Re: [OAUTH-WG] Confirmation: Call for Adoption of "OAuth Token Introspection" as an OAuth Working Group Item

Brian Campbell <bcampbell@pingidentity.com> Wed, 30 July 2014 20:24 UTC

From: Brian Campbell <bcampbell@pingidentity.com>
Date: Wed, 30 Jul 2014 14:24:17 -0600
Message-ID: <CA+k3eCRuCZRBranr3nOi4Np6Yy6nLBmx8cBTZgbd0_S9KOSkEA@mail.gmail.com>
To: John Bradley <ve7jtb@ve7jtb.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/jH6RLnXA0V2z6RVDxmDty9Yxwlc
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Confirmation: Call for Adoption of "OAuth Token Introspection" as an OAuth Working Group Item

Will the minutes of the meeting be made available? Those might provide
a little more context to those of us who were unable to attend.

On Wed, Jul 30, 2014 at 10:14 AM, John Bradley <ve7jtb@ve7jtb.com> wrote:
> Interesting point.  I defer to your greater hum experience:)
>
> On Jul 30, 2014, at 10:32 AM, Anthony Nadalin <tonynad@microsoft.com> wrote:
>
> John this is for the people that did not hum at the face to face and not
> just for the people not at the face to face.
>
> Sent from my Windows Phone
> ________________________________
> From: John Bradley
> Sent: 7/30/2014 7:20 AM
> To: Sergey Beryozkin
> Cc: oauth@ietf.org
> Subject: Re: [OAUTH-WG] Confirmation: Call for Adoption of "OAuth Token
> Introspection" as an OAuth Working Group Item
>
> No worries.
>
> Some of the people in the F2F piling on with discussion derailed Hannes'
> original question.
>> during the IETF #90 OAuth WG meeting, there was strong consensus in
>> adopting the "OAuth Token Introspection"
>> (draft-richer-oauth-introspection-06.txt) specification as an OAuth WG
>> work item.
>>
>> We would now like to verify the outcome of this call for adoption on the
>> OAuth WG mailing list. Here is the link to the document:
>> http://datatracker.ietf.org/doc/draft-richer-oauth-introspection/
>>
>> If you did not hum at the IETF 90 OAuth WG meeting, and have an opinion
>> as to the suitability of adopting this document as a WG work item,
>> please send mail to the OAuth WG list indicating your opinion (Yes/No).
>>
>> The confirmation call for adoption will last until August 10, 2014. If
>> you have issues/edits/comments on the document, please send these
>> comments along to the list in your response to this Call for Adoption.
>
> People not in the room commenting and asking questions is expected. People
> who expressed opinions in the room should avoid double counting by making it
> clear they hummed in the room, as our AD may not know everyone's face and
> name.
>
> I don't know how I became the process monitor. Normally I am the trouble
> maker.
>
> I believe what passed for consensus in the room was that this work is in
> scope for the WG and this document can serve as a starting point, but that
> there are things that need to be added.
>
> I think Phil would like a use case document to flesh out people's
> understanding. Others who have been working on this longer are hesitant
> that doing a use case document, without adopting Justin's document as a
> starting point, will stall the process.
>
> We can however adopt Justin's doc and in parallel add a use case section as
> part of the doc or as a separate doc.
>
> So if you were not in the F2F hum you need to express an opinion on whether
> draft-richer-oauth-introspection-06.txt should be adopted as a WG item.
>
> John B.
> (PS I was in the room and hummed in favour of adopting this as a work item)
>
> On Jul 30, 2014, at 8:05 AM, Sergey Beryozkin <sberyozkin@gmail.com> wrote:
>
>> Hi John
>> On 30/07/14 14:59, John Bradley wrote:
>>> No, that those of us who were following the instructions not to comment
>>> if our hum was recorded in the room, should not hold back given the nature
>>> of the thread has changed.
>>>
>>> It was also an indication to the chair that the original intent of the
>>> thread to judge consensus is impacted by some people who previously hummed
>>> piling on the thread.
>>>
>> I think I understand, thanks for the clarifications, though it appears to
>> be more subtle to me than various OAuth2 technical ambiguities :-)
>>> I am more than fine with discussion.  It probably should have been a
>>> different thread though.
