Re: [OAUTH-WG] Concerning OAuth introspection
Anthony Nadalin <tonynad@microsoft.com> Wed, 23 January 2013 17:23 UTC
Return-Path: <tonynad@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 431AC21F85D4 for <oauth@ietfa.amsl.com>; Wed, 23 Jan 2013 09:23:23 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.533
X-Spam-Level:
X-Spam-Status: No, score=0.533 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, UNRESOLVED_TEMPLATE=3.132]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CMxdqE6JIDdP for <oauth@ietfa.amsl.com>; Wed, 23 Jan 2013 09:23:22 -0800 (PST)
Received: from na01-bl2-obe.outbound.protection.outlook.com (na01-bl2-obe.ptr.protection.outlook.com [65.55.169.23]) by ietfa.amsl.com (Postfix) with ESMTP id 72D8B21F85C3 for <oauth@ietf.org>; Wed, 23 Jan 2013 09:23:22 -0800 (PST)
Received: from BL2FFO11FD013.protection.gbl (10.173.161.202) by BL2FFO11HUB021.protection.gbl (10.173.161.45) with Microsoft SMTP Server (TLS) id 15.0.596.13; Wed, 23 Jan 2013 17:23:14 +0000
Received: from TK5EX14HUBC107.redmond.corp.microsoft.com (131.107.125.37) by BL2FFO11FD013.mail.protection.outlook.com (10.173.160.221) with Microsoft SMTP Server (TLS) id 15.0.596.13 via Frontend Transport; Wed, 23 Jan 2013 17:23:14 +0000
Received: from CO9EHSOBE029.bigfish.com (157.54.51.113) by mail.microsoft.com (157.54.80.67) with Microsoft SMTP Server (TLS) id 14.2.318.3; Wed, 23 Jan 2013 17:22:58 +0000
Received: from mail58-co9-R.bigfish.com (10.236.132.254) by CO9EHSOBE029.bigfish.com (10.236.130.92) with Microsoft SMTP Server id 14.1.225.23; Wed, 23 Jan 2013 17:21:50 +0000
Received: from mail58-co9 (localhost [127.0.0.1]) by mail58-co9-R.bigfish.com (Postfix) with ESMTP id BF1C6380130 for <oauth@ietf.org.FOPE.CONNECTOR.OVERRIDE>; Wed, 23 Jan 2013 17:21:50 +0000 (UTC)
X-Forefront-Antispam-Report-Untrusted: CIP:157.56.240.21; KIP:(null); UIP:(null); (null); H:BL2PRD0310HT005.namprd03.prod.outlook.com; R:internal; EFV:INT
X-SpamScore: -20
X-BigFish: PS-20(zzbb2dI98dI9371Id6eah542I1432Izz1ee6h1de0h1202h1e76h1d1ah1d2ah1082kzz1033IL8275dhz31h2a8h668h839h945hd24hf0ah1288h12a5h12a9h12bdh137ah13b6h1441h1504h1537h153bh162dh1631h1758h18e1h9a9j1155h)
Received-SPF: softfail (mail58-co9: transitioning domain of microsoft.com does not designate 157.56.240.21 as permitted sender) client-ip=157.56.240.21; envelope-from=tonynad@microsoft.com; helo=BL2PRD0310HT005.namprd03.prod.outlook.com ; .outlook.com ;
X-Forefront-Antispam-Report-Untrusted: SFV:SKI; SFS:; DIR:OUT; SFP:; SCL:-1; SRVR:BY2PR03MB042; H:BY2PR03MB041.namprd03.prod.outlook.com; LANG:en;
Received: from mail58-co9 (localhost.localdomain [127.0.0.1]) by mail58-co9 (MessageSwitch) id 1358961707729033_16687; Wed, 23 Jan 2013 17:21:47 +0000 (UTC)
Received: from CO9EHSMHS011.bigfish.com (unknown [10.236.132.252]) by mail58-co9.bigfish.com (Postfix) with ESMTP id A55205C004C; Wed, 23 Jan 2013 17:21:47 +0000 (UTC)
Received: from BL2PRD0310HT005.namprd03.prod.outlook.com (157.56.240.21) by CO9EHSMHS011.bigfish.com (10.236.130.21) with Microsoft SMTP Server (TLS) id 14.1.225.23; Wed, 23 Jan 2013 17:21:46 +0000
Received: from BY2PR03MB042.namprd03.prod.outlook.com (10.255.241.146) by BL2PRD0310HT005.namprd03.prod.outlook.com (10.255.97.40) with Microsoft SMTP Server (TLS) id 14.16.257.4; Wed, 23 Jan 2013 17:21:43 +0000
Received: from BY2PR03MB041.namprd03.prod.outlook.com (10.255.241.145) by BY2PR03MB042.namprd03.prod.outlook.com (10.255.241.146) with Microsoft SMTP Server (TLS) id 15.0.601.3; Wed, 23 Jan 2013 17:21:35 +0000
Received: from BY2PR03MB041.namprd03.prod.outlook.com ([169.254.9.209]) by BY2PR03MB041.namprd03.prod.outlook.com ([169.254.9.209]) with mapi id 15.00.0601.000; Wed, 23 Jan 2013 17:21:17 +0000
From: Anthony Nadalin <tonynad@microsoft.com>
To: Justin Richer <jricher@mitre.org>
Thread-Topic: [OAUTH-WG] Concerning OAuth introspection
