IETF Logo Mail Archive

Re: [OAUTH-WG] Need for Extending OAuth with AuthN (was Re: Fwd: New Version Notification for draft-hunt-oauth-v2-user-a4c-00.txt)

Anthony Nadalin <tonynad@microsoft.com> Thu, 01 August 2013 14:26 UTC

Return-Path: <tonynad@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B106521E81D1 for <oauth@ietfa.amsl.com>; Thu, 1 Aug 2013 07:26:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.754
X-Spam-Level:
X-Spam-Status: No, score=-0.754 tagged_above=-999 required=5 tests=[AWL=-0.888, BAYES_00=-2.599, HTML_MESSAGE=0.001, J_CHICKENPOX_24=0.6, RCVD_IN_DNSWL_LOW=-1, UNRESOLVED_TEMPLATE=3.132]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id K0kLfnN9-cSG for <oauth@ietfa.amsl.com>; Thu, 1 Aug 2013 07:26:11 -0700 (PDT)
Received: from ch1outboundpool.messaging.microsoft.com (ch1ehsobe006.messaging.microsoft.com [216.32.181.186]) by ietfa.amsl.com (Postfix) with ESMTP id 9D35121E81D0 for <oauth@ietf.org>; Thu, 1 Aug 2013 07:25:59 -0700 (PDT)
Received: from mail64-ch1-R.bigfish.com (10.43.68.249) by CH1EHSOBE020.bigfish.com (10.43.70.77) with Microsoft SMTP Server id 14.1.225.22; Thu, 1 Aug 2013 14:25:58 +0000
Received: from mail64-ch1 (localhost [127.0.0.1]) by mail64-ch1-R.bigfish.com (Postfix) with ESMTP id E1A332E011E for <oauth@ietf.org>; Thu, 1 Aug 2013 14:25:57 +0000 (UTC)
X-Forefront-Antispam-Report: CIP:131.107.125.8; KIP:(null); UIP:(null); IPV:NLI; H:TK5EX14MLTC104.redmond.corp.microsoft.com; RD:autodiscover.service.exchange.microsoft.com; EFVD:NLI
X-SpamScore: -24
X-BigFish: VS-24(zf7Izbb2dI98dI9371I936eI1b0bIc85dh4015I1447Idb82hzz1f42h208ch1ee6h1de0h1fdah2073h1202h1e76h1d1ah1d2ah1fc6h1082kzz8275ch16d858h1de098h1033IL177df4h17326ah18c673h1de096h18602eh5eeeK8275bh8275dh1de097hz2fh2a8h683h839hd24hf0ah1288h12a5h12bdh137ah1441h1504h1537h153bh162dh1631h1758h18e1h1946h19b5h1b0ah1bceh1d07h1d0ch1d2eh1d3fh1de9h1dfeh1dffh1e1dh17ej9a9j1155h)
Received-SPF: pass (mail64-ch1: domain of microsoft.com designates 131.107.125.8 as permitted sender) client-ip=131.107.125.8; envelope-from=tonynad@microsoft.com; helo=TK5EX14MLTC104.redmond.corp.microsoft.com ; icrosoft.com ;
X-Forefront-Antispam-Report-Untrusted: CIP:157.56.240.21; KIP:(null); UIP:(null); (null); H:BL2PRD0310HT001.namprd03.prod.outlook.com; R:internal; EFV:INT
Received: from mail64-ch1 (localhost.localdomain [127.0.0.1]) by mail64-ch1 (MessageSwitch) id 1375367154242787_25857; Thu, 1 Aug 2013 14:25:54 +0000 (UTC)
Received: from CH1EHSMHS031.bigfish.com (snatpool1.int.messaging.microsoft.com [10.43.68.249]) by mail64-ch1.bigfish.com (Postfix) with ESMTP id 368C240047 for <oauth@ietf.org>; Thu, 1 Aug 2013 14:25:54 +0000 (UTC)
Received: from TK5EX14MLTC104.redmond.corp.microsoft.com (131.107.125.8) by CH1EHSMHS031.bigfish.com (10.43.70.31) with Microsoft SMTP Server (TLS) id 14.16.227.3; Thu, 1 Aug 2013 14:25:51 +0000
Received: from ch1outboundpool.messaging.microsoft.com (157.54.51.80) by mail.microsoft.com (157.54.79.159) with Microsoft SMTP Server (TLS) id 14.3.136.1; Thu, 1 Aug 2013 14:25:06 +0000
Received: from mail64-ch1-R.bigfish.com (10.43.68.234) by CH1EHSOBE001.bigfish.com (10.43.70.51) with Microsoft SMTP Server id 14.1.225.22; Thu, 1 Aug 2013 14:24:56 +0000
Received: from mail64-ch1 (localhost [127.0.0.1]) by mail64-ch1-R.bigfish.com (Postfix) with ESMTP id 50A902E026B for <oauth@ietf.org.FOPE.CONNECTOR.OVERRIDE>; Thu, 1 Aug 2013 14:24:56 +0000 (UTC)
X-Forefront-Antispam-Report-Untrusted: SFV:NSPM; SFS:(164054003)(69234005)(479174003)(2473001)(377454003)(377424004)(199002)(189002)(24454002)(51914003)(243025003)(56816003)(77096001)(16236675002)(19580385001)(54356001)(83322001)(53806001)(51856001)(15395725003)(83072001)(76482001)(74876001)(69226001)(59766001)(77982001)(80976001)(74706001)(65816001)(50986001)(47976001)(49866001)(4396001)(14971765001)(54316002)(46102001)(74662001)(74316001)(19580405001)(19300405004)(80022001)(16406001)(33646001)(79102001)(15202345003)(74366001)(76786001)(56776001)(76796001)(74502001)(76576001)(47446002)(63696002)(81542001)(31966008)(19580395003)(47736001)(561944002)(81342001)(42262001)(3826001)(24736002)(579004); DIR:OUT; SFP:; SCL:1; SRVR:BY2PR03MB191; H:BY2PR03MB189.namprd03.prod.outlook.com; CLIP:2001:df8:0:16:64be:106e:d85e:832c; RD:InfoNoRecords; A:1; MX:1; LANG:en;
