Re: [OAUTH-WG] Securing APIs with OAuth 2.0

Pete Clark <pete@appmuscle.com> Thu, 01 March 2012 03:14 UTC

References: <B691F720-809F-4A9E-8C8E-6BF98EE68F07@appmuscle.com> <OF00AD6E13.25AA51DD-ON4A2579B4.00101F47-882579B4.00106E50@au1.ibm.com>
In-Reply-To: <OF00AD6E13.25AA51DD-ON4A2579B4.00101F47-882579B4.00106E50@au1.ibm.com>
Message-Id: <5727FEEF-AE93-46F3-813E-27DDD0DAF4F1@appmuscle.com>
From: Pete Clark <pete@appmuscle.com>
Date: Wed, 29 Feb 2012 22:14:46 -0500
To: Shane B Weeden <sweeden@au1.ibm.com>
Cc: "oauth@ietf.org" <oauth@ietf.org>, "oauth-bounces@ietf.org" <oauth-bounces@ietf.org>
Subject: Re: [OAUTH-WG] Securing APIs with OAuth 2.0

Thanks Shane! Would love to check out your product. Can you send a link?

--
Message typed on a tiny keyboard. Forgive me for any typos!

On Feb 29, 2012, at 9:59 PM, Shane B Weeden <sweeden@au1.ibm.com> wrote:

> 1. Yes, client credentials sounds right for what you described. Think of it
> as lightweight b2b authentication in that sense (but two steps - one to get
> a token, and another to use it).
> 2. Can't help you with source - but do have a product-based solution :)
> 3. Absolutely it should for the resource server, but the answer may have the
> same dependency on the implementation you use.
> 
> Regards,
> Shane.
> 
> 
> 
> From:    Pete Clark <pete@appmuscle.com>
> To:    "oauth@ietf.org" <oauth@ietf.org>
> Date:    29/02/2012 06:50 PM
> Subject:    [OAUTH-WG] Securing APIs with OAuth 2.0
> Sent by:    oauth-bounces@ietf.org
> 
> 
> 
> Hey all, I've joined the list because I'd like to use OAuth 2 to implement
> security for a new set of REST APIs I'm developing for a client.  I'm
> coding with PHP, but my questions are more general.  Right now, there will
> be only one web site that uses the APIs, in a server-to-server fashion, and
> currently we don't have a need for a third party application to gain access
> to user data, such that a user would need to authorize that app.  We do,
> however, want to have that ability down the road.  My question is, can I
> still use OAuth 2 in some way to implement our first phase?  From what I've
> read, it seems like the "client credentials" flow is the one I want to use
> for now.  Can someone:
> 
> 1) Confirm that that's what I should use for this first phase?
> 2) Point me to an implementation of this flow (in any language) that I
> could use or port to PHP?  I've found some libraries for php but can't
> really tell, being new, if they offer the "client credentials" flow
> 3) Answer one more question. Will using the client credentials flow now
> allow me to move to one of the user-authorizes-external-app flows down the
> road without having to reimplement or throw away the client credentials
> flow code?
> 
> I apologize for all the questions, but these would really help point me in
> the right direction. Thank you for reading!
> 
> Sincerely,
> Pete
> 
> 
> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
> 
> 
>
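The points in this exchange, worked through in code as an added example that is not part of either message and not any product's or library's code: a token endpoint that implements the client credentials grant (RFC 6749 section 4.4, with the client authenticating by HTTP Basic per section 2.3.1), and a resource server that validates bearer tokens (RFC 6750) without caring which grant produced them. The client id "web-frontend", its secret and scopes, the in-memory CLIENTS and TOKENS stores, and the function names token_endpoint, issue_user_token, basic_auth_header and resource_server_check are all constructed for the example; issue_user_token stands in for what a later authorization-code grant would store, so that the third question (does the resource-server side survive the move to user-delegated flows?) can be checked directly.

```python
"""Added example: an OAuth 2.0 client-credentials token endpoint (RFC 6749 sec. 4.4,
client authenticated with HTTP Basic per sec. 2.3.1) next to a resource server
whose bearer-token check (RFC 6750) does not depend on how the token was issued.
Client IDs, secrets, scopes and the in-memory stores are constructed for the example."""
import base64
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional

# Hypothetical client registry: what the web site received when it was registered.
CLIENTS = {
    "web-frontend": {
        "secret": "s3cr3t-from-registration",
        "scopes": {"orders:read", "orders:write"},
    },
}

@dataclass
class Token:
    client_id: str
    scope: set
    expires_at: float
    subject: Optional[str] = None      # None: no resource owner behind the token
    grant: str = "client_credentials"

TOKENS = {}   # opaque access token -> Token (hypothetical in-memory store)

def basic_auth_header(client_id, secret):
    """What the client sends: Authorization: Basic base64(id:secret). TLS is assumed."""
    raw = ("%s:%s" % (client_id, secret)).encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")

def _parse_basic_auth(header):
    """Return (client_id, secret) from an HTTP Basic header, or None if malformed."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        raw = base64.b64decode(header[6:], validate=True).decode("utf-8")
    except Exception:
        return None
    client_id, sep, secret = raw.partition(":")
    return (client_id, secret) if sep and client_id and secret else None

def token_endpoint(headers, form, now=None):
    """POST /token for grant_type=client_credentials. Returns (status, JSON body)."""
    now = time.time() if now is None else now
    creds = _parse_basic_auth(headers.get("Authorization"))
    if creds is None:
        return 401, {"error": "invalid_client"}
    client_id, secret = creds
    client = CLIENTS.get(client_id)
    # Constant-time comparison so the secret check does not leak timing information;
    # an unknown client and a wrong secret produce the same response.
    if client is None or not hmac.compare_digest(client["secret"], secret):
        return 401, {"error": "invalid_client"}
    if form.get("grant_type") != "client_credentials":
        return 400, {"error": "unsupported_grant_type"}
    # Scope defaults to what the client registered for and can never exceed it.
    requested = set(form.get("scope", "").split()) or set(client["scopes"])
    if not requested <= client["scopes"]:
        return 400, {"error": "invalid_scope"}
    token = secrets.token_urlsafe(32)        # opaque, unguessable bearer token
    TOKENS[token] = Token(client_id, requested, now + 3600)
    return 200, {"access_token": token, "token_type": "Bearer",
                 "expires_in": 3600, "scope": " ".join(sorted(requested))}

def issue_user_token(client_id, subject, scope, now=None):
    """Stand-in for what a later authorization-code grant would store: same token
    table, same shape, but with a user subject. The endpoint itself is not shown."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    TOKENS[token] = Token(client_id, set(scope), now + 3600, subject, "authorization_code")
    return token

def resource_server_check(headers, required_scope, now=None):
    """Bearer-token validation on the API side (RFC 6750). Returns (status, info);
    on failure info is the WWW-Authenticate value the API should send back."""
    now = time.time() if now is None else now
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, 'Bearer realm="api"'
    tok = TOKENS.get(auth[len("Bearer "):])
    if tok is None or tok.expires_at <= now:
        return 401, 'Bearer realm="api", error="invalid_token"'
    if required_scope not in tok.scope:
        return 403, 'Bearer realm="api", error="insufficient_scope", scope="%s"' % required_scope
    # Nothing above depended on tok.grant: client-credentials and user-delegated
    # tokens take the same path; the API can still use subject for authorization.
    return 200, {"client_id": tok.client_id, "subject": tok.subject,
                 "scope": sorted(tok.scope), "grant": tok.grant}
```

Two practical notes. A client-credentials token has no resource owner, so any API route that needs a user must refuse tokens whose subject is None rather than assume one; adding the authorization-code flow later means adding an authorization endpoint and a code-for-token exchange on the authorization server, while resource_server_check stays as it is. The client secret and the bearer token both travel in cleartext inside the request, so this only holds up over TLS; the in-memory stores and the hard-coded secret are for the example only.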