Re: [OAUTH-WG] Using OAuth to get a JWT/SAML token
Lewis Adam-CAL022 <Adam.Lewis@motorolasolutions.com> Thu, 19 April 2012 22:25 UTC
Return-Path: <Adam.Lewis@motorolasolutions.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2C6CC21F8526 for <oauth@ietfa.amsl.com>; Thu, 19 Apr 2012 15:25:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.466
X-Spam-Level:
X-Spam-Status: No, score=-0.466 tagged_above=-999 required=5 tests=[AWL=-0.000, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1, UNRESOLVED_TEMPLATE=3.132]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lYQz+aiZWAeQ for <oauth@ietfa.amsl.com>; Thu, 19 Apr 2012 15:25:47 -0700 (PDT)
Received: from am1outboundpool.messaging.microsoft.com (am1ehsobe002.messaging.microsoft.com [213.199.154.205]) by ietfa.amsl.com (Postfix) with ESMTP id 87C2E21F850C for <oauth@ietf.org>; Thu, 19 Apr 2012 15:25:46 -0700 (PDT)
Received: from mail5-am1-R.bigfish.com (10.3.201.238) by AM1EHSOBE006.bigfish.com (10.3.204.26) with Microsoft SMTP Server id 14.1.225.23; Thu, 19 Apr 2012 22:25:45 +0000
Received: from mail5-am1 (localhost [127.0.0.1]) by mail5-am1-R.bigfish.com (Postfix) with ESMTP id 7307C3201FD for <oauth@ietf.org>; Thu, 19 Apr 2012 22:25:45 +0000 (UTC)
X-SpamScore: -26
X-BigFish: VPS-26(zzbb2dI9371Ic85fh98dK14ffIzz1202hzz1033IL8275bh8275dhz2fh2a8h683h839hd25h)
X-Forefront-Antispam-Report: CIP:192.160.210.20; KIP:(null); UIP:(null); IPV:NLI; H:il27msg01.am.mot-solutions.com; RD:il27msg01.mot-solutions.com; EFVD:NLI
Received-SPF: pass (mail5-am1: domain of motorolasolutions.com designates 192.160.210.20 as permitted sender) client-ip=192.160.210.20; envelope-from=Adam.Lewis@motorolasolutions.com; helo=il27msg01.am.mot-solutions.com ; olutions.com ;
Received: from mail5-am1 (localhost.localdomain [127.0.0.1]) by mail5-am1 (MessageSwitch) id 1334874343894835_14087; Thu, 19 Apr 2012 22:25:43 +0000 (UTC)
Received: from AM1EHSMHS008.bigfish.com (unknown [10.3.201.234]) by mail5-am1.bigfish.com (Postfix) with ESMTP id D49EF120057 for <oauth@ietf.org>; Thu, 19 Apr 2012 22:25:43 +0000 (UTC)
Received: from il27msg01.am.mot-solutions.com (192.160.210.20) by AM1EHSMHS008.bigfish.com (10.3.207.108) with Microsoft SMTP Server (TLS) id 14.1.225.23; Thu, 19 Apr 2012 22:25:43 +0000
Received: from il27msg01.am.mot-solutions.com (ct11vts02.am.mot.com [10.177.16.160]) by il27msg01.am.mot-solutions.com (8.14.3/8.14.3) with ESMTP id q3JMbQUV028814 for <oauth@ietf.org>; Thu, 19 Apr 2012 17:37:27 -0500 (CDT)
Received: from db3outboundpool.messaging.microsoft.com (db3ehsobe006.messaging.microsoft.com [213.199.154.144]) by il27msg01.am.mot-solutions.com (8.14.3/8.14.3) with ESMTP id q3JMbP6A028805 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL) for <oauth@ietf.org>; Thu, 19 Apr 2012 17:37:26 -0500 (CDT)
Received: from mail75-db3-R.bigfish.com (10.3.81.243) by DB3EHSOBE001.bigfish.com (10.3.84.21) with Microsoft SMTP Server id 14.1.225.23; Thu, 19 Apr 2012 22:25:38 +0000
Received: from mail75-db3 (localhost [127.0.0.1]) by mail75-db3-R.bigfish.com (Postfix) with ESMTP id 5593D1E0722 for <oauth@ietf.org.FOPE.CONNECTOR.OVERRIDE>; Thu, 19 Apr 2012 22:25:38 +0000 (UTC)
Received: from mail75-db3 (localhost.localdomain [127.0.0.1]) by mail75-db3 (MessageSwitch) id 1334874336201175_32368; Thu, 19 Apr 2012 22:25:36 +0000 (UTC)
Received: from DB3EHSMHS002.bigfish.com (unknown [10.3.81.246]) by mail75-db3.bigfish.com (Postfix) with ESMTP id 2CDFEA0479; Thu, 19 Apr 2012 22:25:36 +0000 (UTC)
Received: from BL2PRD0410HT003.namprd04.prod.outlook.com (157.56.240.85) by DB3EHSMHS002.bigfish.com (10.3.87.102) with Microsoft SMTP Server (TLS) id 14.1.225.23; Thu, 19 Apr 2012 22:25:35 +0000
Received: from BL2PRD0410MB363.namprd04.prod.outlook.com ([169.254.3.84]) by BL2PRD0410HT003.namprd04.prod.outlook.com ([10.255.99.38]) with mapi id 14.16.0143.004; Thu, 19 Apr 2012 22:25:35 +0000