Received: from mail64-ch1 (localhost.localdomain [127.0.0.1]) by mail64-ch1 (MessageSwitch) id 1375367093706879_25153; Thu, 1 Aug 2013 14:24:53 +0000 (UTC)
Received: from CH1EHSMHS019.bigfish.com (snatpool1.int.messaging.microsoft.com [10.43.68.252]) by mail64-ch1.bigfish.com (Postfix) with ESMTP id 9993540047; Thu, 1 Aug 2013 14:24:53 +0000 (UTC)
Received: from BL2PRD0310HT001.namprd03.prod.outlook.com (157.56.240.21) by CH1EHSMHS019.bigfish.com (10.43.70.19) with Microsoft SMTP Server (TLS) id 14.16.227.3; Thu, 1 Aug 2013 14:24:51 +0000
Received: from BY2PR03MB191.namprd03.prod.outlook.com (10.242.36.143) by BL2PRD0310HT001.namprd03.prod.outlook.com (10.255.97.36) with Microsoft SMTP Server (TLS) id 14.16.341.1; Thu, 1 Aug 2013 14:24:48 +0000
Received: from BY2PR03MB189.namprd03.prod.outlook.com (10.242.36.140) by BY2PR03MB191.namprd03.prod.outlook.com (10.242.36.143) with Microsoft SMTP Server (TLS) id 15.0.731.16; Thu, 1 Aug 2013 14:24:46 +0000
Received: from BY2PR03MB189.namprd03.prod.outlook.com ([169.254.6.234]) by BY2PR03MB189.namprd03.prod.outlook.com ([169.254.6.234]) with mapi id 15.00.0731.000; Thu, 1 Aug 2013 14:24:45 +0000
From: Anthony Nadalin <tonynad@microsoft.com>
To: "Richer, Justin P." <jricher@mitre.org>, Nat Sakimura <sakimura@gmail.com>
Thread-Topic: [OAUTH-WG] Need for Extending OAuth with AuthN (was Re: Fwd: New Version Notification for draft-hunt-oauth-v2-user-a4c-00.txt)
Thread-Index: AQHOjrzrB7oIuEtdp0eKYUYk4XQsUpmAZYIAgAABQmA=
Date: Thu, 01 Aug 2013 14:24:44 +0000
Message-ID: <f4b99e49fbdd4e22b19391cdb720b15d@BY2PR03MB189.namprd03.prod.outlook.com>
References: <787A2184-CE90-49F4-ABB6-B8D049AE3941@oracle.com> <E2282016-1953-48A4-B0AC-7F138D29AB80@oracle.com> <BAB6DA63-5831-49D0-8CB9-13CF57F78806@ve7jtb.com> <CABzCy2C=DXtFUOZh=55xH_BwMz1Z8gb2ShUHAG7ZmATtc4E4zw@mail.gmail.com> <51F83EF7.6040201@oracle <51F983E3.1020400@oracle.com> <1375307375.98370.YahooMailNeo@web142804.mail.bf1.yahoo.com> <5c5c607231e644f697c5a60b75688013@BY2PR03MB189.namprd03.prod.outlook.com> <5D020B1E-531D-444E-A492-046D444D48D2@mitre.org> <e68801da9fa547c69fee43b9cd7b22b8@BY2PR03MB189.namprd03.prod.outlook.com> <2117136733141454493@unknownmsgid> <8E6F38BA-E6BF-40E5-818A-45F506BB181D@mitre.org>
In-Reply-To: <8E6F38BA-E6BF-40E5-818A-45F506BB181D@mitre.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [2001:df8:0:16:64be:106e:d85e:832c]
x-forefront-prvs: 0925081676
Content-Type: multipart/alternative; boundary="_000_f4b99e49fbdd4e22b19391cdb720b15dBY2PR03MB189namprd03pro_"
MIME-Version: 1.0
X-OrganizationHeadersPreserved: BY2PR03MB191.namprd03.prod.outlook.com
X-FOPE-CONNECTOR: Id%0$Dn%*$RO%0$TLS%0$FQDN%$TlsDn%
X-FOPE-CONNECTOR: Id%59$Dn%ORACLE.COM$RO%2$TLS%6$FQDN%corpf5vips-237160.customer.frontbridge.com$TlsDn%
X-FOPE-CONNECTOR: Id%59$Dn%IETF.ORG$RO%2$TLS%6$FQDN%corpf5vips-237160.customer.frontbridge.com$TlsDn%
X-FOPE-CONNECTOR: Id%59$Dn%YAHOO.COM$RO%2$TLS%6$FQDN%corpf5vips-237160.customer.frontbridge.com$TlsDn%
X-FOPE-CONNECTOR: Id%59$Dn%MITRE.ORG$RO%2$TLS%6$FQDN%corpf5vips-237160.customer.frontbridge.com$TlsDn%
X-FOPE-CONNECTOR: Id%59$Dn%GMAIL.COM$RO%2$TLS%6$FQDN%corpf5vips-237160.customer.frontbridge.com$TlsDn%
X-CrossPremisesHeadersPromoted: TK5EX14MLTC104.redmond.corp.microsoft.com
X-CrossPremisesHeadersFiltered: TK5EX14MLTC104.redmond.corp.microsoft.com
X-OriginatorOrg: microsoft.com
X-FOPE-CONNECTOR: Id%0$Dn%*$RO%0$TLS%0$FQDN%$TlsDn%
Cc: "oauth@ietf.org WG" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Need for Extending OAuth with AuthN (was Re: Fwd: New Version Notification for draft-hunt-oauth-v2-user-a4c-00.txt)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 01 Aug 2013 14:26:42 -0000

