Re: [OAUTH-WG] Indicating sites where a token is valid
"Richer, Justin P." <jricher@mitre.org> Mon, 10 May 2010 12:20 UTC
Return-Path: <jricher@mitre.org>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 7059828C1BB for <oauth@core3.amsl.com>; Mon, 10 May 2010 05:20:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.665
X-Spam-Level:
X-Spam-Status: No, score=-4.665 tagged_above=-999 required=5 tests=[AWL=0.444, BAYES_05=-1.11, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lRfeW+Y0-g62 for <oauth@core3.amsl.com>; Mon, 10 May 2010 05:20:18 -0700 (PDT)
Received: from smtp-bedford.mitre.org (smtp-bedford.mitre.org [129.83.20.191]) by core3.amsl.com (Postfix) with ESMTP id ADFDF28C1A7 for <oauth@ietf.org>; Mon, 10 May 2010 05:19:04 -0700 (PDT)
Received: from smtp-bedford.mitre.org (localhost.localdomain [127.0.0.1]) by smtp-bedford.mitre.org (8.13.1/8.13.1) with ESMTP id o4ACIq5w006131 for <oauth@ietf.org>; Mon, 10 May 2010 08:18:52 -0400
Received: from imchub2.MITRE.ORG (imchub2.mitre.org [129.83.29.74]) by smtp-bedford.mitre.org (8.13.1/8.13.1) with ESMTP id o4ACIqd9006128; Mon, 10 May 2010 08:18:52 -0400
Received: from IMCMBX3.MITRE.ORG ([129.83.29.206]) by imchub2.MITRE.ORG ([129.83.29.74]) with mapi; Mon, 10 May 2010 08:18:52 -0400
From: "Richer, Justin P." <jricher@mitre.org>
To: Eran Hammer-Lahav <eran@hueniverse.com>, David Recordon <recordond@gmail.com>, Marius Scurtescu <mscurtescu@google.com>
Date: Mon, 10 May 2010 08:18:33 -0400
Thread-Topic: [OAUTH-WG] Indicating sites where a token is valid
Thread-Index: AcruEAUKwnx3j4csRMOC6KIWXd2OkQBroXOAAB8Xdtw=
Message-ID: <D24C564ACEAD16459EF2526E1D7D605D0C8D22ED62@IMCMBX3.MITRE.ORG>
References: <255B9BB34FB7D647A506DC292726F6E11263073D6D@WSMSG3153V.srv.dir.telstra.com> <q2hfd6741651005062105y46152452x370fac0dd12d55c6@mail.gmail.com> <255B9BB34FB7D647A506DC292726F6E112631B24FC@WSMSG3153V.srv.dir.telstra.com> <4BE3A5DC.5030601@lodderstedt.net> <BC9EED4C-B667-4AC2-A663-CEAC0B7CB620@lodderstedt.net> <AANLkTincZ8_0-t2r_Ey9BestA_knMciYsxRLyHcOvSVO@mail.gmail.com> <g2xfd6741651005071106if93ba794q7e9739669eb22fc2@mail.gmail.com>, <90C41DD21FB7C64BB94121FBBC2E72343B3AB46E1F@P3PW5EX1MB01.EX1.SECURESERVER.NET>
In-Reply-To: <90C41DD21FB7C64BB94121FBBC2E72343B3AB46E1F@P3PW5EX1MB01.EX1.SECURESERVER.NET>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: multipart/alternative; boundary="_000_D24C564ACEAD16459EF2526E1D7D605D0C8D22ED62IMCMBX3MITREO_"
MIME-Version: 1.0
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Indicating sites where a token is valid
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 10 May 2010 12:20:19 -0000
+1 Any information that the client needs to care about should live outside the token. -- Justin ________________________________ From: oauth-bounces@ietf.org [oauth-bounces@ietf.org] On Behalf Of Eran Hammer-Lahav [eran@hueniverse.com] Sent: Sunday, May 09, 2010 5:29 PM To: David Recordon; Marius Scurtescu Cc: OAuth WG Subject: Re: [OAUTH-WG] Indicating sites where a token is valid The idea of embedding this information into the token is wrong. This is clearly token metadata and that information belongs alongside the token, just like ‘expires_in’. EHL From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of David Recordon Sent: Friday, May 07, 2010 11:06 AM To: Marius Scurtescu Cc: OAuth WG Subject: Re: [OAUTH-WG] Indicating sites where a token is valid Using SWT for your access tokens seems like a reasonable way to resolve this for servers which care. On Fri, May 7, 2010 at 11:01 AM, Marius Scurtescu <mscurtescu@google.com<mailto:mscurtescu@google.com>> wrote: Returning a scope parameter with issued tokens is not