Re: [OAUTH-WG] Confirmation: Call for Adoption of "OAuth 2.0 Token Exchange" as an OAuth Working Group Item

Hannes Tschofenig <hannes.tschofenig@gmx.net> Mon, 11 August 2014 15:41 UTC

Message-ID: <53E8E424.8040106@gmx.net>
Date: Mon, 11 Aug 2014 17:41:24 +0200
From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
To: Brian Campbell <bcampbell@pingidentity.com>, Mike Jones <Michael.Jones@microsoft.com>
References: <53D6896E.1030701@gmx.net> <CA+k3eCTJMAGGwt1xhOKuVrEJpQqUhTjXzUM6gx8f_XgHdXzH_A@mail.gmail.com> <42B66A8B-0F84-4AFC-A29A-2CD043ADFF76@ve7jtb.com> <CA+k3eCRNCvLof9wiNoJ28YAA-z1-xGbwHMOodFt8xqkE5GAU9w@mail.gmail.com> <4E1F6AAD24975D4BA5B16804296739439AE0D742@TK5EX14MBXC293.redmond.corp.microsoft.com> <CA+k3eCSWx1mr-PajhRxvtAYUcuPS+uk5DZkHF8i7RtCWkQW6Zg@mail.gmail.com>
In-Reply-To: <CA+k3eCSWx1mr-PajhRxvtAYUcuPS+uk5DZkHF8i7RtCWkQW6Zg@mail.gmail.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/n5QLbpuQ3eftpsj7E2bHC1rqu1s
Cc: "oauth-chairs@tools.ietf.org" <oauth-chairs@tools.ietf.org>, "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Confirmation: Call for Adoption of "OAuth 2.0 Token Exchange" as an OAuth Working Group Item

Hi Brian,

We should definitely take your work into account, and I recall some other
drafts on the same subject being published some time ago as well.

Adding more co-authors to this working group item makes a lot of sense
to me.

Ciao
Hannes


On 08/11/2014 04:42 PM, Brian Campbell wrote:
> I'd be okay with that as a way forward. Frankly, of course, I'd prefer
> to see draft-campbell-oauth-sts as the starting point with Mike and the
> other draft-jones-oauth-token-exchange authors added as co-authors.
> Regardless, there are elements from both that likely need to end up in
> the final work so a consolidation of authors and concepts makes sense.
> 
> And yes, there are lots of details that the working group will need to
> decide on going forward that we shouldn't get hung up on right now.
> Though I believe that deciding if the token endpoint is used for general
> token exchange is an important philosophical question that should be
> answered first. If the token endpoint is to be used, I strongly believe
> that this token exchange should leverage and work within the constructs
> provided and defined by OAuth. That's the direction I took with
> draft-campbell-oauth-sts and yes that involves overloading the
> access_token response parameter with something that's not always
> strictly an access token. The existing token endpoint request/response
> are already rather close to what one might expect in an STS type
> exchange. I find there's a nice elegant simplicity to it but I also see
> where that discomfort might come from. If there's consensus to not
> use/overload the existing stuff, I think it'd be much more appropriate
> to define a new endpoint. A lot of syntactic stuff likely falls out from
> that decision.