Re: [OAUTH-WG] OAuth 2.0 Token Exchange: An STS for the REST of Us

Rifaat Shekh-Yusef <rifaat.ietf@gmail.com> Wed, 16 December 2015 22:17 UTC

To: Mike Jones <Michael.Jones@microsoft.com>
Cc: "oauth@ietf.org" <oauth@ietf.org>

Hi Mike,

In section 2.2.1 Successful Response, the text states that refresh_token is
NOT RECOMMENDED, but it does not explain the reason behind this.
Can you please elaborate on this point and explain the rationale behind this
choice?

Another question is around the impact of the new token on the subject
token.
Does a successful response mean that the Client can no longer use the
subject token?

Regards,
 Rifaat
On Mon, Dec 14, 2015 at 3:05 AM, Mike Jones <Michael.Jones@microsoft.com>
wrote:

> I’m happy to report that a substantially revised OAuth 2.0 Token Exchange
> draft has been published that enables a broad range of use cases, while
> still remaining as simple as possible.  This draft unifies the approaches
> taken in the previous working group draft and draft-campbell-oauth-sts,
> incorporating working group input from the in-person discussions in Prague
> and mailing list discussions.  Thanks to all for your interest in and
> contributions to OAuth Token Exchange!  Brian Campbell deserves special
> recognition for doing much of the editing heavy lifting for this draft.
>
> The core functionality remains token type independent.  That said, new
> claims are also defined to enable representation of delegation actors in
> JSON Web Tokens (JWTs).  Equivalent claims could be defined for other token
> types by other specifications.
>
> See the Document History section for a summary of the changes made.
> Please check it out!
>
> The specification is available at:
>
> · http://tools.ietf.org/html/draft-ietf-oauth-token-exchange-03
>
> An HTML-formatted version is also available at:
>
> · http://self-issued.info/docs/draft-ietf-oauth-token-exchange-03.html
>
> -- Mike
>
> P.S.  This note was also posted at http://self-issued.info/?p=1509 and as
> @selfissued <https://twitter.com/selfissued>.
>
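As an added example that is not part of this thread or of the draft's own code, a small Python sketch of the exchange the draft describes: it builds the request, checks the section 2.2.1 successful response (flagging a refresh_token, which the draft marks NOT RECOMMENDED) and walks the nested actor claim of the issued JWT. The request and response parameter names are those of the token-exchange draft; the nested "act" claim name, its ordering, and the sample tokens are assumptions constructed for the example.

```python
import base64
import json
from urllib.parse import urlencode

# Parameter and claim names follow the token-exchange draft in the thread;
# "act" is assumed to be its nested actor claim that records delegation.
GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"
JWT_TYPE = "urn:ietf:params:oauth:token-type:jwt"
AT_TYPE = "urn:ietf:params:oauth:token-type:access_token"

def build_exchange_request(subject_token, actor_token=None):
    """Form body of an exchange request; actor_token turns it into delegation."""
    params = {"grant_type": GRANT, "subject_token": subject_token,
              "subject_token_type": AT_TYPE, "requested_token_type": JWT_TYPE}
    if actor_token:
        params.update(actor_token=actor_token, actor_token_type=AT_TYPE)
    return urlencode(params)

def check_successful_response(body):
    """Require the 2.2.1 members; flag refresh_token, which the draft marks NOT RECOMMENDED."""
    resp = json.loads(body)
    missing = [k for k in ("access_token", "issued_token_type", "token_type")
               if k not in resp]
    if missing:
        raise ValueError("response lacks: " + ", ".join(missing))
    findings = ["refresh_token issued (NOT RECOMMENDED)"] if "refresh_token" in resp else []
    return resp, findings

def delegation_chain(jwt):
    """[subject, current actor, prior actors...] from nested 'act' claims.
    Decodes only: a real client verifies the signature before trusting claims."""
    payload = jwt.split(".")[1]
    claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    chain, actor = [claims["sub"]], claims.get("act")
    while actor:
        chain.append(actor["sub"])
        actor = actor.get("act")
    return chain

def _b64url(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")

# Constructed sample (alg=none header, empty signature part): svc-a acts for
# the user; svc-b was the prior actor in the delegation chain.
SAMPLE_JWT = _b64url({"alg": "none"}) + "." + _b64url(
    {"sub": "user@example.com", "act": {"sub": "svc-a", "act": {"sub": "svc-b"}}}) + "."
SAMPLE_RESPONSE = json.dumps({"access_token": SAMPLE_JWT, "issued_token_type": JWT_TYPE,
                              "token_type": "Bearer", "expires_in": 60,
                              "refresh_token": "rt-constructed"})
```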