Thread-Index: AQHN+NM+tPsrUD5ZNEKigQoex6SLPZhWGdUAgAD2SICAABhS8IAAATIAgAAAnxA=
Date: Wed, 23 Jan 2013 17:21:16 +0000
Message-ID: <9a1d3f9d095e4f14b55ff99c9cf1799e@BY2PR03MB041.namprd03.prod.outlook.com>
References: <CAHA4TYtCG+o0AZzh9e-3nb6gKLaWFeJuQfBxHVmUDH5Aj+TdpQ@mail.gmail.com> <50FEE1BF.5050200@mitre.org> <-6134323107835063788@unknownmsgid> <510005F5.6000004@mitre.org> <4a060479b5374e8ba58d3c9e1b15d917@BY2PR03MB041.namprd03.prod.outlook.com> <51001B5C.80407@mitre.org>
In-Reply-To: <51001B5C.80407@mitre.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.255.156.132]
Content-Type: text/plain; charset="iso-2022-jp"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OrganizationHeadersPreserved: BY2PR03MB042.namprd03.prod.outlook.com
X-FOPE-CONNECTOR: Id%0$Dn%*$RO%0$TLS%0$FQDN%$TlsDn%
X-FOPE-CONNECTOR: Id%59$Dn%GMAIL.COM$RO%2$TLS%6$FQDN%131.107.125.5$TlsDn%
X-FOPE-CONNECTOR: Id%59$Dn%IETF.ORG$RO%2$TLS%6$FQDN%131.107.125.5$TlsDn%
X-FOPE-CONNECTOR: Id%59$Dn%MITRE.ORG$RO%2$TLS%6$FQDN%131.107.125.5$TlsDn%
X-CrossPremisesHeadersPromoted: TK5EX14HUBC107.redmond.corp.microsoft.com
X-CrossPremisesHeadersFiltered: TK5EX14HUBC107.redmond.corp.microsoft.com
X-Forefront-Antispam-Report: CIP:131.107.125.37; CTRY:US; IPV:CAL; IPV:NLI; EFV:NLI; SFV:NSPM; SFS:(51704002)(13464002)(479174001)(24454001)(199002)(189002)(377454001)(47736001)(33646001)(47976001)(6806001)(50986001)(56776001)(79102001)(56816002)(51856001)(76482001)(59766001)(53806001)(23736001)(5343655001)(49866001)(50466001)(47776002)(74502001)(47446002)(44976002)(74662001)(46102001)(4396001)(550184003)(54316002)(54356001)(77982001)(16676001)(31966008)(6816006)(42262001)(24736002); DIR:OUT; SFP:; SCL:1; SRVR:BL2FFO11HUB021; H:TK5EX14HUBC107.redmond.corp.microsoft.com; RD:; A:1; MX:1; LANG:en;
X-OriginatorOrg: microsoft.onmicrosoft.com
X-Forefront-PRVS: 073515755F
Cc: Shiu Fun Poon <shiufunpoon@gmail.com>, "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Concerning OAuth introspection
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 23 Jan 2013 17:23:23 -0000
Registration has to work in a multi-tenant environment so flexibility is needed -----Original Message----- From: Justin Richer [mailto:jricher@mitre.org] Sent: Wednesday, January 23, 2013 9:18 AM To: Anthony Nadalin Cc: Nat Sakimura; Shiu Fun Poon; oauth@ietf.org Subject: Re: [OAUTH-WG] Concerning OAuth introspection Because then nobody would know how to actually use the thing. In my opinion, this is a key place where this kind of flexibility is a very bad thing. Registration needs to work one fairly predictable way. -- Justin On 01/23/2013 12:14 PM, Anthony Nadalin wrote: > Why not just have a physical and logical endpoint options > > -----Original Message----- > From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf > Of Justin Richer > Sent: Wednesday, January 23, 2013 7:47 AM > To: Nat Sakimura > Cc: Shiu Fun Poon; oauth@ietf.org > Subject: Re: [OAUTH-WG] Concerning OAuth introspection > > Which brings up an interesting question for the Registration doc: right now, it's set up as a single endpoint with three operations. We could instead define three endpoints for the different operations. > > I've not been keen to make that deep of a cutting change to it, but it would certainly be cleaner and more RESTful API design. What do others think? > > -- Justin > > > On 01/22/2013 08:05 PM, Nat Sakimura wrote: >> "Action" goes against REST principle. >> I do not think it is a good idea. >> >> =nat via iPhone >> >> Jan 23, 2013 4:00、Justin Richer <jricher@mitre.org> のメッセージ: >> >>> (CC'ing the working group) >>> >>> I'm not sure what the "action/operation" flag would accomplish. The idea behind having different endpoints in OAuth is that they each do different kinds of things. The only "action/operation" that I had envisioned for the introspection endpoint is introspection