Re: [OAUTH-WG] Confirmation: Call for Adoption of "OAuth Token Introspection" as an OAuth Working Group Item
Brian Campbell <bcampbell@pingidentity.com> Wed, 30 July 2014 20:24 UTC
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Wed, 30 Jul 2014 14:24:17 -0600
Message-ID: <CA+k3eCRuCZRBranr3nOi4Np6Yy6nLBmx8cBTZgbd0_S9KOSkEA@mail.gmail.com>
To: John Bradley <ve7jtb@ve7jtb.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/jH6RLnXA0V2z6RVDxmDty9Yxwlc
Cc: "oauth@ietf.org" <oauth@ietf.org>

Will the minutes of the meeting be made available? Those might provide a
little more context to those of us who were unable to attend.

On Wed, Jul 30, 2014 at 10:14 AM, John Bradley <ve7jtb@ve7jtb.com> wrote:
> Interesting point. I defer to your greater hum experience:)
>
> On Jul 30, 2014, at 10:32 AM, Anthony Nadalin <tonynad@microsoft.com> wrote:
>
> John this is for the people that did not hum at the face to face and not
> just for the people not at the face to face.
>
> Sent from my Windows Phone
> ________________________________
> From: John Bradley
> Sent: 7/30/2014 7:20 AM
> To: Sergey Beryozkin
> Cc: oauth@ietf.org
> Subject: Re: [OAUTH-WG] Confirmation: Call for Adoption of "OAuth Token
> Introspection" as an OAuth Working Group Item
>
> No worries.
>
> Some of the people in the F2F piling on with discussion derailed Hannes'
> original question.
>> during the IETF #90 OAuth WG meeting, there was strong consensus in
>> adopting the "OAuth Token Introspection"
>> (draft-richer-oauth-introspection-06.txt) specification as an OAuth WG
>> work item.
>>
>> We would now like to verify the outcome of this call for adoption on the
>> OAuth WG mailing list. Here is the link to the document:
>> http://datatracker.ietf.org/doc/draft-richer-oauth-introspection/
>>
>> If you did not hum at the IETF 90 OAuth WG meeting, and have an opinion
>> as to the suitability of adopting this document as a WG work item,
>> please send mail to the OAuth WG list indicating your opinion (Yes/No).
>>
>> The confirmation call for adoption will last until August 10, 2014. If
>> you have issues/edits/comments on the document, please send these
>> comments along to the list in your response to this Call for Adoption.
>
> People not in the room commenting and asking questions is expected. People
> who expressed opinions in the room should avoid double counting by making it
> clear they hummed in the room, as our AD may not know everyone's face and
> name.
>
> I don't know how I became the process monitor. Normally I am the trouble
> maker.
>
> I believe what passed for consensus in the room was that this work is in
> scope for the WG and this document can serve as a starting point, but that
> there are things that need to be added.
>
> I think Phil would like a use case document to flesh out people's
> understanding. Others who have been working on this longer are hesitant
> that doing a use case document without adopting Justin's document as a
> starting point, will stall the process.
>
> We can however adopt Justin's doc and in parallel add a use case section as
> part of the doc or as a separate doc.
>
> So if you were not in the F2F hum you need to express an opinion on if
> draft-richer-oauth-introspection-06.txt should be adopted by the WG item.
>
> John B.
> (PS I was in the room and hummed in favour of adopting this as a work item)
>
> On Jul 30, 2014, at 8:05 AM, Sergey Beryozkin <sberyozkin@gmail.com> wrote:
>
>> Hi John
>> On 30/07/14 14:59, John Bradley wrote:
>>> No, that those of us who were following the instructions not to comment
>>> if our hum was recorded in the room, should not hold back given the nature
>>> of the thread has changed.
>>>
>>> It was also an indication to the chair that the original intent of the
>>> thread to judge consensus is impacted by some people who previously hummed
>>> piling on the thread.
>>>
>> I think I understand, thanks for the clarifications, though it appears to
>> be more subtle to me than various OAuth2 technical ambiguities :-)
>>> I am more than fine with discussion. It probably should have been a
>>> different thread though.
