Re: [OAUTH-WG] Confirmation: Call for Adoption of "OAuth 2.0 Token Exchange" as an OAuth Working Group Item

Brian Campbell, Mon, 11 August 2014 14:42 UTC

To: Mike Jones

I'd be okay with that as a way forward. Frankly, of course, I'd prefer to
see draft-campbell-oauth-sts as the starting point with Mike and the other
draft-jones-oauth-token-exchange authors added as co-authors. Regardless,
there are elements from both that likely need to end up in the final work
so a consolidation of authors and concepts makes sense.

And yes, there are lots of details that the working group will need to
decide on going forward that we shouldn't get hung up on right now. Though
I believe that deciding if the token endpoint is used for general token
exchange is an important philosophical question that should be answered
first. If the token endpoint is to be used, I strongly belie that this
token exchange should leverage and work within the constructs provided and
defined by OAuth. That's the direction I took with draft-campbell-oauth-sts
and yes that involves overloading the access_token response parameter with
something that's not always strictly an access token. The existing token
endpoint request/response are already rather close to what one might expect
in an STS type exchange. I find there's a nice elegant simplicity to it but
I also see where that discomfort might come from. If there's consensus to
not use/overload the existing stuff, I think it'd be much more appropriate
to define a new endpoint. A lot of syntactic stuff likely falls out from
that decision.