itself: "I have a token, what does it mean?" >>> >>> Note that client_id and client_secret *can* already be used at this endpoint if the server supports that as part of their client credentials setup. The examples use HTTP Basic with client id and secret right now. Basically, the client can authenticate however it wants, including any of the methods that OAuth2 allows on the token endpoint. It could also authenticate with an access token. At least, that's the intent of the introspection draft -- if that's unclear, I'd be happy to accept suggested changes to clarify this text. >>> >>> -- Justin >>> >>> On 01/22/2013 01:00 PM, Shiu Fun Poon wrote: >>>> Justin, >>>> >>>> This spec is looking good.. >>>> >>>> One thing I would like to recommend is to add "action"/"operation" >>>> to the request. (and potentially add client_id and client_secret) >>>> >>>> So the request will be like : >>>> token REQUIRED >>>> operation (wording to be determine) OPTIONAL inquire (default) | revoke ... >>>> resource_id OPTIONAL >>>> client_id OPTIONAL >>>> client_secret OPTIONAL >>>> >>>> And for the OAuth client information, it should be an optional parameter (in case it is a public client or client is authenticated with SSL mutual authentication). >>>> >>>> Please consider. >>>> >>>> ShiuFun >>> _______________________________________________ >>> OAuth mailing list >>> OAuth@ietf.org >>> https://www.ietf.org/mailman/listinfo/oauth > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth > > >
- Re: [OAUTH-WG] Concerning OAuth introspection Justin Richer
- Re: [OAUTH-WG] Concerning OAuth introspection Nat Sakimura
- Re: [OAUTH-WG] Concerning OAuth introspection Justin Richer
- Re: [OAUTH-WG] Concerning OAuth introspection Justin Richer
- Re: [OAUTH-WG] Concerning OAuth introspection Sergey Beryozkin
- Re: [OAUTH-WG] Concerning OAuth introspection Anthony Nadalin
- Re: [OAUTH-WG] Concerning OAuth introspection Eve Maler
- Re: [OAUTH-WG] Concerning OAuth introspection Justin Richer
- Re: [OAUTH-WG] Concerning OAuth introspection Anthony Nadalin
- Re: [OAUTH-WG] Concerning OAuth introspection Justin Richer
- Re: [OAUTH-WG] Concerning OAuth introspection Eve Maler
- Re: [OAUTH-WG] Concerning OAuth introspection Eve Maler
- Re: [OAUTH-WG] Concerning OAuth introspection Justin Richer
- Re: [OAUTH-WG] Concerning OAuth introspection Mike Jones
- Re: [OAUTH-WG] Concerning OAuth introspection Anthony Nadalin
- Re: [OAUTH-WG] Concerning OAuth introspection Justin Richer
- Re: [OAUTH-WG] Concerning OAuth introspection Todd W Lainhart
- Re: [OAUTH-WG] Concerning OAuth introspection Phil Hunt
- Re: [OAUTH-WG] Concerning OAuth introspection Eve Maler
- Re: [OAUTH-WG] Concerning OAuth introspection Justin Richer
- Re: [OAUTH-WG] Concerning OAuth introspection Sergey Beryozkin
- Re: [OAUTH-WG] Concerning OAuth introspection Sergey Beryozkin
- Re: [OAUTH-WG] Concerning OAuth introspection Justin Richer
- Re: [OAUTH-WG] Concerning OAuth introspection Brian Campbell
- Re: [OAUTH-WG] Concerning OAuth introspection Sergey Beryozkin
- Re: [OAUTH-WG] Concerning OAuth introspection Justin Richer
- Re: [OAUTH-WG] Concerning OAuth introspection John Bradley
- Re: [OAUTH-WG] Concerning OAuth introspection Justin Richer
- Re: [OAUTH-WG] Concerning OAuth introspection Mike Jones
- Re: [OAUTH-WG] Concerning OAuth introspection Sergey Beryozkin
- Re: [OAUTH-WG] Concerning OAuth introspection Anthony Nadalin
- Re: [OAUTH-WG] Concerning OAuth introspection Mike Jones
- Re: [OAUTH-WG] Concerning OAuth introspection Justin Richer
- Re: [OAUTH-WG] Concerning OAuth introspection Sergey Beryozkin
- Re: [OAUTH-WG] Concerning OAuth introspection Justin Richer
- Re: [OAUTH-WG] Concerning OAuth introspection Sergey Beryozkin
- Re: [OAUTH-WG] Concerning OAuth introspection John Bradley
- Re: [OAUTH-WG] Concerning OAuth introspection Phil Hunt