Microsoft, Salesforce, and IBM
all need the SAML profile.  Chuck, I'll merge your wording in.  Want
to be listed as an author?

We're also going to need to figure out which flows should be in the
core spec versus which should be developed at the same time but in
individual documents.

Thanks,
--David

On Tue, Mar 23, 2010 at 4:50 AM, Torsten Lodderstedt
<torsten@lodderstedt.net> wrote:
> +1 for assertion support
>
> what about enhancing the flow #2.4 to accept any kind of user credentials
> (username/password, SAML assertions, other authz servers tokens)
>
> regards,
> Torsten.
>
> Am 23.03.2010 um 12:42 schrieb Mark Mcgloin <mark.mcgloin@ie.ibm.com>:
>
>> +1 for assertion profile. Was there any reason why it was dropped?
>>
>> On 3/23/10, Chuck Mortimore wrote:
>>>
>>> Just getting a chance to review this - I apologize for not getting this
>>> before the meeting started.
>>>
>>> We'd like to see some form of an Assertion Profile, similar to section 5.2
>>> from draft-hardt-oauth-01.   We have strong customer use-cases for an
>>> assertion based flow, specifically SAML bearer tokens, and I believe
>>> Microsoft may have already shipped a minor variation on this ( wrap_SAML )
>>> in Azure.
>>
>>
>>
>> Mark McGloin
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>
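The assertion-based flow this thread asks for (a client presenting a SAML bearer assertion to the authorization server's token endpoint in exchange for an access token), shown as an added example that is not part of any message above nor of draft-hardt-oauth-01 or any later OAuth draft. The form field names (grant_type, assertion, assertion_signature), the issuer trust store and the token endpoint URL are assumptions, and XML-DSig verification is replaced by an HMAC over the raw assertion bytes so the example runs with only the Python standard library; the point is the server-side checks (trusted issuer, signature before anything else, bearer confirmation, validity window with clock skew, audience, one-time use) that turn an assertion into a token safely.

```python
"""Token endpoint for an assertion grant: the checks an authorization
server makes on a SAML bearer assertion before issuing an access token.

Added illustration; not code from the OAuth WG thread or any OAuth draft.
Assumptions: the form field names, the issuer trust store, the audience
value, and an HMAC over the raw assertion bytes standing in for XML-DSig.
"""
import base64
import hashlib
import hmac
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML}
BEARER_METHOD = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
TOKEN_ENDPOINT = "https://as.example.com/token"                    # assumed audience
ISSUER_KEYS = {"https://idp.example.com": b"constructed-idp-secret"}  # assumed trust store
CLOCK_SKEW = 60          # seconds of tolerated drift between IdP and AS clocks
_seen_ids: set = set()   # replay cache; a shared store in a real deployment


class InvalidAssertion(Exception):
    pass


def _saml_time(epoch: int) -> str:
    return datetime.fromtimestamp(epoch, timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def _epoch(saml_time: str) -> int:
    dt = datetime.strptime(saml_time, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return int(dt.timestamp())


def make_grant_request(issuer, subject, audience, not_before, not_on_or_after, assertion_id):
    """Constructed client side: a minimal SAML 2.0 bearer assertion plus a
    detached HMAC (stand-in for XML-DSig), base64url-encoded into the
    assumed form fields of a token request."""
    xml = (
        f'<saml:Assertion xmlns:saml="{SAML}" ID="{assertion_id}" Version="2.0" '
        f'IssueInstant="{_saml_time(not_before)}">'
        f"<saml:Issuer>{issuer}</saml:Issuer>"
        f"<saml:Subject><saml:NameID>{subject}</saml:NameID>"
        f'<saml:SubjectConfirmation Method="{BEARER_METHOD}"/></saml:Subject>'
        f'<saml:Conditions NotBefore="{_saml_time(not_before)}" '
        f'NotOnOrAfter="{_saml_time(not_on_or_after)}">'
        f"<saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience>"
        f"</saml:AudienceRestriction></saml:Conditions></saml:Assertion>"
    ).encode()
    sig = hmac.new(ISSUER_KEYS[issuer], xml, hashlib.sha256).digest()
    return {
        "grant_type": "saml-bearer",
        "assertion": base64.urlsafe_b64encode(xml).decode(),
        "assertion_signature": base64.urlsafe_b64encode(sig).decode(),
    }


def token_endpoint(form: dict, now: int) -> dict:
    """Server side. Each failed check raises InvalidAssertion. Order matters:
    the key is chosen by issuer and the signature verified before any
    content is trusted, and the replay cache is updated only once every
    other check has passed."""
    try:
        raw = base64.urlsafe_b64decode(form["assertion"])
        sig = base64.urlsafe_b64decode(form["assertion_signature"])
        root = ET.fromstring(raw)   # ElementTree does not resolve external entities
    except (KeyError, ValueError, ET.ParseError) as exc:
        raise InvalidAssertion(f"malformed request: {exc}")
    if root.tag != f"{{{SAML}}}Assertion":
        raise InvalidAssertion("not a SAML 2.0 Assertion")
    key = ISSUER_KEYS.get(root.findtext("saml:Issuer", namespaces=NS))
    if key is None:
        raise InvalidAssertion("untrusted issuer")
    if not hmac.compare_digest(hmac.new(key, raw, hashlib.sha256).digest(), sig):
        raise InvalidAssertion("bad signature")
    conf = root.find("saml:Subject/saml:SubjectConfirmation", NS)
    if conf is None or conf.get("Method") != BEARER_METHOD:
        raise InvalidAssertion("subject confirmation is not bearer")
    cond = root.find("saml:Conditions", NS)
    if cond is None or not cond.get("NotBefore") or not cond.get("NotOnOrAfter"):
        raise InvalidAssertion("missing validity window")
    if now < _epoch(cond.get("NotBefore")) - CLOCK_SKEW:
        raise InvalidAssertion("assertion not yet valid")
    if now >= _epoch(cond.get("NotOnOrAfter")) + CLOCK_SKEW:
        raise InvalidAssertion("assertion expired")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if TOKEN_ENDPOINT not in audiences:
        raise InvalidAssertion("assertion not addressed to this token endpoint")
    assertion_id = root.get("ID")
    if not assertion_id or assertion_id in _seen_ids:
        raise InvalidAssertion("assertion replayed")
    _seen_ids.add(assertion_id)
    return {
        "access_token": secrets.token_urlsafe(32),
        "token_type": "bearer",
        "expires_in": 3600,
        "subject": root.findtext("saml:Subject/saml:NameID", namespaces=NS),
    }


def grant_outcome(form: dict, now: int) -> str:
    """Convenience wrapper: 'ok' on success, otherwise the rejection reason."""
    try:
        token_endpoint(form, now)
        return "ok"
    except InvalidAssertion as exc:
        return str(exc)
```

Two design points worth keeping when swapping the HMAC for real XML signature verification: the audience check is what stops an assertion minted for one service from being replayed at another token endpoint, and the ID cache is what makes a bearer assertion single-use, so both belong in the server regardless of how the signature is verified.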