Re: [OAUTH-WG] Please help me understand OAuth 2.0

Sergey Beryozkin <sberyozkin@gmail.com> Wed, 23 July 2014 20:01 UTC

Message-ID: <53D0148B.4090206@gmail.com>
Date: Wed, 23 Jul 2014 23:01:15 +0300
From: Sergey Beryozkin <sberyozkin@gmail.com>
To: oauth@ietf.org
References: <CAH59oZdY6svF3dZZwXJnJJycpF-jwSe_u-1Z3dchh6YB1pLq1A@mail.gmail.com> <00e001cfa69b$8f7b7c10$ae727430$@viewds.com>
In-Reply-To: <00e001cfa69b$8f7b7c10$ae727430$@viewds.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/jKp-7bQ1Vf1H1VRq03yTW6lwIg8

Hi,

On 23/07/14 20:28, Gil Kirkpatrick wrote:
> The RFCs 6749 and 6750 are a good place to start.
> http://tools.ietf.org/html/rfc6749 and http://tools.ietf.org/html/rfc6750.
>
> The first thing to understand is that OAuth2 targets a very specific use
> case of a user authorizing an application (like Twitter) access to
> resources they own (like photos) through a resource server (like
> Facebook). It’s more an authN/authZ framework than a complete system,
> and doesn’t directly address the traditional enterprise use cases. Once
> you get your head around that, the rest is pretty straightforward.

IMHO OAuth2 is becoming much bigger... Take the client credentials 
grant. People are using it today in the traditional scenarios, because 
OAuth2 tokens have good security properties.

Cheers, Sergey

> Because it’s lightweight and thin, OAuth2 can be used in lots of
> authN/authZ scenarios, for instance OpenID Connect
> http://openid.net/connect/ and UMA
> http://docs.kantarainitiative.org/uma/draft-uma-core.html.
>
> You’d be best off clearing your mind of SAML concepts and reading the
> RFCs, but to answer your questions:
>
> 1. Not really. Access tokens represent a user-granted authorization for a
> specific application to access a specific resource scope. The semantics
> of scopes are left to the developer, but you can think of a scope as a
> representation of what access(es) are allowed to what resource(s). There
> is no user identity information necessarily conveyed in the access
> token… that is what OpenID Connect is for. OpenID Connect maps pretty
> closely to SAML.
>
> 2. Sort of. When the resource owner grants access, the AS issues an
> authorization grant code. The client then presents the grant code to the
> AS for an access token. The client includes the access token with each
> resource request, and the resource server uses the scope in the token to
> determine if access should be granted or not.
>
> 3. The role of the PDP is split between the AS and the RS. The AS
> provides a token representing the user’s consent to access of a
> particular scope, and the RS interprets the scope to grant access. The
> scope _could_ just be a Boolean value indicating that access is
> allowed or not, in which case the AS would be a PDP, but in practice the
> scope encodes a set of permissions that the RS interprets in the context
> of the specific resource request.
>
> HTH,
>
> -gil
>
> *From:* OAuth [mailto:oauth-bounces@ietf.org] *On Behalf Of* Richard Snowden
> *Sent:* Wednesday, 23 July 2014 2:57 AM
> *To:* oauth@ietf.org
> *Subject:* [OAUTH-WG] Please help me understand OAuth 2.0
>
> I am pretty familiar with the WS-* and SOAP Web Services world. At the
> moment I'm trying to understand which features are available in the
> OAuth 2.0 world.
>
> 1) SAML tokens: This access token in OAuth 2.0 - is it similar to what
> SAML tokens are for?
>
> 2) STS: Is an OAuth 2.0 Authorization Server the equivalent to a STS?
>
> 3) PDP (Policy Decision Point): Is this also handled by the OAuth 2.0
> Authorization Server? Or does the Resource Server, based on the access
> token, have to make the decision whether or not to grant access to a resource?
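As an added illustration of the split Gil describes in points 2 and 3 (not code from the thread, the RFCs, or any project): a toy authorization server issues a single-use code bound to the client, exchanges it for a scoped bearer token, and a resource server then makes the per-request decision by interpreting the token's scope. The client ids, redirect URIs, paths and scope names are constructed for the example.

```python
"""Toy model of the AS/RS split discussed in the thread.  Constructed
example: client ids, URIs, paths and the scope vocabulary are invented;
only the space-delimited scope syntax (RFC 6749 3.3) and the RFC 6750
error names are taken from the specifications."""
import secrets
import time

# Constructed RS policy: (HTTP method, resource prefix) -> scope that permits it.
# This is the part of the PDP that lives in the resource server.
RS_POLICY = {
    ("GET", "/photos"): "photos:read",
    ("POST", "/photos"): "photos:write",
    ("DELETE", "/photos"): "photos:write",
}


class AuthorizationServer:
    """Issues single-use codes bound to client and redirect URI, then tokens."""

    def __init__(self):
        self._codes = {}   # code -> (client_id, redirect_uri, scope, user)
        self.tokens = {}   # access token -> (scope, user, expiry epoch seconds)

    def authorize(self, client_id, redirect_uri, scope, user):
        # Resource owner consented: mint an authorization code (the "grant code").
        code = secrets.token_urlsafe(16)
        self._codes[code] = (client_id, redirect_uri, scope, user)
        return code

    def token(self, code, client_id, redirect_uri, ttl=3600):
        # Code is consumed on first use; a replay or a different client gets nothing.
        entry = self._codes.pop(code, None)
        if entry is None or entry[0] != client_id or entry[1] != redirect_uri:
            return None                      # invalid_grant
        _, _, scope, user = entry
        access_token = secrets.token_urlsafe(24)
        self.tokens[access_token] = (scope, user, time.time() + ttl)
        return {"access_token": access_token, "token_type": "Bearer", "scope": scope}


def rs_decide(auth_server, bearer, method, path):
    """RS half of the PDP: validate the bearer token, then interpret its
    scope in the context of this specific request (method + resource)."""
    record = auth_server.tokens.get(bearer)
    if record is None or record[2] < time.time():
        return "invalid_token"               # RFC 6750 3.1 error code
    granted = set(record[0].split())         # space-delimited scope list
    required = next((s for (m, p), s in RS_POLICY.items()
                     if m == method and path.startswith(p)), None)
    if required is None or required not in granted:
        return "insufficient_scope"          # RFC 6750 3.1 error code
    return "allow"
```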