I believe it beneficial to have a common format and common values, and 1 way to handle the format and values. I believe that having this in oauth is beneficial, I believe that it would also be beneficial for OpenID if this were in oauth. There are cases for signed and unsigned formats.

From: Richer, Justin P. [mailto:jricher@mitre.org]
Sent: Thursday, August 1, 2013 7:15 AM
To: Nat Sakimura
Cc: Anthony Nadalin; Bill Mills; Prateek Mishra; oauth@ietf.org WG
Subject: Re: [OAUTH-WG] Need for Extending OAuth with AuthN (was Re: Fwd: New Version Notification for draft-hunt-oauth-v2-user-a4c-00.txt)

Also, it's (optionally) a token in the proposed document we're discussing (§2.4.1), which means there are two ways to parse the same information. OIDC uses JWTs for everything, signed and unsigned. This means that OIDC is actually simpler from an implementation perspective, wouldn't you say? Instead of having two parsers, you have one to cover both cases.

(And given your tendency to throw signed assertions at every problem, I would have thought that you'd prefer this anyway.)

 -- Justin

On Aug 1, 2013, at 9:40 AM, Nat Sakimura <sakimura@gmail.com<mailto:sakimura@gmail.com>>
 wrote:


Yes, it is a Token.
No, it does not have to be signed.

