Re: [OAUTH-WG] Confirmation: Call for Adoption of "OAuth Token Introspection" as an OAuth Working Group Item

[Phil Hunt <phil.hunt@oracle.com>]

Thanks everyone for the comments.

It sounds like we have multiple dimensions to introspection features and requirements: 

* there are UMA cases, 
* corporate third-party AS-RS relationships (e.g. the RS chooses a third-party AS), 
* multi-vendor cases, 
* tooling/library cases,

There’s also federation cases. Federated authorization seems like a different problem than federated authentication from a trust perspective.

Another dimension to this is methodology:
1.  Lookup by token / token id / reference
2.  Query by token / token id / reference
3.  Passing standardized information in a standardized token format or token URI.

There may be some complex privacy issues involved as well. For example, in many cases, the desire is to allow authz information *only* the actual content owner / delegator may be intentionally pseudonymous.

I would support first developing a use case document to figure out if there is an appropriate pattern that can satisfy (and simplify) a majority of cases.

Phil

@independentid
www.independentid.com
phil.hunt@oracle.com



On Jul 29, 2014, at 3:24 PM, George Fletcher <gffletch@aol.com> wrote:

> We also have a use case where the AS is provided by a partner and the RS is provided by AOL. Being able to have a standardized way of validating and getting data about the token from the AS would make our implementation much simpler as we can use the same mechanism for all Authorization Servers and not have to implement one off solutions for each AS.
> 
> Thanks,
> George
> 
> On 7/28/14, 8:11 PM, Phil Hunt wrote:
>> Could we have some discussion on the interop cases?
>> 
>> Is it driven by scenarios where AS and resource are separate domains? Or may this be only of interest to specific protocols like UMA?
>> 
>> From a technique principle, the draft is important and sound. I am just not there yet on the reasons for an interoperable standard. 
>> 
>> Phil
>> 
>> On Jul 28, 2014, at 17:00, Thomas Broyer <t.broyer@gmail.com> wrote:
>> 
>>> Yes. This spec is of special interest to the platform we're building for http://www.oasis-eu.org/
>>> 
>>> 
>>> On Mon, Jul 28, 2014 at 7:33 PM, Hannes Tschofenig <hannes.tschofenig@gmx.net> wrote:
>>> Hi all,
>>> 
>>> during the IETF #90 OAuth WG meeting, there was strong consensus in
>>> adopting the "OAuth Token Introspection"
>>> (draft-richer-oauth-introspection-06.txt) specification as an OAuth WG
>>> work item.
>>> 
>>> We would now like to verify the outcome of this call for adoption on the
>>> OAuth WG mailing list. Here is the link to the document:
>>> http://datatracker.ietf.org/doc/draft-richer-oauth-introspection/
>>> 
>>> If you did not hum at the IETF 90 OAuth WG meeting, and have an opinion
>>> as to the suitability of adopting this document as a WG work item,
>>> please send mail to the OAuth WG list indicating your opinion (Yes/No).
>>> 
>>> The confirmation call for adoption will last until August 10, 2014.  If
>>> you have issues/edits/comments on the document, please send these
>>> comments along to the list in your response to this Call for Adoption.
>>> 
>>> Ciao
>>> Hannes & Derek
>>> 
>>> 
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>>> 
>>> 
>>> 
>>> 
>>> -- 
>>> Thomas Broyer
>>> /tɔ.ma.bʁwa.je/
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>> 
>> 
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>