a bad idea. But this, and also the sites parameter suggested by James, can both potentially be solved with a transparent token format. Such a token can make explicit the: - expiry time - scopes - sites - etc. The Simple Web Token spec goes along these lines. SWT has a parameter called Audience, which I assumed would point to the client, but it could also represent "sites". Marius On Thu, May 6, 2010 at 11:06 PM, Torsten Lodderstedt <torsten@lodderstedt.net<mailto:torsten@lodderstedt.net>> wrote: > Additionally, I would propose to indicate the scope associated with a token > to the client using a scope response parameter. This is especially useful > (1) if the client did not pass a scope parameter but the server decided to > associate a scope based on its policy or (2) if the user decided to > authorize a subset of the requested scope only. > Regards, > Torsten. > > > > Am 07.05.2010 um 07:32 schrieb Torsten Lodderstedt > <torsten@lodderstedt.net<mailto:torsten@lodderstedt.net>>: > > what about an additional realm response value? > > If there is a binding between realm and token, the client can decide based > on the realm attribute discovered using a WWW-Authenticate response which > token to use. > > regards, > Torsten. > > Am 07.05.2010 07:06, schrieb Manger, James H: > > Every existing use of Cookies, HTTP Basic, and HTTP Digest relies on clients > being told by the server about the sites at which the secret > (cookie/password/token) can be used (and, more importantly, where is must > not be used). This occurs without requiring service-specific knowledge in > the client app. OAuth aims to replace some of these uses. > > > > HTTP Basic authentication works safely from clients with no service-specific > knowledge because the client knows not to send the password it gets from the > user to other sites. > > > > HTTP Digest authentication allows a password to used to across a set of > domains specified in a WWW-Authenticate response header, but the password > will not be used at arbitrary other sites. > > > > Cookies are sent in requests to the same site, sites with the same parent, > or only https sites, depending on details from the service when setting the > cookie. > > > > > > To date, OAuth has assumed every client app has lots of service-specific > knowledge to make these choices. OAuth needs to remove the need for so much > service-specific knowledge to be as interoperable as other standard auth > mechanism, otherwise it is a poor replacement. > > > > -- > > James Manger > > > > From: David Recordon [mailto:recordond@gmail.com<mailto:recordond@gmail.com>] > Sent: Friday, 7 May 2010 2:05 PM > To: Manger, James H > Cc: OAuth WG > Subject: Re: [OAUTH-WG] Indicating sites where a token is valid > > > > Hey James, > > Do you have a specific example in mind where this either has been an issue > or will be an issue? Most client implementations I've seen of OAuth (and > technologies like OAuth) have a strong binding between the access token(s), > site they were issued by, and user they belong to. So I haven't heard of > this being a problem in the wild... > > > > --David > > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org<mailto:OAuth@ietf.org> > https://www.ietf.org/mailman/listinfo/oauth > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org<mailto:OAuth@ietf.org> > https://www.ietf.org/mailman/listinfo/oauth > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org<mailto:OAuth@ietf.org> > https://www.ietf.org/mailman/listinfo/oauth > > _______________________________________________ OAuth mailing list OAuth@ietf.org<mailto:OAuth@ietf.org> https://www.ietf.org/mailman/listinfo/oauth
