Re: [OAUTH-WG] Grant flow for delegated auth
Brian Campbell <bcampbell@pingidentity.com> Thu, 24 May 2018 16:54 UTC
Return-Path: <bcampbell@pingidentity.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ED67412DA2C for <oauth@ietfa.amsl.com>; Thu, 24 May 2018 09:54:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.906
X-Spam-Level:
X-Spam-Status: No, score=-1.906 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, HTML_OBFUSCATE_10_20=0.093, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=pingidentity.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8ysvfVoXs1V1 for <oauth@ietfa.amsl.com>; Thu, 24 May 2018 09:54:58 -0700 (PDT)
Received: from mail-io0-x243.google.com (mail-io0-x243.google.com [IPv6:2607:f8b0:4001:c06::243]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CDF0F12E6D7 for <oauth@ietf.org>; Thu, 24 May 2018 09:54:57 -0700 (PDT)
Received: by mail-io0-x243.google.com with SMTP id o185-v6so3130743iod.0 for <oauth@ietf.org>; Thu, 24 May 2018 09:54:57 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=pingidentity.com; s=gmail; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=NtixEvU5uz1WD38fT1nqLEHjm7zZUoG488LHFBGpLWw=; b=mxhDCnuSzFUxh0jEdlhA3x6QOgg1+G9TC2qhEnT2sxjQ+ZsXlMI6hXDU1qYNY3su2F nzTAJHwz2lLBMGLkwHtgnO6Vj5lnFGDz/rxO6GeptsHAOrtejCivQWRx2U4hClXk81xF Ndl3DswfsHH8Qv4sX1U6MXgwU/TJJvWfQncbw=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=NtixEvU5uz1WD38fT1nqLEHjm7zZUoG488LHFBGpLWw=; b=uRMevCT9P4O0mlh/qecqpS9FnrAOB7LoNUFbj0Hznh5/H7DUq9JKAfvfsK4nswKijh 92W4MGCFGfh6tPjmFC5IAGp8AqlANoqdklDaSwDqtibP8ZE1Qvx9B9Zr+dYdlU5Dv1zT FTJdnB/jzTqxm43WkJ2kFORRaiFfOrs4tsAXICJVC5iOhb5gV58VPLeq67xH71EKNQ94 7HYPWKQ+8xfCFOXXm+1uopyeHQU9YMDCs2s9EdnJnKcTNvA79P9WkZvzfy11UPa3t5Do C/D6OV5xmoIDDX4WQsq8vhNAKg8gcfI8PVm1QpFroUnb90OO/043BQ6d4Cg678nc4RyY HBeA==
X-Gm-Message-State: ALKqPwf978PVCEhroIEk9tMMWYcaw3xr6gEPeJ/SYoWpJ+f7ITJzgQaV LoGX5VF3WsrZc8GnZXiaolDl2rWDGOoi8gI1dSd+RUEki0/cNm2MAt4lHU9ZD5r2PH1gNUmyzIp C90JDaEyz0UtTNA==
X-Google-Smtp-Source: AB8JxZpqoXGdWvH0nNBiz+64ti1aje4OxXkMtCFh3ItjGAxRune3ktQrT0BJ42zZAeeY0PBK2jcuJLeTbQnVT13ywtk=
X-Received: by 2002:a6b:630d:: with SMTP id p13-v6mr5524849iog.17.1527180896994; Thu, 24 May 2018 09:54:56 -0700 (PDT)
MIME-Version: 1.0
Received: by 2002:a02:144a:0:0:0:0:0 with HTTP; Thu, 24 May 2018 09:54:26 -0700 (PDT)
In-Reply-To: <CADR0UcVJk+rCdmOHKbmvQN_Paa8OjX-nnTKFoZ0g2GGfBOZQVQ@mail.gmail.com>
References: <CADR0UcVJk+rCdmOHKbmvQN_Paa8OjX-nnTKFoZ0g2GGfBOZQVQ@mail.gmail.com>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Thu, 24 May 2018 10:54:26 -0600
Message-ID: <CA+k3eCSNJ0+2WaLrB0kQ4cfWdQCQaKcndSb64DCr40sHBq6hAw@mail.gmail.com>
To: Sergey Ponomarev <stokito@gmail.com>
Cc: oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000dfcbb2056cf682d7"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/lgJWsVAyJx9E1w8NuXNOG0JyN04>
Subject: Re: [OAUTH-WG] Grant flow for delegated auth
