[oauth] draft-dehora-farrell-oauth-accesstoken-creds-00.txt and OAUTH Extensions in the Charter
"Hannes Tschofenig" <Hannes.Tschofenig@gmx.net> Mon, 16 February 2009 20:48 UTC
Return-Path: <Hannes.Tschofenig@gmx.net>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 0BFBA3A6BCB for <oauth@core3.amsl.com>; Mon, 16 Feb 2009 12:48:00 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.454
X-Spam-Level:
X-Spam-Status: No, score=-1.454 tagged_above=-999 required=5 tests=[AWL=-0.714, BAYES_20=-0.74]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id P1GmIzsvWGwO for <oauth@core3.amsl.com>; Mon, 16 Feb 2009 12:47:59 -0800 (PST)
Received: from mail.gmx.net (mail.gmx.net [213.165.64.20]) by core3.amsl.com (Postfix) with SMTP id 93A6A3A6954 for <oauth@ietf.org>; Mon, 16 Feb 2009 12:47:50 -0800 (PST)
Received: (qmail invoked by alias); 16 Feb 2009 19:51:17 -0000
Received: from a91-154-108-144.elisa-laajakaista.fi (EHLO 4FIL42860) [91.154.108.144] by mail.gmx.net (mp069) with SMTP; 16 Feb 2009 20:51:17 +0100
X-Authenticated: #29516787
X-Provags-ID: V01U2FsdGVkX1/Vy3gx2HLVq9w5WaRBrHT1XmYcU30/dgG8R9vJ6Z Nfhv5Fv79t+2oN
From: Hannes Tschofenig <Hannes.Tschofenig@gmx.net>
To: oauth@ietf.org
Date: Mon, 16 Feb 2009 21:52:10 +0200
Message-ID: <009e01c99070$11d33100$0201a8c0@nsnintra.net>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Office Outlook 11
X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2900.3350
Thread-Index: AcmQcA387rU+CCmsTHyQ0lQ7pueWAw==
X-Y-GMX-Trusted: 0
X-FuHaFi: 0.58
Subject: [oauth] draft-dehora-farrell-oauth-accesstoken-creds-00.txt and OAUTH Extensions in the Charter
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Oauth bof discussion <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 16 Feb 2009 20:48:00 -0000
Stephen ask me how their document
draft-dehora-farrell-oauth-accesstoken-creds-00.txt is reflected in the
charter text.
Independent of this particular document, I believe that we should focus our
initial efforts on the Base OAUTH specification rather than working on
extensions. As such, I would say that (depending on the progress of the work
with the main specification) we should discuss extensions in the summer
timeframe.
Regarding this specific extension: I read through
draft-dehora-farrell-oauth-accesstoken-creds-00.txt and wanted to make sure
that I understood the extension correctly. Here is a message flow that Jeff
created some time ago. This document suggests to skip the message exchanges
marked as (2.*). This means that the redirect from the Service Provider to
the Customer and the subsequent steps of user authentication and
authorization are replaced with the ability to carry some username/password
in the Access token when the Consumer sends the request to the Service
Provider.
photos.example.net
+----------+
| |
| OAuth |
printer.example.com | Service |
+--------+ | Provider |
| | | |
| OAuth | |[protected|
|Consumer| |resources]|
+----+ | | | |
| UA | | [RP] | | [SP] |
+-+--+ +---+----+ +----+-----+
| | |
| 1.0. User Agent inter-| |
| acts with Consumer | |
| site [optional] | |
|<--------------------->| |
| | |
| | |
| | |
| 1.1. UA informs/directs |
| Consumer to do something |
| with a resource (photo) |
| at SP | |
|---------------------->| |
| | |
| | |
| | |
| | 1.2. Consumer attempts
| | accessing photo at SP|
| |--------------------->|
| | |
| | |
| | 1.3. SP replies with |
| | a HTTP 401 containing|
| | a "OAuth" www-authn |
| | header field |
| |<---------------------|
| | |
| | |
| | 1.4. Consumer replies|
| | with a request for |
| | "unauthorized Request|
| | Token" (uRT) via POST|
| | to SP's "request token
| | URL" |
| |--------------------->|
| | |
| | |
| | 1.5. SP issues uRT & |
| | token secret to |
| | Consumer. |
| |<---------------------|
| | |
| | |
| | |
| 2.0. Consumer redirects |
| UA to SP "User Author-| |
| ization URL" including| |
| the uRT. | |
+<- - - - - - - - - - - - | |
. | (indirected via UA) | |
. | | |
+-------------------------+--------------------->|
| | |
| | |
| | |
| | |
| 2.2. User authenticates with the Service |
| Provider (optional methods vary, realization |
| is out of scope) |
|<============================================>|
| 2.3. User grants or declines permission |
| for the Service Provider allow Consumer |
| access to the resource (photo). |
| | |
| | |
| | |
| | |
| 2.4. If permision granted, UA redirected back|
| to Consumer's "Callback URL", conveying the |
| uRT. | |
+<- - - - - - - - - - - - - - - - - - - - - - - -|
. | (indirected via UA) | |
. | | |
. | | |
+------------------------>| |
| | |
| | |
| |3.0. Consumer requests|
| |Access token, supplies|
| |uRT. |
| |--------------------->|
| | |
| | |
| | |
| |3.1. SP grants Access |
| | Token. |
| |<---------------------|
| | |
| | |
| |4.x. Consumer uses the|
| |Access Token, Access |
| |Token Secret, Consumer|
| |Key, and Consumer Secret
| |to make authenticated |
| |request(s) to the Service
| |Provider. |
| |=====================>|
| | . |
| | . |
| | . |
| | |
My personal view is that this goes a bit against the OAUTH idea. Unless the
username/password is again created using some other mechanism (which the
document does not describe) then there are vulnerability that OAUTH was
initially meant to deal with. Additionally, the result is less likely to be
easy to deploy.
As a justification for the work the following argument is provided: "HTTP
redirection to a browser is unavailable or unsuitable, such as intermediary
aggregators and mobile or settop devices." I wonder whether this is really a
problem in today's mobile devices to justify this optimization.
Maybe I just didn't capture the idea properly.
Ciao
Hannes
- [oauth] draft-dehora-farrell-oauth-accesstoken-cr… Hannes Tschofenig
- Re: [oauth] draft-dehora-farrell-oauth-accesstoke… Stephen Farrell
- Re: [oauth] draft-dehora-farrell-oauth-accesstoke… John Kemp
- Re: [oauth] draft-dehora-farrell-oauth-accesstoke… Hannes Tschofenig
- Re: [oauth] draft-dehora-farrell-oauth-accesstoke… Dorothy.Gellert
- Re: [oauth] draft-dehora-farrell-oauth-accesstoke… Eran Hammer-Lahav
- Re: [oauth] draft-dehora-farrell-oauth-accesstoke… John Kemp
- Re: [oauth] draft-dehora-farrell-oauth-accesstoke… Eran Hammer-Lahav
- Re: [oauth] draft-dehora-farrell-oauth-accesstoke… Hannes Tschofenig
- Re: [oauth] draft-dehora-farrell-oauth-accesstoke… Blaine Cook
- Re: [oauth] draft-dehora-farrell-oauth-accesstoke… Blaine Cook
- Re: [oauth] draft-dehora-farrell-oauth-accesstoke… Stephen Farrell
- Re: [oauth] draft-dehora-farrell-oauth-accesstoke… Stephen Farrell