As to be a token or not to be a token question, it has been discussed in the WG before, and if I remember correctly,  Microsoft argued for token saying that it is just base64 decoding and I lost there.
Nat

On Aug 1, 2013, at 14:24, Anthony Nadalin <tonynad@microsoft.com<mailto:tonynad@microsoft.com>> wrote:
You can't do this, first openid uses a token and second it's signed, third there is no specification to just return a authentication JSON structure

From: Richer, Justin P. [mailto:jricher@mitre.org]
Sent: Thursday, August 1, 2013 5:15 AM
To: Anthony Nadalin
Cc: Bill Mills; Prateek Mishra; Nat Sakimura; oauth@ietf.org<mailto:oauth@ietf.org> WG
Subject: Re: [OAUTH-WG] Need for Extending OAuth with AuthN (was Re: Fwd: New Version Notification for draft-hunt-oauth-v2-user-a4c-00.txt)

Tony, you can already return the authn result from the token request (we discussed this specifically in May as I recall). That's what the "idtoken" and "code idtoken" responses are for in OpenID Connect. The proposed draft is nearly a duplicate of the core functionality of OIDC.

 -- Justin

On Aug 1, 2013, at 7:31 AM, Anthony Nadalin <tonynad@microsoft.com<mailto:tonynad@microsoft.com>>
 wrote:

The proposal does not duplicate what OpenID does, there is clear benefit for returning an authentication result in the token request result. This is being proposed as optional JSON structure.

From: oauth-bounces@ietf.org<mailto:oauth-bounces@ietf.org> [mailto:oauth-<mailto:oauth->bounces@ietf.org<mailto:bounces@ietf.org>] On Behalf Of Bill Mills
Sent: Wednesday, July 31, 2013 2:50 PM
To: Prateek Mishra; Nat Sakimura
Cc: oauth@ietf.org<mailto:oauth@ietf.org> WG
Subject: Re: [OAUTH-WG] Need for Extending OAuth with AuthN (was Re: Fwd: New Version Notification for draft-hunt-oauth-v2-user-a4c-00.txt)

Rather than extending OAuth for something OpenID already does...  why don't we get a simple informational example doc to show how to implement the most basic OpenID service, which is the same functionality on a standard that's already written?

This is sounding more and mor elike a documentation problem.

________________________________
From: Prateek Mishra <prateek.mishra@oracle.com<mailto:prateek.mishra@oracle.com>>
To: Nat Sakimura <sakimura@gmail.com<mailto:sakimura@gmail.com>>
Cc: "oauth@ietf.org WG<mailto:oauth@ietf.org%20WG>" <oauth@ietf.org<mailto:oauth@ietf.org>>
Sent: Wednesday, July 31, 2013 2:38 PM
Subject: [OAUTH-WG] Need for Extending OAuth with AuthN (was Re: Fwd: New Version Notification for draft-hunt-oauth-v2-user-a4c-00.txt)

Nat -

thanks for the detailed response. I did review the links you sent out but it remained unclear to me which
features are MTI and which are not. For example, there is nothing in the Basic Client Profile that suggests
that Section 2.3 is optional. I also could not find any definition for " non-dynamic OpenID Connect Server".

I dont think there is a need to duplicate portions of the draft specification text in a new document. One solution
that was used in SAML 2.0 was to define a conformance document which described several different
operational modes and explained how only a small set of features needed to be implemented in certain modes.

http://docs.oasis-open.org/security/saml/v2.0/saml-conformance-2.0-os.pdf

There are probably other smarter ways to achieve the same effect.

Given this situation, I do think its a reasonable task for the OAuth community to consider the need for
a minimal extension to OAuth that accommodates authentication. The community should be made aware that
RFC 6749 is being misused for federated authentication, as explained in  -

http://www.independentid.com/2013/07/simple-authentication-for-oauth-2-what.html

and that there doesn't appear to be a simple solution that is currently available. It would be great if it turned
out that OpenID Connect offered such a solution but that isn't clear to me.

Thx,
prateek


Inline:
2013/7/31 Prateek Mishra <prateek.mishra@oracle.com<mailto:prateek.mishra@oracle.com>>
Nat -

your blog posting is helpful to those of us who are looking for a minimal extension of OAuth with
an authenticator.  Many implementors are seeking a modest extension of OAuth, not an entire new protocol
stack.   I believe that is the point of Phil Hunt's proposal to the OAuth committee.

I do have some questions for about the statements made in the blog -

A) Can you direct me to a single OpenID Connect draft specification document where steps 1 and 2 are described?