>>>
>> Thanks, sorry for the noise anyway
>>
>> Sergey
>>> John B.
>>> Sent from my iPhone
>>>
>>>> On Jul 30, 2014, at 7:51 AM, Sergey Beryozkin <sberyozkin@gmail.com>
>>>> wrote:
>>>>
>>>>> On 30/07/14 14:42, John Bradley wrote:
>>>>> This request for only those not at the F2F to add to the hum has gone a
>>>>> bit off the rails.
>>>> Meaning you see too much feedback, is it bad, even if some of it may be
>>>> off topic?
>>>>> For those not in the room there was discussion that the draft needed a
>>>>> method to deal with:
>>>>> - Multiple AS
>>>>> - Supporting the PoP specs
>>>>> - stopping clients or other interceptors of the token from
>>>>>   introspecting it.
>>>>>
>>>>> Justin stated that his implementation already had a number of those
>>>>> features.
>>>>>
>>>>> I offered to help get those into the spec as part of my support for
>>>>> making this a WG item.
>>>>>
>>>>> Yes if AS and RS are monolithic and there is only one software vendor,
>>>>> then this is not needed.
>>>> Why not? What is wrong with standardizing an introspection process
>>>> which even RS & AS from the same vendor may want to use as opposed to every
>>>> vendor inventing its own protocol?
>>>>
>>>> This is why I thought focusing on the RS to 3rd party only diverts from
>>>> the idea which I 'read' in the thread (maybe I'm wrong), i.e., standardizing
>>>> on the RS-to-AS communication, which may not have been considered,
>>>>
>>>> Cheers, Sergey
>>>>
>>>>>
>>>>> On the other hand there is evidence that is not the case.
>>>>>
>>>>> John B.
>>>>>
>>>>>
>>>>> Sent from my iPad
>>>>>
>>>>>> On Jul 30, 2014, at 3:45 AM, Sergey Beryozkin <sberyozkin@gmail.com>
>>>>>> wrote:
>>>>>>
>>>>>> +1.
>>>>>>
>>>>>> I've understood from what Justin said the idea is to introduce a
>>>>>> standard way for RS to communicate to AS about the tokens issued by the AS.
>>>>>> I think it is a good idea, I'd only not focus on the RS-to-3rd party AS
>>>>>> communications because it complicates it a bit.
>>>>>>
>>>>>> Clearly it would be of help to implementers of OAuth2 filters
>>>>>> protecting RS, having a new lengthy process to collect the cases seems to be
>>>>>> a very administrative idea to me
>>>>>>
>>>>>> Thanks, Sergey
>>>>>>
>>>>>>> On 30/07/14 03:54, Phil Hunt wrote:
>>>>>>> -100
>>>>>>>
>>>>>>> Phil
>>>>>>>
>>>>>>> On Jul 29, 2014, at 17:52, Justin Richer <jricher@mit.edu> wrote:
>>>>>>>
>>>>>>>> Reading through this thread, it appears very clear to me that the use
>>>>>>>> cases are very well established by a number of existing implementers
>>>>>>>> who want to work together to build a common standard. I see no reason
>>>>>>>> to delay the work artificially by creating a use case document when
>>>>>>>> such a vast array of understanding and interest already exists. Any
>>>>>>>> use cases and explanations of applications are welcome to be added to
>>>>>>>> the working group draft as it progresses.
>>>>>>>>
>>>>>>>> -- Justin
>>>>>>>>
>>>>>>>>
>>>>>>>>> On 7/29/2014 8:16 PM, Mike Jones wrote:
>>>>>>>>>
>>>>>>>>> Did you consider standardizing the access token format within that
>>>>>>>>> deployment so all the parties that needed to could understand it,
>>>>>>>>> rather than requiring an extra round trip to an introspection endpoint
>>>>>>>>> so as to be able to understand things about it?
>>>>>>>>>
>>>>>>>>> I realize that might or might not be practical in some cases, but I
>>>>>>>>> haven’t heard that alternative discussed, so I thought I’d bring it up.
>>>>>>>>>
>>>>>>>>> I also second Phil’s comment that it would be good to understand the
>>>>>>>>> use cases that this is intended to solve before embarking on a
>>>>>>>>> particular solution path.