- [OAUTH-WG] Indicating sites where a token is valid Manger, James H
- Re: [OAUTH-WG] Indicating sites where a token is … Marius Scurtescu
- Re: [OAUTH-WG] Indicating sites where a token is … Manger, James H
- Re: [OAUTH-WG] Indicating sites where a token is … David Recordon
- Re: [OAUTH-WG] Indicating sites where a token is … Manger, James H
- [OAUTH-WG] Redirects Manger, James H
- Re: [OAUTH-WG] Indicating sites where a token is … Torsten Lodderstedt
- Re: [OAUTH-WG] Redirects David Recordon
- Re: [OAUTH-WG] Redirects Luke Shepard
- Re: [OAUTH-WG] Redirects Torsten Lodderstedt
- Re: [OAUTH-WG] Indicating sites where a token is … Torsten Lodderstedt
- Re: [OAUTH-WG] Redirects Manger, James H
- Re: [OAUTH-WG] Redirects Manger, James H
- Re: [OAUTH-WG] Indicating sites where a token is … Manger, James H
- Re: [OAUTH-WG] Redirects David Recordon
- Re: [OAUTH-WG] Redirects Manger, James H
- Re: [OAUTH-WG] Redirects David Recordon
- Re: [OAUTH-WG] Redirects Manger, James H
- Re: [OAUTH-WG] Indicating sites where a token is … Manger, James H
- Re: [OAUTH-WG] Indicating sites where a token is … Torsten Lodderstedt
- Re: [OAUTH-WG] Indicating sites where a token is … Marius Scurtescu
- Re: [OAUTH-WG] Indicating sites where a token is … Marius Scurtescu
- Re: [OAUTH-WG] Indicating sites where a token is … David Recordon
- Re: [OAUTH-WG] Indicating sites where a token is … Manger, James H
- Re: [OAUTH-WG] SWT for indicating sites where a t… Manger, James H
- Re: [OAUTH-WG] Indicating sites where a token is … Manger, James H
- Re: [OAUTH-WG] Indicating sites where a token is … Eran Hammer-Lahav
- Re: [OAUTH-WG] Indicating sites where a token is … Eran Hammer-Lahav
- Re: [OAUTH-WG] Indicating sites where a token is … Richer, Justin P.
- Re: [OAUTH-WG] SWT for indicating sites where a t… Marius Scurtescu
- Re: [OAUTH-WG] Indicating sites where a token is … Evan Gilbert
- Re: [OAUTH-WG] SWT for indicating sites where a t… Manger, James H
- Re: [OAUTH-WG] SWT for indicating sites where a t… Marius Scurtescu
- Re: [OAUTH-WG] SWT for indicating sites where a t… Manger, James H
- Re: [OAUTH-WG] Indicating sites where a token is … David Recordon
- Re: [OAUTH-WG] Indicating sites where a token is … Manger, James H
- Re: [OAUTH-WG] Indicating sites where a token is … David Recordon
- Re: [OAUTH-WG] Indicating sites where a token is … Torsten Lodderstedt
- Re: [OAUTH-WG] SWT for indicating sites where a t… Marius Scurtescu
- Re: [OAUTH-WG] Indicating sites where a token is … Marius Scurtescu
- Re: [OAUTH-WG] SWT for indicating sites where a t… Manger, James H
- Re: [OAUTH-WG] Indicating sites where a token is … Evan Gilbert
- Re: [OAUTH-WG] Indicating sites where a token is … Manger, James H
- Re: [OAUTH-WG] Indicating sites where a token is … Evan Gilbert
- Re: [OAUTH-WG] Indicating sites where a token is … Manger, James H
- Re: [OAUTH-WG] Indicating sites where a token is … Evan Gilbert
- Re: [OAUTH-WG] Indicating sites where a token is … Eran Hammer-Lahav
- Re: [OAUTH-WG] Indicating sites where a token is … Evan Gilbert
- Re: [OAUTH-WG] Indicating sites where a token is … Eran Hammer-Lahav
- Re: [OAUTH-WG] Indicating sites where a token is … Manger, James H
- Re: [OAUTH-WG] Indicating sites where a token is … Evan Gilbert
- Re: [OAUTH-WG] Indicating sites where a token is … Brian Eaton
- Re: [OAUTH-WG] Indicating sites where a token is … Manger, James H
- Re: [OAUTH-WG] Indicating sites where a token is … Dick Hardt
- Re: [OAUTH-WG] Indicating sites where a token is … Eran Hammer-Lahav
- Re: [OAUTH-WG] Indicating sites where a token is … Dick Hardt
- Re: [OAUTH-WG] Indicating sites where a token is … Eran Hammer-Lahav