[OAUTH-WG] more than one assertion?
Brian Campbell <bcampbell@pingidentity.com> Mon, 09 August 2010 19:33 UTC
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Mon, 09 Aug 2010 13:33:51 -0600
Message-ID: <AANLkTinkTA4uSvUB64u2cdnzmYpxjfTTn43PuB9aMo6M@mail.gmail.com>
To: oauth <oauth@ietf.org>
The question of allowing for multiple assertions in the SAML profile came up recently. See http://www.ietf.org/mail-archive/web/oauth/current/msg04068.html and several subsequent messages in the thread.

I pushed back on the idea at first due to added complexity. There are a number of things that need to be addressed that aren't present in the single assertion case. One of the stickier ones, to me, was how to encode the assertions into the request. A SAML <Response> element is a nice container for multiple assertions but using it in this context seemed awkward at best. A new schema could be defined or a special delimiter character could be used but that seems excessive and kludgy respectively.

What about pushing it up into the HTTP layer and allowing for multiple occurrences of the assertion=XXX parameter in the POST body? I don't see anything in core OAuth that would necessarily preclude doing this. It seems cleaner and more lightweight than some of the other options. And perhaps it could be a more general (not just SAML) method of sending multiple assertions in a single assertion grant type request?

It'd look something like this:

  POST /token.oauth2 HTTP/1.1
  Host: authz.example.net
  Content-Type: application/x-www-form-urlencoded

  grant_type=assertion&assertion_type=http%3A%2F%2Foauth.net%2Fassertion_type%2Fsaml%2F2.0%2Fbearer&assertion=[...1st assertion...]&assertion=[...2nd assertion...]&assertion=[...3rd assertion...]
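As an added illustration of the repeated-parameter encoding proposed in the message above (example code written for this archive page, not from the original message or from any OAuth implementation), the block below builds such a token request body and shows how an authorization server should parse it: every `assertion=` occurrence is kept, while parameters that must be single-valued (`grant_type`, `assertion_type`) are rejected if repeated. The assertion values are constructed placeholders; a "last value wins" parse is included only to show how a naive parser silently drops assertions.

```python
from urllib.parse import urlencode, parse_qs, parse_qsl

# Assertion type URI taken from the proposal in the message above.
ASSERTION_TYPE = "http://oauth.net/assertion_type/saml/2.0/bearer"


def build_token_request_body(assertions):
    """Encode one assertion grant request carrying several assertions.

    Each assertion becomes its own assertion=... pair, so the body matches
    the repeated-parameter layout shown in the message."""
    params = [("grant_type", "assertion"), ("assertion_type", ASSERTION_TYPE)]
    params += [("assertion", a) for a in assertions]
    return urlencode(params)


def parse_token_request_body(body):
    """Server-side parse that preserves repeated assertion parameters.

    parse_qs keeps every occurrence of a key as a list; strict_parsing makes
    malformed pairs an error instead of being skipped silently."""
    fields = parse_qs(body, keep_blank_values=True, strict_parsing=True)

    single = {}
    for name in ("grant_type", "assertion_type"):
        values = fields.get(name, [])
        # A repeated single-valued parameter is ambiguous; refuse it rather
        # than let the request's meaning depend on parser ordering.
        if len(values) != 1:
            raise ValueError(f"{name} must appear exactly once, got {len(values)}")
        single[name] = values[0]
    if single["grant_type"] != "assertion":
        raise ValueError("unsupported grant_type")

    assertions = fields.get("assertion", [])
    if not assertions or any(a == "" for a in assertions):
        raise ValueError("at least one non-empty assertion is required")
    return single["grant_type"], single["assertion_type"], assertions


def naive_parse(body):
    """Pitfall for comparison: collapsing pairs into a dict keeps only the
    last value of a repeated key, so extra assertions vanish with no error."""
    return dict(parse_qsl(body))
```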