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 24 May 2018 16:55:00 -0000
Take a look at RFC 7523 <https://tools.ietf.org/html/rfc7523>'s JWT Authorization Grant. On Thu, May 24, 2018 at 1:17 AM, Sergey Ponomarev <stokito@gmail.com> wrote: > Hi, > > My Auth Server (AS) implementation has a client (server of another > platform) which makes authorization on it's side but it needs to populate > user info to my AS and receive an access token to work with my my platform. > What I mean that they need just login user to my platform but without > user's credentials. > So user's credentials are on client side but session management (login, > logout) on my platform's side. As I understood, this is something similar > to federation. > > We can't use a Password Grant Flow in this case because the client will > not send a user's password. Also my AS needs some basic use info and > instead of pulling a user info from AS the client push it. > I going to introduce and implement a new grant flow, let's call it > "delegated" and it looks similar to Password grant flow but without user's > password and it receives id_token with user's info. > POST request to Token Endpoint with form params: grant_type=delegated,c > lient_id,client_secret,username,scope and id_token: > > curl -X POST \ > https://authserver/oauth/token \ > -H 'Content-Type: application/x-www-form-urlencoded' \ > -d 'grant_type=delegated&client_id=acme&client_secret= > acmesecret&username=user&scope=openid&id_token= > eyJraWQiOiIxZTlnZGs3IiwiYWxnIjoiUlMyNTYifQ.ewogImlz% > 0AcyI6ICJodHRwOi8vc2VydmVyLmV4YW1wbGUuY29tIiwKICJzdWIiOiAiMjQ4% > 0AMjg5NzYxMDAxIiwKICJhdWQiOiAiczZCaGRSa3F0MyIsCiAibm9uY2UiOiAi% > 0Abi0wUzZfV3pBMk1qIiwKICJleHAiOiAxMzExMjgxOTcwLAogImlhdCI6IDEz% > 0AMTEyODA5NzAsCiAibmFtZSI6ICJKYW5lIERvZSIsCiAiZ2l2ZW5fbmFtZSI6% > 0AICJKYW5lIiwKICJmYW1pbHlfbmFtZSI6ICJEb2UiLAogImdlbmRlciI6ICJm% > 0AZW1hbGUiLAogImJpcnRoZGF0ZSI6ICIwMDAwLTEwLTMxIiwKICJlbWFpbCI6% > 0AICJqYW5lZG9lQGV4YW1wbGUuY29tIiwKICJwaWN0dXJlIjogImh0dHA6Ly9l% > 0AeGFtcGxlLmNvbS9qYW5lZG9lL21lLmpwZyIKfQ.rHQjEmBqn9Jre0OLykYNn% > 0AspA10Qql2rvx4FsD00jwlB0Sym4NzpgvPKsDjn_wMkHxcp6CilPcoKrWHcip% > 0AR2iAjzLvDNAReF97zoJqq880ZD1bwY82JDauCXELVR9O6_B0w3K-E7yM2mac% > 0AAAgNCUwtik6SjoSUZRcf-O5lygIyLENx882p6MtmwaL1hd6qn5R > ZOQ0TLrOY%0Au0532g9Exxcm-ChymrB4xLykpDj3lUivJt63eEGGN6DH5K6o33TcxkIjNrCD% > 0A4XB1CKKumZvCedgHHF3IAK4dVEDSUoGlH9z4pP_eWYNXvqQOjGs- > rDaQzUHl%0A6cQQWNiDpWOl_lxXjQEvQ' > > And response contains access_token. > > So my question is: maybe something similar already exists in specification? > If no, then what usually used in this case? > > Regards, > Sergey Ponomarev <https://linkedin.com/in/stokito> > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth > > -- _CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited. If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you._
- [OAUTH-WG] Grant flow for delegated auth Sergey Ponomarev
- Re: [OAUTH-WG] Grant flow for delegated auth Brian Campbell