>>>>>>>>>
>>>>>>>>> -- Mike
>>>>>>>>>
>>>>>>>>> *From:* OAuth [mailto:oauth-bounces@ietf.org] *On Behalf Of* George
>>>>>>>>> Fletcher
>>>>>>>>> *Sent:* Tuesday, July 29, 2014 3:25 PM
>>>>>>>>> *To:* Phil Hunt; Thomas Broyer
>>>>>>>>> *Cc:* oauth@ietf.org
>>>>>>>>> *Subject:* Re: [OAUTH-WG] Confirmation: Call for Adoption of "OAuth
>>>>>>>>> Token Introspection" as an OAuth Working Group Item
>>>>>>>>>
>>>>>>>>> We also have a use case where the AS is provided by a partner and the
>>>>>>>>> RS is provided by AOL. Being able to have a standardized way of
>>>>>>>>> validating and getting data about the token from the AS would make
>>>>>>>>> our implementation much simpler as we can use the same mechanism for
>>>>>>>>> all Authorization Servers and not have to implement one off solutions
>>>>>>>>> for each AS.
>>>>>>>>>
>>>>>>>>> Thanks,
>>>>>>>>> George
>>>>>>>>>
>>>>>>>>> On 7/28/14, 8:11 PM, Phil Hunt wrote:
>>>>>>>>>
>>>>>>>>> Could we have some discussion on the interop cases?
>>>>>>>>>
>>>>>>>>> Is it driven by scenarios where AS and resource are separate
>>>>>>>>> domains? Or may this be only of interest to specific protocols
>>>>>>>>> like UMA?
>>>>>>>>>
>>>>>>>>> From a technique principle, the draft is important and sound. I
>>>>>>>>> am just not there yet on the reasons for an interoperable
>>>>>>>>> standard.
>>>>>>>>>
>>>>>>>>> Phil
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On Jul 28, 2014, at 17:00, Thomas Broyer <t.broyer@gmail.com> wrote:
>>>>>>>>>
>>>>>>>>> Yes.
>>>>>>>>> This spec is of special interest to the platform we're
>>>>>>>>> building for http://www.oasis-eu.org/
>>>>>>>>>
>>>>>>>>> On Mon, Jul 28, 2014 at 7:33 PM, Hannes Tschofenig
>>>>>>>>> <hannes.tschofenig@gmx.net> wrote:
>>>>>>>>>
>>>>>>>>> Hi all,
>>>>>>>>>
>>>>>>>>> during the IETF #90 OAuth WG meeting, there was strong consensus in
>>>>>>>>> adopting the "OAuth Token Introspection"
>>>>>>>>> (draft-richer-oauth-introspection-06.txt) specification as an
>>>>>>>>> OAuth WG work item.
>>>>>>>>>
>>>>>>>>> We would now like to verify the outcome of this call for
>>>>>>>>> adoption on the OAuth WG mailing list. Here is the link to the
>>>>>>>>> document:
>>>>>>>>>
>>>>>>>>> http://datatracker.ietf.org/doc/draft-richer-oauth-introspection/
>>>>>>>>>
>>>>>>>>> If you did not hum at the IETF 90 OAuth WG meeting, and have
>>>>>>>>> an opinion as to the suitability of adopting this document as a
>>>>>>>>> WG work item, please send mail to the OAuth WG list indicating
>>>>>>>>> your opinion (Yes/No).
>>>>>>>>>
>>>>>>>>> The confirmation call for adoption will last until August 10,
>>>>>>>>> 2014. If you have issues/edits/comments on the document, please
>>>>>>>>> send these comments along to the list in your response to this
>>>>>>>>> Call for Adoption.
>>>>>>>>>
>>>>>>>>> Ciao
>>>>>>>>> Hannes & Derek
>>>>>>>>>
>>>>>>>>> _______________________________________________
>>>>>>>>> OAuth mailing list
>>>>>>>>> OAuth@ietf.org
>>>>>>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> Thomas Broyer
>>>>>>>>> /tɔ.ma.bʁwa.je/