Re: [OAUTH-WG] Comments on draft-richer-oauth-introspection-04

Thomas Broyer <t.broyer@gmail.com> Thu, 24 October 2013 00:36 UTC

From: Thomas Broyer <t.broyer@gmail.com>
Date: Thu, 24 Oct 2013 02:35:49 +0200
Message-ID: <CAEayHEOcBZyYX=H4MHu-XY_1K-HHGCmRRU9=rn3JPKwn-H3FeQ@mail.gmail.com>
To: Eve Maler <eve@xmlgrrl.com>
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] Comments on draft-richer-oauth-introspection-04

On Wed, Oct 23, 2013 at 8:37 PM, Eve Maler <eve@xmlgrrl.com> wrote:

> Hi Thomas-- You may want to take a look at UMA, which leverages both OAuth
> and Justin's token introspection draft. Token introspection on its own is a
> "shallow" kind of loose coupling between authorization servers and resource
> servers. If these are operated by different organizations, as appears to be
> the case for you, then "deep" loose coupling may be needed to answer
> questions about how the AS and RS onboard and establish trust with each
> other. UMA provides one set of answers for how to do this. You can find
> more info at http://tinyurl.com/umawg.
>

There are interesting concepts in UMA. In our case though, AS, PR and
Clients are all operated by different organizations, but we do have "strong
coupling" between them (a central registry of PRs and Clients). Thanks
anyway.