>>>
>> Thanks, sorry for the noise anyway
>>
>> Sergey
>>> John B.
>>> Sent from my iPhone
>>>
>>>> On Jul 30, 2014, at 7:51 AM, Sergey Beryozkin <sberyozkin@gmail.com> wrote:
>>>>
>>>>> On 30/07/14 14:42, John Bradley wrote:
>>>>> This request for only those not at the F2F to add to the hum has gone a
>>>>> bit off the rails.
>>>> Meaning you see too much feedback, is it bad, even if some of it may be
>>>> off topic ?
>>>>> For those not in the room there was discussion that the draft needed a
>>>>> method to deal with:
>>>>> - Multiple AS
>>>>> - Supporting the PoP specs
>>>>> - stopping clients or other interceptors of the token from
>>>>> introspecting it.
>>>>>
>>>>> Justin stated that his implementation already had a number of those
>>>>> features.
>>>>>
>>>>> I offered to help get those into the spec as part of my support for
>>>>> making this a WG item.
>>>>>
>>>>> Yes if AS and RS are monolithic and there is only one software vendor,
>>>>> then this is not needed.
>>>> Why not? What is wrong with standardizing an introspection process
>>>> which even RS & AS from the same vendor may want to use, as opposed to every
>>>> vendor inventing its own protocol?
>>>>
>>>> This is why I thought focusing on the RS to 3rd party only diverts from
>>>> the idea which I 'read' in the thread (maybe I'm wrong), i.e., standardizing
>>>> on the RS-to-AS communication, which may not have been considered.
>>>>
>>>> Cheers, Sergey
>>>>
>>>>>
>>>>> On the other hand there is evidence that is not the case.
>>>>>
>>>>> John B.
>>>>>
>>>>>
>>>>> Sent from my iPad
>>>>>
>>>>>> On Jul 30, 2014, at 3:45 AM, Sergey Beryozkin <sberyozkin@gmail.com> wrote:
>>>>>>
>>>>>> +1.
>>>>>>
>>>>>> I've understood from what Justin said the idea is to introduce a
>>>>>> standard way for RS to communicate to AS about the tokens issued by the AS.
>>>>>> I think it is a good idea, I'd only not focus on the RS-to-3rd party AS
>>>>>> communications because it complicates it a bit.
>>>>>>
>>>>>> Clearly it would be of help to implementers of OAuth2 filters
>>>>>> protecting RS; having a new lengthy process to collect the cases seems to be
>>>>>> a very administrative idea to me.
>>>>>>
>>>>>> Thanks, Sergey
>>>>>>
>>>>>>> On 30/07/14 03:54, Phil Hunt wrote:
>>>>>>> -100
>>>>>>>
>>>>>>> Phil
>>>>>>>
>>>>>>> On Jul 29, 2014, at 17:52, Justin Richer <jricher@mit.edu> wrote:
>>>>>>>
>>>>>>>> Reading through this thread, it appears very clear to me that the use
>>>>>>>> cases are very well established by a number of existing implementers
>>>>>>>> who want to work together to build a common standard. I see no reason
>>>>>>>> to delay the work artificially by creating a use case document when
>>>>>>>> such a vast array of understanding and interest already exists. Any
>>>>>>>> use cases and explanations of applications are welcome to be added to
>>>>>>>> the working group draft as it progresses.
>>>>>>>>
>>>>>>>> -- Justin
>>>>>>>>
>>>>>>>>
>>>>>>>>> On 7/29/2014 8:16 PM, Mike Jones wrote:
>>>>>>>>>
>>>>>>>>> Did you consider standardizing the access token format within that
>>>>>>>>> deployment so all the parties that needed to could understand it,
>>>>>>>>> rather than requiring an extra round trip to an introspection endpoint
>>>>>>>>> so as to be able to understand things about it?
>>>>>>>>>
>>>>>>>>> I realize that might or might not be practical in some cases, but I
>>>>>>>>> haven't heard that alternative discussed, so I thought I'd bring it up.
>>>>>>>>>
>>>>>>>>> I also second Phil's comment that it would be good to understand the
>>>>>>>>> use cases that this is intended to solve before embarking on a
>>>>>>>>> particular solution path.