Actually, it is not a single spec, that the Standard is referencing others.
The Standard is kind of cluttered because it has 6 response types and three request types in it.
I suppose it would be much easier for the readers to split them into coherent pieces, though that means duplicate texts.

The easiest approach here is to read the Basic Client Profile. http://openid.net/specs/openid-connect-basic-1_0-28.html
Then, read OAuth 2.0 Multiple Response Type Encoding Practices http://openid.net/specs/oauth-v2-multiple-response-types-1_0-08.html .


B) If I implement steps 1 and 2, do I then have a conformant OpenID Connect implementation? Are there no
other MTI protocol exchanges in OpenID Connect?

Yes, for a non-dynamic OpenID Connect Server.

Nat


Thanks,
prateek




I have written a short blog post titled "Write an OpenID Connect server in three simple steps<http://nat.sakimura.org/2013/07/28/write-openid-connect-server-in-three-simple-steps/>".

Really, there is not much you need to on top of OAuth 2.0.

It puzzles me why you need to create a draft with only minor variances in parameter names.

e.g.,
session instead of id_token
lat instead of iat
alv instead of acr
etc.

If you change those parameter names, you will have a conformant profile of OpenID Connect.

Nat

2013/7/31 John Bradley <ve7jtb@ve7jtb.com<mailto:ve7jtb@ve7jtb.com>>
Connect dosen't require a userinfo endpoint.   It is required for interoperability if you are building an open IdP.   For an enterprise type deployment discovery, registration, userifo are all optional.

The server is required to pass the nonce which is equivalent to a request ID through to the JWT if the client sends it in the request.

Justin is correct.

John B.

On 2013-07-30, at 5:30 PM, Phil Hunt <phil.hunt@oracle.com<mailto:phil.hunt@oracle.com>> wrote:


Forgot reply all.

Phil

Begin forwarded message:
From: Phil Hunt <phil.hunt@oracle.com<mailto:phil.hunt@oracle.com>>
Date: 30 July, 2013 17:25:46 GMT+02:00
To: "Richer, Justin P." <jricher@mitre.org<mailto:jricher@mitre.org>>
Subject: Re: [OAUTH-WG] New Version Notification for draft-hunt-oauth-v2-user-a4c-00.txt
The whole point is authn only. Many do not want or need the userinfo endpoint.

Phil

On 2013-07-30, at 17:17, "Richer, Justin P." <jricher@mitre.org<mailto:jricher@mitre.org>> wrote:
What do you mean? You absolutely can implement a compliant OIDC server nearly as simply as this. The things that you're missing I think are necessary for basic interoperable functionality, and are things that other folks using OAuth for authentication have also implemented. Namely:

 - Signing the ID token (OIDC specifies the RS256 flavor of JWS, which is easy to do with JWT). Without a signed and verifiable ID token or equivalent, you're asking for all kinds of token injection problems.
 - Session management requests (max auth age, auth time)
 - Not fall over with other parameters that you don't support (display, prompt, etc).

See here for more information:

 http://openid.net/specs/openid-connect-messages-1_0.html#ServerMTI

Additionally, something that's really important to support is the User Info Endpoint, so you can actually get user profile information beyond just the simple "someone was here" claim -- this was the real value of Facebook Connect from an RP's perspective. Some people will probably want to use SCIM for this, too, and that's fine.

 -- Justin

On Jul 30, 2013, at 10:54 AM, Phil Hunt <phil.hunt@oracle.com<mailto:phil.hunt@oracle.com>>
 wrote:


The oidc specs do not allow this simple an implementation. The spec members have not shown interest in making changes as they say they are too far down the road.

I have tried to make my draft as close as possible to oidc but maybe it shouldn't be clarity wise. I am interested in what the group feels is clearest.

>From an ietf perspective the concern is improper use of the 6749 for authn. Is this a bug or gap we need to address?

Phil

On 2013-07-30, at 16:46, "Richer, Justin P." <jricher@mitre.org<mailto:jricher@mitre.org>> wrote:
>From what I read, you've defined something that uses an OAuth 2 code flow to get an extra token which is specified as a JWT. You named it "session_token" instead of "id_token", and you've left off the User Information Endpoint -- but other than that, this is exactly the Basic Client for OpenID Connect. In other words, if you change the names on things you've got OIDC, but without the capabilities to go beyond a very basic "hey there's a user here" claim. This is the same place that OpenID 2.0 started, and it was very, very quickly extended with SREG, AX, PAPE, and others for it to be useful in the real world of distributed logins. You've also left out discovery and registration which are required for distributed deployments, but I'm guessing that those would be modular components that could be added in (like they are in OIDC).

