Re: [OAUTH-WG] Securing APIs with OAuth 2.0
Pete Clark <pete@appmuscle.com> Thu, 01 March 2012 03:14 UTC
References: <B691F720-809F-4A9E-8C8E-6BF98EE68F07@appmuscle.com> <OF00AD6E13.25AA51DD-ON4A2579B4.00101F47-882579B4.00106E50@au1.ibm.com>
In-Reply-To: <OF00AD6E13.25AA51DD-ON4A2579B4.00101F47-882579B4.00106E50@au1.ibm.com>
Message-Id: <5727FEEF-AE93-46F3-813E-27DDD0DAF4F1@appmuscle.com>
From: Pete Clark <pete@appmuscle.com>
Date: Wed, 29 Feb 2012 22:14:46 -0500
To: Shane B Weeden <sweeden@au1.ibm.com>
Cc: "oauth@ietf.org" <oauth@ietf.org>, "oauth-bounces@ietf.org" <oauth-bounces@ietf.org>
Subject: Re: [OAUTH-WG] Securing APIs with OAuth 2.0
List-Id: OAUTH WG <oauth.ietf.org>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
Thanks Shane! Would love to check out your product. Can you send a link?

-- 
Message typed on a tiny keyboard. Forgive me for any typos!

On Feb 29, 2012, at 9:59 PM, Shane B Weeden <sweeden@au1.ibm.com> wrote:

> 1. Yes, client credentials sounds right for what you described. Think of it
> as lightweight b2b authentication in that sense (but two steps - one to get
> a token, and another to use it).
> 2. Can't help you with source - but do have a product-based solution :)
> 3. Absolutely it should for the resource server, but the answer may depend
> on the implementation you use.
>
> Regards,
> Shane.
>
>
> From: Pete Clark <pete@appmuscle.com>
> To: "oauth@ietf.org" <oauth@ietf.org>
> Date: 29/02/2012 06:50 PM
> Subject: [OAUTH-WG] Securing APIs with OAuth 2.0
> Sent by: oauth-bounces@ietf.org
>
> Hey all, I've joined the list because I'd like to use OAuth 2 to implement
> security for a new set of REST APIs I'm developing for a client. I'm
> coding with PHP, but my questions are more general. Right now, there will
> be only one web site that uses the APIs, in a server-to-server fashion, and
> currently we don't have a need for a third party application to gain access
> to user data, such that a user would need to authorize that app. We do,
> however, want to have that ability down the road. My question is, can I
> still use OAuth 2 in some way to implement our first phase? From what I've
> read, it seems like the "client credentials" flow is the one I want to use
> for now. Can someone:
>
> 1) Confirm that that's what I should use for this first phase?
> 2) Point me to an implementation of this flow (in any language) that I
> could use or port to PHP? I've found some libraries for php but can't
> really tell, being new, if they offer the "client credentials" flow
> 3) Answer one more question.. Will using the client credentials flow now
> allow me to move to one of the user-authorizes-external-app flows down the
> road without having to reimplement or throw away the client credentials
> flow code?
>
> I apologize for all the questions, but these would really help point me in
> the right direction.. Thank you for reading!
>
> Sincerely,
> Pete
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
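The two-step flow Shane describes (one request to get a token, a second to use it) and the point that the resource server only ever checks the bearer token, which is what lets the client-credentials code survive a later move to a user-authorizing grant, are shown below as an added, in-process example written for this page. It is not code from either poster, from any product, or from an OAuth library; Pete asked for "any language", so it is in Python rather than PHP. The client id `site-backend`, its secret, the `orders:read`/`orders:write` scopes and the `/token` and `/orders` endpoints are all invented for the illustration, and the authorization server's token store and introspection call stand in for whatever database or introspection endpoint a real deployment would use.

```python
"""OAuth 2.0 client-credentials grant (RFC 6749 section 4.4) modelled in-process:
an authorization server token endpoint, a resource server that checks bearer
tokens, and a client that performs the two steps. Added illustration for this
thread, not code from any poster or product; all ids, secrets, scopes and
endpoint names below are invented for the example."""
import base64
import hashlib
import hmac
import secrets
import time

# Hypothetical registered client (the web site calling the API server-to-server).
# Only a hash of the secret is stored; the token endpoint compares hashes.
CLIENTS = {
    "site-backend": {
        "secret_sha256": hashlib.sha256(b"s3cr3t-example").hexdigest(),
        "allowed_scopes": {"orders:read", "orders:write"},
    }
}
TOKEN_TTL = 3600  # seconds; short-lived tokens limit the damage of a leak


class AuthorizationServer:
    def __init__(self):
        self.tokens = {}  # opaque token -> metadata; a DB in a real deployment

    def token_endpoint(self, headers, form, now=None):
        """POST /token. Returns (status, body) shaped like RFC 6749 sections 5.1/5.2."""
        now = now or time.time()
        # Client authentication: HTTP Basic with client_id:client_secret (section 2.3.1)
        auth = headers.get("Authorization", "")
        if not auth.startswith("Basic "):
            return 401, {"error": "invalid_client"}
        try:
            client_id, _, secret = base64.b64decode(auth[6:]).decode().partition(":")
        except Exception:
            return 401, {"error": "invalid_client"}
        client = CLIENTS.get(client_id)
        given = hashlib.sha256(secret.encode()).hexdigest()
        # Constant-time compare of the hashes; same error whether id or secret is wrong
        if client is None or not hmac.compare_digest(given, client["secret_sha256"]):
            return 401, {"error": "invalid_client"}
        if form.get("grant_type") != "client_credentials":
            return 400, {"error": "unsupported_grant_type"}
        requested = set(form.get("scope", "").split()) or client["allowed_scopes"]
        if not requested <= client["allowed_scopes"]:
            return 400, {"error": "invalid_scope"}
        token = secrets.token_urlsafe(32)  # opaque, unguessable bearer token
        # No resource owner in this grant, so the subject is the client itself.
        # A later authorization-code grant would store a user id in "sub" instead;
        # nothing else about the token record or its validation has to change.
        self.tokens[token] = {"client_id": client_id, "sub": client_id,
                              "scope": requested, "exp": now + TOKEN_TTL}
        return 200, {"access_token": token, "token_type": "Bearer",
                     "expires_in": TOKEN_TTL, "scope": " ".join(sorted(requested))}

    def introspect(self, token, now=None):
        """Lookup the resource server relies on: live token and its metadata, or None."""
        meta = self.tokens.get(token)
        if meta is None or (now or time.time()) >= meta["exp"]:
            return None
        return meta


class ResourceServer:
    def __init__(self, auth_server):
        self.auth_server = auth_server

    def get_orders(self, headers, now=None):
        """GET /orders. Checks only the bearer token and its scope; it never sees
        the client secret and does not care which grant produced the token."""
        auth = headers.get("Authorization", "")
        if not auth.startswith("Bearer "):
            return 401, {"error": "invalid_token"}
        meta = self.auth_server.introspect(auth[7:], now)
        if meta is None:
            return 401, {"error": "invalid_token"}
        if "orders:read" not in meta["scope"]:
            return 403, {"error": "insufficient_scope"}
        return 200, {"orders": ["o-1", "o-2"], "on_behalf_of": meta["sub"]}


def basic_auth(client_id, secret):
    return "Basic " + base64.b64encode(f"{client_id}:{secret}".encode()).decode()


def run_flow(client_id="site-backend", secret="s3cr3t-example", now=None):
    """Step 1: obtain a token. Step 2: present it to the API. Returns both results."""
    auth_server = AuthorizationServer()
    api = ResourceServer(auth_server)
    status, body = auth_server.token_endpoint(
        {"Authorization": basic_auth(client_id, secret)},
        {"grant_type": "client_credentials", "scope": "orders:read"}, now)
    if status != 200:
        return status, body, None
    api_status, api_body = api.get_orders(
        {"Authorization": "Bearer " + body["access_token"]}, now)
    return status, body, (api_status, api_body)


if __name__ == "__main__":
    print(run_flow())
    print(run_flow(secret="wrong"))
```

Two design points worth noting: the resource server validates tokens through a single lookup that is independent of the grant type, so adding an authorization-code flow later only changes what the authorization server records in `sub` and `scope`; and the token endpoint returns the same `invalid_client` error for an unknown id and a wrong secret, using a constant-time comparison of the hashed secret rather than the raw value.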