From: William Mills <wmills@yahoo-inc.com>
To: David Recordon <recordond@gmail.com>, OAuth WG <oauth@ietf.org>
Date: Tue, 28 Sep 2010 10:18:02 -0700
Message-ID: <FFDFD7371D517847AD71FBB08F9A315612C11BC9E5@SP2-EX07VS06.ds.corp.yahoo.com>
References: <AANLkTimERshG-ndU8_uc0NJhx6ree6d8kxYj=EVeHpmA@mail.gmail.com>
In-Reply-To: <AANLkTimERshG-ndU8_uc0NJhx6ree6d8kxYj=EVeHpmA@mail.gmail.com>
Subject: Re: [OAUTH-WG] Signatures...what are we trying to solve?

 * Is there an example of an OAuth 2.0 server that can't use bearer tokens for protected resource requests and thus requires signatures?

The use case I see for signatures that isn't solved (as well) by tokens is 3-way integrations where it is useful to manage a secret as a way to manage the business relationship. I have also seen a lot of cases where the 3rd party doesn't want to go SSL (I'm not gonna try to justify this, it's just how things have worked that I've seen).

From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of David Recordon
Sent: Monday, September 27, 2010 9:58 PM
To: OAuth WG
Subject: [OAUTH-WG] Signatures...what are we trying to solve?

If you know me then you'll know that I'm generally one of the last people to talk about Alice and Bob. That said, there are a lot of technical proposals flying across the list with very little shared understanding of the problem(s) we're trying to solve.

From what I've seen there are two distinct classes of signature use cases.
1) The first is where the HTTP request parameters must be part of the signature. An example is any OAuth 1.0a style API where you want to make sure that the HTTP POST your server just received isn't masquerading itself as a GET.
2) The second is where the HTTP request is orthogonal. An example is OpenSocial where the server is sending state information to the client such as what user is currently logged in.

The main practical example I have of the first use case is what Twitter wants to do with redelegation. In this case TweetDeck can't give TwitPic its own bearer token, but needs to sign the POST request and pass that signature to TwitPic for it to include in the final API request to Twitter.

In terms of signing protected resource requests, I haven't heard anyone bring up specific and detailed needs for this recently.

JSON tokens pretty clearly make sense for the second class of signature use cases and it's actually a bit hard to argue why they would be a part of OAuth. Facebook shipped this a bit over a month ago for canvas applications. We include a `signed_request` parameter which is signature.base64url(JSON). Parsing it is 18 lines of PHP. http://developers.facebook.com/docs/authentication/canvas

This second class of use case will also be required by OpenID Connect where the server is signing identity information and sending it to the client. I imagine that OpenSocial will also still have it and wish to continue relying on public key algorithms.

So a few questions:
 * Do we want to tackle both of these classes of signatures in OAuth?
 * Why do you consider the second class part of OAuth versus something completely separate that might happen to include an OAuth access token?
 * Is the Twitter redelegation use case the right focus for the first class?
 * Is there an example of an OAuth 2.0 server that can't use bearer tokens for protected resource requests and thus requires signatures?

Thanks,
--David
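The `signed_request` format David describes above (`signature.base64url(JSON)`), as an added Python example that is not code from this thread or from Facebook: it assumes the signature is a base64url-encoded HMAC-SHA256 over the payload string keyed with the application secret and that the JSON names its algorithm (Facebook's documented choice, but an assumption relative to the text); the secret and payload are constructed. The point it adds is the receiving side: verify before parsing, compare in constant time, and reject an unexpected algorithm.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed secret for the demo (assumption: the canvas app's shared secret).
APP_SECRET = b"constructed-app-secret-not-real"


def b64url_encode(raw: bytes) -> str:
    """base64url without '=' padding, as the signed_request parameter uses."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(data: str) -> bytes:
    """Re-pad and decode; raises ValueError (binascii.Error) on junk input."""
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def make_signed_request(payload: dict, secret: bytes) -> str:
    """Issuer side: HMAC-SHA256 over the base64url(JSON) text, then sig.body."""
    body = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(secret, body.encode("ascii"), hashlib.sha256).digest()
    return f"{b64url_encode(sig)}.{body}"


def parse_signed_request(token: str, secret: bytes) -> Optional[dict]:
    """Receiver side: return the payload only if the MAC checks out, else None.

    The MAC is verified over the still-encoded body, so nothing untrusted is
    JSON-parsed before the signature has been checked.
    """
    try:
        sig_b64, body_b64 = token.split(".", 1)
        expected = hmac.new(secret, body_b64.encode("ascii"), hashlib.sha256).digest()
        # Constant-time compare: a forged MAC must not leak how close it was.
        if not hmac.compare_digest(b64url_decode(sig_b64), expected):
            return None
        payload = json.loads(b64url_decode(body_b64))
    except ValueError:  # bad split, bad base64, bad JSON, bad UTF-8
        return None
    # The payload names its algorithm; anything other than the one we keyed
    # for is rejected so the verifier cannot be steered onto a weaker scheme.
    if not isinstance(payload, dict) or payload.get("algorithm", "").upper() != "HMAC-SHA256":
        return None
    return payload
```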