>>>>>>>>>
>>>>>>>>> -- Mike
>>>>>>>>>
>>>>>>>>> From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of George Fletcher
>>>>>>>>> Sent: Tuesday, July 29, 2014 3:25 PM
>>>>>>>>> To: Phil Hunt; Thomas Broyer
>>>>>>>>> Cc: oauth@ietf.org
>>>>>>>>> Subject: Re: [OAUTH-WG] Confirmation: Call for Adoption of "OAuth
>>>>>>>>> Token Introspection" as an OAuth Working Group Item
>>>>>>>>>
>>>>>>>>> We also have a use case where the AS is provided by a partner and the
>>>>>>>>> RS is provided by AOL. Being able to have a standardized way of
>>>>>>>>> validating and getting data about the token from the AS would make
>>>>>>>>> our implementation much simpler as we can use the same mechanism for
>>>>>>>>> all Authorization Servers and not have to implement one off solutions
>>>>>>>>> for each AS.
>>>>>>>>>
>>>>>>>>> Thanks,
>>>>>>>>> George
>>>>>>>>>
>>>>>>>>> On 7/28/14, 8:11 PM, Phil Hunt wrote:
>>>>>>>>>
>>>>>>>>>    Could we have some discussion on the interop cases?
>>>>>>>>>
>>>>>>>>>    Is it driven by scenarios where AS and resource are separate
>>>>>>>>>    domains? Or may this be only of interest to specific protocols
>>>>>>>>>    like UMA?
>>>>>>>>>
>>>>>>>>>    From a technique principle, the draft is important and sound. I
>>>>>>>>>    am just not there yet on the reasons for an interoperable
>>>>>>>>>    standard.
>>>>>>>>>
>>>>>>>>>    Phil
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>    On Jul 28, 2014, at 17:00, Thomas Broyer <t.broyer@gmail.com> wrote:
>>>>>>>>>
>>>>>>>>>        Yes. This spec is of special interest to the platform we're
>>>>>>>>>        building for http://www.oasis-eu.org/
>>>>>>>>>
>>>>>>>>>        On Mon, Jul 28, 2014 at 7:33 PM, Hannes Tschofenig
>>>>>>>>>        <hannes.tschofenig@gmx.net> wrote:
>>>>>>>>>
>>>>>>>>>        Hi all,
>>>>>>>>>
>>>>>>>>>        during the IETF #90 OAuth WG meeting, there was strong
>>>>>>>>>        consensus in adopting the "OAuth Token Introspection"
>>>>>>>>>        (draft-richer-oauth-introspection-06.txt) specification as an
>>>>>>>>>        OAuth WG work item.
>>>>>>>>>
>>>>>>>>>        We would now like to verify the outcome of this call for
>>>>>>>>>        adoption on the OAuth WG mailing list. Here is the link to the
>>>>>>>>>        document:
>>>>>>>>>        http://datatracker.ietf.org/doc/draft-richer-oauth-introspection/
>>>>>>>>>
>>>>>>>>>        If you did not hum at the IETF 90 OAuth WG meeting, and have
>>>>>>>>>        an opinion as to the suitability of adopting this document as a
>>>>>>>>>        WG work item, please send mail to the OAuth WG list indicating
>>>>>>>>>        your opinion (Yes/No).
>>>>>>>>>
>>>>>>>>>        The confirmation call for adoption will last until August 10,
>>>>>>>>>        2014. If you have issues/edits/comments on the document, please
>>>>>>>>>        send these comments along to the list in your response to this
>>>>>>>>>        Call for Adoption.
>>>>>>>>>
>>>>>>>>>        Ciao
>>>>>>>>>        Hannes & Derek
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>        _______________________________________________
>>>>>>>>>        OAuth mailing list
>>>>>>>>>        OAuth@ietf.org <mailto:OAuth@ietf.org>
>>>>>>>>>        https://www.ietf.org/mailman/listinfo/oauth
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>        --
>>>>>>>>>        Thomas Broyer
>>>>>>>>>        /tɔ.ma.bʁwa.je/ <http://xn--nna.ma.xn--bwa-xxb.je/>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>
>
>
>
>