Re: [OAUTH-WG] Variant of Web Server Flow w/o direct communication
Torsten Lodderstedt <torsten@lodderstedt.net> Sat, 24 April 2010 07:07 UTC
Return-Path: <torsten@lodderstedt.net>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 80C0C3A68E1 for <oauth@core3.amsl.com>; Sat, 24 Apr 2010 00:07:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.731
X-Spam-Level:
X-Spam-Status: No, score=-0.731 tagged_above=-999 required=5 tests=[AWL=-1.082, BAYES_50=0.001, HELO_EQ_DE=0.35]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id woghTMOToJcA for <oauth@core3.amsl.com>; Sat, 24 Apr 2010 00:07:41 -0700 (PDT)
Received: from smtprelay03.ispgateway.de (smtprelay03.ispgateway.de [80.67.29.28]) by core3.amsl.com (Postfix) with ESMTP id 448213A68D4 for <oauth@ietf.org>; Sat, 24 Apr 2010 00:07:40 -0700 (PDT)
Received: from p4fff2b78.dip.t-dialin.net ([79.255.43.120] helo=[127.0.0.1]) by smtprelay03.ispgateway.de with esmtpa (Exim 4.68) (envelope-from <torsten@lodderstedt.net>) id 1O5ZSa-0007M2-DT; Sat, 24 Apr 2010 09:07:28 +0200
Message-ID: <4BD298AC.1030409@lodderstedt.net>
Date: Sat, 24 Apr 2010 09:07:24 +0200
From: Torsten Lodderstedt <torsten@lodderstedt.net>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; de; rv:1.9.1.9) Gecko/20100317 Thunderbird/3.0.4
MIME-Version: 1.0
To: Marius Scurtescu <mscurtescu@google.com>
References: <4BCE071E.5030008@lodderstedt.net> <v2g74caaad21004201319i83a523e2s8d0ae1b829b90506@mail.gmail.com>
In-Reply-To: <v2g74caaad21004201319i83a523e2s8d0ae1b829b90506@mail.gmail.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Df-Sender: 141509
Cc: "OAuth WG (oauth@ietf.org)" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Variant of Web Server Flow w/o direct communication
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 24 Apr 2010 07:07:42 -0000
Am 20.04.2010 22:19, schrieb Marius Scurtescu: > On Tue, Apr 20, 2010 at 12:57 PM, Torsten Lodderstedt > <torsten@lodderstedt.net> wrote: > >> As a major advantage the authorization server can be stateless with respect >> to authorization transaction data because there is no need to hold such data >> until the client obtains the tokens from the authorization server (callback, >> client, verification code, identity and so on). This simplifies the >> cluster/loadbalancing/fail-over architecture of the authorization server. >> > If making the authz server stateless is the major goal, you can > probably achieve that by encoding and encrypting all relevant data in > the verification code and set a short lifetime on it. Would that work? > This would work if the goal is stateless design only. I would also like to save the second call. Since the protocol prescribes a second request to exchange the verification code into the tokens, libraries will perform this call. > > >> Moreover, the load on the authz server should be reduced and the client >> saves the roundtrip time of the second call. This is even more important if >> clients extensively use the new "immediate" parameter to implement a SSO >> alike behavior and use this flow very often. >> > True, there is a small gain here, but on the other hand you don't have > do deal with crypto. > Assessment of the gain might depend on the point of view. My point of view is the authorization server operator and the expected absolut request volume. I think a client can use OAuth in two ways. (1) The client performs the authorization process, obtains and stores the long-living refresh token. Within a user session, this client retrieves the refresh token from its database, acquires a corresponding access token and access the service. (2) The client does not store the refresh token. Instead in every client session, it initiates the OAuth authorization process again. The Authorization server authenticates the user, probably with SSO experience, and responds with the already existing refresh tokens and a new access token. (1) has the characteristics of a setup process and will probably performed a few times per user over a long period. Let's assume a user base of 10 million users, where every user access 3 application/day. Tokens are valid for 1 year and application setup is uniformly distributed over the year. This ((10 million users * 3 apps) / 365 days) makes roughly 100 thousand authorization requests per day + 30 million refresh token requests. (2) in contrast, this variant has the characteristics of a SSO solution. This would result in 60 million requests per day (10.000.000*2*3), instead. So variant (2) would double the load, which in the first place is a cost driver. My proposal will cut (2) down to 30 million requests. Please correct me if I'm wrong. Yes, you have to deal with crypto in order to implement my proposal. A lot of people seam to have problems with it, but others not. I mean cryptography is the foundation of reliable security. Yes it makes implementing applications harder, but sometimes you cannot circumvent it in order to achieve a protection or other goal (e.g. scalability, fault-tolerance, performance). Kerberos has shown sucessfully how to trade crypto for incredible performance and scalability. My proposal is intended as an variant of the flow, deployments are free to choose. I think most of them will use the simpler approch, but why not offering an option for the rest that is standard compliant, too? Without standard approval, there will no support in libraries, which make implementation even harder :-( regards, Torsten. > Marius >
- Re: [OAUTH-WG] Variant of Web Server Flow w/o dir… Marius Scurtescu
- [OAUTH-WG] Variant of Web Server Flow w/o direct … Torsten Lodderstedt
- Re: [OAUTH-WG] Variant of Web Server Flow w/o dir… Evan Gilbert
- Re: [OAUTH-WG] Variant of Web Server Flow w/o dir… Torsten Lodderstedt
- Re: [OAUTH-WG] Variant of Web Server Flow w/o dir… Evan Gilbert
- Re: [OAUTH-WG] Variant of Web Server Flow w/o dir… Torsten Lodderstedt
- Re: [OAUTH-WG] Variant of Web Server Flow w/o dir… Evan Gilbert
- Re: [OAUTH-WG] Variant of Web Server Flow w/o dir… Torsten Lodderstedt
- Re: [OAUTH-WG] Variant of Web Server Flow w/o dir… Torsten Lodderstedt