Re: [OAUTH-WG] Confirmation: Call for Adoption of "OAuth Token Introspection" as an OAuth Working Group Item

Thomas Broyer <t.broyer@gmail.com> Wed, 30 July 2014 00:42 UTC

Decoding a token with a specific format wouldn't tell you whether the token
is still live: it could have been revoked before its expiration.

On 30 Jul 2014 02:16, "Mike Jones" <Michael.Jones@microsoft.com> wrote:

> Did you consider standardizing the access token format within that
> deployment so all the parties that needed to could understand it, rather
> than requiring an extra round trip to an introspection endpoint so as to be
> able to understand things about it?
>
>
>
> I realize that might or might not be practical in some cases, but I
> haven’t heard that alternative discussed, so I thought I’d bring it up.
>
>
>
> I also second Phil’s comment that it would be good to understand the use
> cases that this is intended to solve before embarking on a particular
> solution path.
>
>
>
>                                                             -- Mike
>
>
>
> *From:* OAuth [mailto:oauth-bounces@ietf.org] *On Behalf Of *George
> Fletcher
> *Sent:* Tuesday, July 29, 2014 3:25 PM
> *To:* Phil Hunt; Thomas Broyer
> *Cc:* oauth@ietf.org
> *Subject:* Re: [OAUTH-WG] Confirmation: Call for Adoption of "OAuth Token
> Introspection" as an OAuth Working Group Item
>
>
>
> We also have a use case where the AS is provided by a partner and the RS
> is provided by AOL. Being able to have a standardized way of validating and
> getting data about the token from the AS would make our implementation much
> simpler as we can use the same mechanism for all Authorization Servers and
> not have to implement one off solutions for each AS.
>
> Thanks,
> George
>
> On 7/28/14, 8:11 PM, Phil Hunt wrote:
>
>  Could we have some discussion on the interop cases?
>
>
>
> Is it driven by scenarios where AS and resource are separate domains? Or
> may this be only of interest to specific protocols like UMA?
>
>
>
> From a technique principle, the draft is important and sound. I am just
> not there yet on the reasons for an interoperable standard.
>
>
>
> Phil
>
>
> On Jul 28, 2014, at 17:00, Thomas Broyer <t.broyer@gmail.com> wrote:
>
>  Yes. This spec is of special interest to the platform we're building for
> http://www.oasis-eu.org/
>
>
>
> On Mon, Jul 28, 2014 at 7:33 PM, Hannes Tschofenig <
> hannes.tschofenig@gmx.net> wrote:
>
> Hi all,
>
> during the IETF #90 OAuth WG meeting, there was strong consensus in
> adopting the "OAuth Token Introspection"
> (draft-richer-oauth-introspection-06.txt) specification as an OAuth WG
> work item.
>
> We would now like to verify the outcome of this call for adoption on the
> OAuth WG mailing list. Here is the link to the document:
> http://datatracker.ietf.org/doc/draft-richer-oauth-introspection/
>
> If you did not hum at the IETF 90 OAuth WG meeting, and have an opinion
> as to the suitability of adopting this document as a WG work item,
> please send mail to the OAuth WG list indicating your opinion (Yes/No).
>
> The confirmation call for adoption will last until August 10, 2014.  If
> you have issues/edits/comments on the document, please send these
> comments along to the list in your response to this Call for Adoption.
>
> Ciao
> Hannes & Derek
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
>
>
>
>
> --
> Thomas Broyer
> /tɔ.ma.bʁwa.je/
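The point made at the top of this message, as an added example (not code from the thread or from the draft): a resource server that only decodes a self-contained token accepts one that the authorization server has already revoked, while asking the AS reports it inactive. The HMAC token format, the shared key and all names are constructed for illustration; the `active` field follows the response shape later published in RFC 7662.

```python
import base64, hashlib, hmac, json

KEY = b"constructed-demo-key"  # constructed key shared by the toy AS and RS

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(body: str) -> str:
    return _b64(hmac.new(KEY, body.encode(), hashlib.sha256).digest())

def decode_locally(token: str, now: int):
    """RS-side check using only the token itself: signature and expiry."""
    try:
        body, sig = token.split(".")
        if not hmac.compare_digest(sig.encode(), _sign(body).encode()):
            return None
        claims = json.loads(_unb64(body))
    except ValueError:
        return None
    return claims if claims.get("exp", 0) > now else None

class AuthorizationServer:
    """Toy AS: issues signed tokens and tracks the ones it has revoked."""
    def __init__(self):
        self.revoked = set()

    def issue(self, sub: str, exp: int) -> str:
        body = _b64(json.dumps({"sub": sub, "exp": exp}).encode())
        return body + "." + _sign(body)

    def revoke(self, token: str) -> None:
        self.revoked.add(token)

    def introspect(self, token: str, now: int) -> dict:
        # Same checks as the RS, plus state only the AS holds.
        claims = decode_locally(token, now)
        if claims is None or token in self.revoked:
            return {"active": False}
        return {"active": True, **claims}

def demo():
    server = AuthorizationServer()
    token = server.issue("alice", exp=2000)
    server.revoke(token)  # revoked well before its expiry
    # Local decoding still accepts the token; introspection does not.
    return decode_locally(token, now=1000), server.introspect(token, now=1000)
```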