Re: [OAUTH-WG] Confirmation: Call for Adoption of "OAuth 2.0 Token Exchange" as an OAuth Working Group Item
Brian Campbell <bcampbell@pingidentity.com> Mon, 11 August 2014 14:42 UTC
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Mon, 11 Aug 2014 08:42:20 -0600
Message-ID: <CA+k3eCSWx1mr-PajhRxvtAYUcuPS+uk5DZkHF8i7RtCWkQW6Zg@mail.gmail.com>
To: Mike Jones <Michael.Jones@microsoft.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/j37veqNUiuIq-i2UKzLBn8imIok
Cc: "oauth-chairs@tools.ietf.org" <oauth-chairs@tools.ietf.org>, "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Confirmation: Call for Adoption of "OAuth 2.0 Token Exchange" as an OAuth Working Group Item
I'd be okay with that as a way forward. Frankly, of course, I'd prefer to see draft-campbell-oauth-sts as the starting point with Mike and the other draft-jones-oauth-token-exchange authors added as co-authors. Regardless, there are elements from both that likely need to end up in the final work, so a consolidation of authors and concepts makes sense.

And yes, there are lots of details that the working group will need to decide on going forward that we shouldn't get hung up on right now. Though I believe that deciding if the token endpoint is used for general token exchange is an important philosophical question that should be answered first. If the token endpoint is to be used, I strongly believe that this token exchange should leverage and work within the constructs provided and defined by OAuth. That's the direction I took with draft-campbell-oauth-sts, and yes, that involves overloading the access_token response parameter with something that's not always strictly an access token. The existing token endpoint request/response are already rather close to what one might expect in an STS type exchange. I find there's a nice elegant simplicity to it, but I also see where that discomfort might come from.

If there's consensus to not use/overload the existing stuff, I think it'd be much more appropriate to define a new endpoint. A lot of syntactic stuff likely falls out from that decision.