Re: [OAUTH-WG] Confirmation: Call for Adoption of "OAuth 2.0 Token Exchange" as an OAuth Working Group Item

Hannes Tschofenig <> Mon, 11 August 2014 15:41 UTC


Hi Brian,

We should definitely take your work into account and I recall some other
drafts on the same subject being published some time ago as well.

Adding more co-authors to this working group item makes a lot of sense
to me.


On 08/11/2014 04:42 PM, Brian Campbell wrote:
> I'd be okay with that as a way forward. Frankly, of course, I'd prefer
> to see draft-campbell-oauth-sts as the starting point with Mike and the
> other draft-jones-oauth-token-exchange authors added as co-authors.
> Regardless, there are elements from both that likely need to end up in
> the final work so a consolidation of authors and concepts makes sense.
> And yes, there are lots of details that the working group will need to
> decide on going forward that we shouldn't get hung up on right now.
> Though I believe that deciding if the token endpoint is used for general
> token exchange is an important philosophical question that should be
> answered first. If the token endpoint is to be used, I strongly believe
> that this token exchange should leverage and work within the constructs
> provided and defined by OAuth. That's the direction I took with
> draft-campbell-oauth-sts and yes that involves overloading the
> access_token response parameter with something that's not always
> strictly an access token. The existing token endpoint request/response
> are already rather close to what one might expect in an STS type
> exchange. I find there's a nice elegant simplicity to it but I also see
> where that discomfort might come from. If there's consensus to not
> use/overload the existing stuff, I think it'd be much more appropriate
> to define a new endpoint. A lot of syntactic stuff likely falls out from
> that decision.