I've heard complaints that OIDC is complicated, but it's really not. Yes, I agree that the giant stack of documents is intimidating and in my opinion it's a bit of a mess with Messages and Standard split up (but I lost that argument years ago). However, at the core, you've got an OAuth2 authorization server that spits out access tokens and id tokens. The id token is a JWT with some known claims (iss, sub, etc) and is issued along side the access token, and its audience is the *client* and not the *protected resource*. The access token is a regular old access token and its format is undefined (so you can use it with an existing OAuth2 server setup, like we have), and it can be used at the User Info Endpoint to get profile information about the user who authenticated. It could also be used for other services if your AS/IdP protects multiple things.

So I guess what I'm missing is what's the value proposition in this spec when we have something that can do this already? And this doesn't seem to do anything different (apart from syntax changes)?

 -- Justin

On Jul 29, 2013, at 4:14 AM, Phil Hunt <phil.hunt@oracle.com<mailto:phil.hunt@oracle.com>> wrote:


FYI.  I have been noticing a substantial number of sites acting as OAuth Clients using OAuth to authenticate users.

I know several of us have blogged on the issue over the past year so I won't re-hash it here.  In short, many of us recommended OIDC as the correct methodology.

Never-the-less, I've spoken with a number of service providers who indicate they are not ready to make the jump to OIDC, yet they agree there is a desire to support authentication only (where as OIDC does IDP-like services).

This draft is intended as a minimum authentication only specification.  I've tried to make it as compatible as possible with OIDC.

For now, I've just posted to keep track of the issue so we can address at the next re-chartering.

Happy to answer questions and discuss.

Phil

@independentid
www.independentid.com<http://www.independentid.com/>
phil.hunt@oracle.com<mailto:phil.hunt@oracle.com>




Begin forwarded message:


From:internet-drafts@ietf.org<mailto:internet-drafts@ietf.org>
Subject: New Version Notification for draft-hunt-oauth-v2-user-a4c-00.txt
Date:29 July, 2013 9:49:41 AM GMT+02:00
To:Phil Hunt <phil.hunt@yahoo.com<mailto:phil.hunt@yahoo.com>>, Phil Hunt <None@ietfa.amsl.com<mailto:None@ietfa.amsl.com>>, Phil Hunt <>


A new version of I-D, draft-hunt-oauth-v2-user-a4c-00.txt
has been successfully submitted by Phil Hunt and posted to the
IETF repository.

Filename: draft-hunt-oauth-v2-user-a4c
Revision: 00
Title: OAuth 2.0 User Authentication For Client
Creation date: 2013-07-29
Group: Individual Submission
Number of pages: 9
URL:             http://www.ietf.org/internet-drafts/draft-hunt-oauth-v2-user-a4c-00.txt
Status:          http://datatracker.ietf.org/doc/draft-hunt-oauth-v2-user-a4c
Htmlized:        http://tools.ietf.org/html/draft-hunt-oauth-v2-user-a4c-00


Abstract:
  This specification defines a new OAuth2 endpoint that enables user
  authentication session information to be shared with client
  applications.




Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available attools.ietf.org<http://tools.ietf.org/>.

The IETF Secretariat

_______________________________________________
OAuth mailing list
OAuth@ietf.org<mailto:OAuth@ietf.org>
https://www.ietf.org/mailman/listinfo/oauth


_______________________________________________
OAuth mailing list
OAuth@ietf.org<mailto:OAuth@ietf.org>
https://www.ietf.org/mailman/listinfo/oauth


_______________________________________________
OAuth mailing list
OAuth@ietf.org<mailto:OAuth@ietf.org>
https://www.ietf.org/mailman/listinfo/oauth



--
Nat Sakimura (=nat)
Chairman, OpenID Foundation
http://nat.sakimura.org/
@_nat_en



_______________________________________________

OAuth mailing list

OAuth@ietf.org<mailto:OAuth@ietf.org>

https://www.ietf.org/mailman/listinfo/oauth




--
Nat Sakimura (=nat)
Chairman, OpenID Foundation
http://nat.sakimura.org/
@_nat_en


_______________________________________________
OAuth mailing list
OAuth@ietf.org<mailto:OAuth@ietf.org>
https://www.ietf.org/mailman/listinfo/oauth

_______________________________________________
OAuth mailing list
OAuth@ietf.org<mailto:OAuth@ietf.org>
https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email