From: Lewis Adam-CAL022 <Adam.Lewis@motorolasolutions.com>
To: Brian Campbell <bcampbell@pingidentity.com>
Thread-Topic: [OAUTH-WG] Using OAuth to get a JWT/SAML token
Thread-Index: AQHNHnkKVdHTUrYT/0+qOjOa2wdFq5aiuSuw
Date: Thu, 19 Apr 2012 22:25:34 +0000
Message-ID: <59E470B10C4630419ED717AC79FCF9A909785B@BL2PRD0410MB363.namprd04.prod.outlook.com>
References: <59E470B10C4630419ED717AC79FCF9A906E74E@CH1PRD0410MB369.namprd04.prod.outlook.com> <4F885680.5090801@mitre.org> <59E470B10C4630419ED717AC79FCF9A9090519@CH1PRD0410MB369.namprd04.prod.outlook.com> <CA+k3eCQAq18kuXgwbSvzR4JJKqsJFQHoeU-+9UBYBNk6+3eTZQ@mail.gmail.com>
In-Reply-To: <CA+k3eCQAq18kuXgwbSvzR4JJKqsJFQHoeU-+9UBYBNk6+3eTZQ@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [150.130.9.149]
Content-Type: multipart/alternative; boundary="_000_59E470B10C4630419ED717AC79FCF9A909785BBL2PRD0410MB363na_"
MIME-Version: 1.0
X-MS-Exchange-CrossPremises-AuthAs: Internal
X-MS-Exchange-CrossPremises-AuthMechanism: 04
X-MS-Exchange-CrossPremises-AuthSource: BL2PRD0410HT003.namprd04.prod.outlook.com
X-MS-Exchange-CrossPremises-SCL: -1
X-MS-Exchange-CrossPremises-messagesource: StoreDriver
X-MS-Exchange-CrossPremises-BCC:
X-MS-Exchange-CrossPremises-rules-execution-history: Sample Spam Submissions
X-MS-Exchange-CrossPremises-processed-by-journaling: Journal Agent
X-MS-Exchange-CrossPremises-ContentConversionOptions: False;00160000;True;;
X-OrganizationHeadersPreserved: BL2PRD0410HT003.namprd04.prod.outlook.com
X-FOPE-CONNECTOR: Id%0$Dn%*$RO%0$TLS%0$FQDN%$TlsDn%
X-FOPE-CONNECTOR: Id%1294$Dn%PINGIDENTITY.COM$RO%2$TLS%3$FQDN%msgate.mot-solutions.com$TlsDn%
X-FOPE-CONNECTOR: Id%1294$Dn%MITRE.ORG$RO%2$TLS%3$FQDN%msgate.mot-solutions.com$TlsDn%
X-FOPE-CONNECTOR: Id%1294$Dn%IETF.ORG$RO%2$TLS%3$FQDN%msgate.mot-solutions.com$TlsDn%
X-CFilter-Loop: Reflected
X-OriginatorOrg: motorolasolutions.com
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Using OAuth to get a JWT/SAML token
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 19 Apr 2012 22:25:50 -0000
Hi Brian, I was also looking at the resource owner credentials flow, but it seems limited to username & password ... it's not clear that it would work with stronger authentication methods such as RSA. Thoughts? adam From: Brian Campbell [mailto:bcampbell@pingidentity.com] Sent: Thursday, April 19, 2012 5:08 PM To: Lewis Adam-CAL022 Cc: Justin Richer; oauth@ietf.org Subject: Re: [OAUTH-WG] Using OAuth to get a JWT/SAML token A browser isn't required. The browser based flows are pretty common with OAuth but they are certainly not the only way to get a token. The resource owner credentials and client credentials grant types are both involve only direct communication between the client and the AS. And there are also the SAML and JWT grants that allow a client to get an access token directly from an AS without a browser being involved. On Thu, Apr 19, 2012 at 3:37 PM, Lewis Adam-CAL022 <Adam.Lewis@motorolasolutions.com<mailto:Adam.Lewis@motorolasolutions.com>> wrote: Hi Justin, There is one thing I have not understood about the whole external browser vs. embedded browser guidance ... and that is, why is *any* browser needed? Java for example has an HTTP library, and OAuth is RESTful. So why is it necessary to require the web browser at all, whether external or embedded? Why can't my native client make RESTful API calls to the AS and RS natively? Tx! adam From: Justin Richer [mailto:jricher@mitre.org<mailto:jricher@mitre.org>] Sent: Friday, April 13, 2012 11:38 AM To: Lewis Adam-CAL022 Cc: oauth@ietf.org<mailto:oauth@ietf.org> Subject: Re: [OAUTH-WG] Using OAuth to get a JWT/SAML token If the mobile device has a web browser (such as a smart phone), then this is pretty easy, and you've got a couple of options. One of the best options when the token is on behalf of an end user is, in my opinion, to use the authorization code flow like this: First, register what's called a "public client" with your server -- so you'll get an ID but not a client secret. With that client ID, register a custom-scheme callback URI, like "myapp://oauthcallback", and register your app on the device as the handler for "myapp". In your application, to start things off, you fire off a web browser to the authorization server's authorization endpoint. The user logs in to the authorization server through the web browser, approves this copy of your app, and gets redirected to "myapp://oauthcallback?code=basdf132". Your app grabs the "myapp://" url and plucks the authorization code off the end of it. Your app then takes that code and sends it in the background to the token endpoint to exchange for a token. Some key points: 1) You need to have access to a web browser on the platform, and it's considered best practice to push the user to the external browser application on the platform instead of embedding one. There are a couple paragraphs in the spec's security considerations section that talk about this. 2) Your app is "public" because you can't publish it with a secret at configuration time. It can, however, keep the tokens secret at runtime. 3) You need to be very careful with how you store the tokens on the device -- they need to be in a trusted space where other apps on the device can't sniff them out. 4) Another app can try to register "myapp://" and intercept your code on the way through, so make sure your codes are all one time use and short lived. None of this is just theoretically possible, people are doing it today. What libraries and stuff you'd be after depends wholly on your platform (both server and client side). -- Justin On 04/12/2012 03:01 PM, Lewis Adam-CAL022 wrote: Hi all, I've been talking to some of you off line about this already, but I need some help in terms of implementation. I would like to use OAuth as a means to get either a JWT or SAML token to a client running on a handheld device. This is something that I'm looking to prototype (as part of a larger project) beginning this week. So, it is important to me to understand the divide between what is theoretically possible and what is actually possible. Anybody aware of any implementations out there, either vendor or open source, that I can use for this? Tx! adam _______________________________________________ OAuth mailing list OAuth@ietf.org<mailto:OAuth@ietf.org> https://www.ietf.org/mailman/listinfo/oauth _______________________________________________ OAuth mailing list OAuth@ietf.org<mailto:OAuth@ietf.org> https://www.ietf.org/mailman/listinfo/oauth
- [OAUTH-WG] Using OAuth to get a JWT/SAML token Lewis Adam-CAL022
- Re: [OAUTH-WG] Using OAuth to get a JWT/SAML token Justin Richer
- Re: [OAUTH-WG] Using OAuth to get a JWT/SAML token Lewis Adam-CAL022
- Re: [OAUTH-WG] Using OAuth to get a JWT/SAML token John Bradley
- Re: [OAUTH-WG] Using OAuth to get a JWT/SAML token Lewis Adam-CAL022
- Re: [OAUTH-WG] Using OAuth to get a JWT/SAML token Paul Madsen
- Re: [OAUTH-WG] Using OAuth to get a JWT/SAML token Brian Campbell
- Re: [OAUTH-WG] Using OAuth to get a JWT/SAML token Lewis Adam-CAL022
- Re: [OAUTH-WG] Using OAuth to get a JWT/SAML token Lewis Adam-CAL022
- Re: [OAUTH-WG] Using OAuth to get a JWT/SAML token John Bradley
- Re: [OAUTH-WG] Using OAuth to get a JWT/SAML token William Mills
- Re: [OAUTH-WG] Using OAuth to get a JWT/SAML token Brian Campbell
- Re: [OAUTH-WG] Using OAuth to get a JWT/SAML token Paul Madsen
- Re: [OAUTH-WG] Using OAuth to get a JWT/SAML token Justin Richer