IETF Logo Mail Archive

Re: [OAUTH-WG] Confirmation: Call for Adoption of "OAuth Token Introspection" as an OAuth Working Group Item

George Fletcher <gffletch@aol.com> Wed, 30 July 2014 13:32 UTC

Return-Path: <gffletch@aol.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2BB521A0047 for <oauth@ietfa.amsl.com>; Wed, 30 Jul 2014 06:32:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.9
X-Spam-Level:
X-Spam-Status: No, score=-0.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FREEMAIL_FROM=0.001, FREEMAIL_REPLY=1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Dj7OdRpgT23Y for <oauth@ietfa.amsl.com>; Wed, 30 Jul 2014 06:32:21 -0700 (PDT)
Received: from omr-d02.mx.aol.com (omr-d02.mx.aol.com [205.188.109.194]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 976031A0030 for <oauth@ietf.org>; Wed, 30 Jul 2014 06:32:20 -0700 (PDT)
Received: from mtaout-aai01.mx.aol.com (mtaout-aai01.mx.aol.com [172.27.2.97]) by omr-d02.mx.aol.com (Outbound Mail Relay) with ESMTP id B248F702C885D; Wed, 30 Jul 2014 09:32:19 -0400 (EDT)
Received: from [10.181.176.18] (unknown [10.181.176.18]) (using TLSv1 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by mtaout-aai01.mx.aol.com (MUA/Third Party Client Interface) with ESMTPSA id 5DC943800008C; Wed, 30 Jul 2014 09:32:19 -0400 (EDT)
Message-ID: <53D8F3E0.3050908@aol.com>
Date: Wed, 30 Jul 2014 09:32:16 -0400
From: George Fletcher <gffletch@aol.com>
Organization: AOL LLC
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:24.0) Gecko/20100101 Thunderbird/24.6.0
MIME-Version: 1.0
To: Mike Jones <Michael.Jones@microsoft.com>, Phil Hunt <phil.hunt@oracle.com>, Thomas Broyer <t.broyer@gmail.com>
References: <53D6895F.4050104@gmx.net> <CAEayHEM+pqDqv1qx=Z-qhNuYM-s2cV0z=sQb_FAJaGwcLpq_rQ@mail.gmail.com> <20A36D56-D581-4EDE-9DEA-D3F9C48AD20B@oracle.com> <53D81F2C.2060700@aol.com> <4E1F6AAD24975D4BA5B16804296739439ADF77B2@TK5EX14MBXC293.redmond.corp.microsoft.com>
In-Reply-To: <4E1F6AAD24975D4BA5B16804296739439ADF77B2@TK5EX14MBXC293.redmond.corp.microsoft.com>
Content-Type: multipart/alternative; boundary="------------070708080106060402070906"
x-aol-global-disposition: G
X-AOL-VSS-INFO: 5600.1067/98281
X-AOL-VSS-CODE: clean
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mx.aol.com; s=20140625; t=1406727139; bh=rZ1R8iZTXfjUm+Uz5zmUXnJQzvZKMYKhHz2sXlOMc5c=; h=From:To:Subject:Message-ID:Date:MIME-Version:Content-Type; b=EhDr/9WayK8zf8I5F19UJZVqpPnG5i0S0Hr9fL4MTHSHwkMSJjiQF/7ADAxra8ZSV KZGQEtFC5CvjgeleBaxw4mBnh45MQcBwHh7Uc5TVo8QwInFmC6vpTSAJfPYZeahMSL 9ijy6bBEpZgd6FkBdFk76j2OiyZmV9L4rl2ZbdXY=
x-aol-sid: 3039ac1b026153d8f3e349d1
X-AOL-IP: 10.181.176.18
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/qSp7dDp-3tQxG7XWNAwbf3ehAEk
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Confirmation: Call for Adoption of "OAuth Token Introspection" as an OAuth Working Group Item
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 30 Jul 2014 13:32:23 -0000

Actually there is both:) There is a JWS that contains an opaque token 
from the partner AS. We "introspect" the opaque token with the partner 
at every JWS validation to ensure the authorization is still valid. This 
is a risk decisions agreed to by both parties. Obviously there are other 
ways to solve that part of the problem.

So even though there is a JWS involved, it doesn't necessarily remove 
the need for introspection.

Thanks,
George

On 7/29/14, 8:16 PM, Mike Jones wrote:
>
> Did you consider standardizing the access token format within that 
> deployment so all the parties that needed to could understand it, 
> rather requiring an extra round trip to an introspection endpoint so 
> as to be able to understand things about it?
>
> I realize that might or might not be practical in some cases, but I 
> haven’t heard that alternative discussed, so I thought I’d bring it up.
>
> I also second Phil’s comment that it would be good to understand the 
> use cases that this is intended to solve before embarking on a 
> particular solution path.
>
> -- Mike
>
> *From:*OAuth [mailto:oauth-bounces@ietf.org] *On Behalf Of *George 
> Fletcher
> *Sent:* Tuesday, July 29, 2014 3:25 PM
> *To:* Phil Hunt; Thomas Broyer
> *Cc:* oauth@ietf.org
> *Subject:* Re: [OAUTH-WG] Confirmation: Call for Adoption of "OAuth 
> Token Introspection" as an OAuth Working Group Item
>
> We also have a use case where the AS is provided by a partner and the 
> RS is provided by AOL. Being able to have a standardized way of 
> validating and getting data about the token from the AS would make our 
> implementation much simpler as we can use the same mechanism for all 
> Authorization Servers and not have to implement one off solutions for 
> each AS.
>
> Thanks,
> George
>
> On 7/28/14, 8:11 PM, Phil Hunt wrote:
>
>     Could we have some discussion on the interop cases?
>
>     Is it driven by scenarios where AS and resource are separate
>     domains? Or may this be only of interest to specific protocols
>     like UMA?
>
>     From a technique principle, the draft is important and sound. I am
>     just not there yet on the reasons for an interoperable standard.
>
>     Phil
>
>
>     On Jul 28, 2014, at 17:00, Thomas Broyer <t.broyer@gmail.com
>     <mailto:t.broyer@gmail.com>> wrote:
>
>         Yes. This spec is of special interest to the platform we're
>         building for http://www.oasis-eu.org/
>
>         On Mon, Jul 28, 2014 at 7:33 PM, Hannes Tschofenig
>         <hannes.tschofenig@gmx.net <mailto:hannes.tschofenig@gmx.net>>
>         wrote:
>
>         Hi all,
>
>         during the IETF #90 OAuth WG meeting, there was strong
>         consensus in
>         adopting the "OAuth Token Introspection"
>         (draft-richer-oauth-introspection-06.txt) specification as an
>         OAuth WG
>         work item.
>
>         We would now like to verify the outcome of this call for
>         adoption on the
>         OAuth WG mailing list. Here is the link to the document:
>         http://datatracker.ietf.org/doc/draft-richer-oauth-introspection/
>
>         If you did not hum at the IETF 90 OAuth WG meeting, and have
>         an opinion
>         as to the suitability of adopting this document as a WG work item,
>         please send mail to the OAuth WG list indicating your opinion
>         (Yes/No).
>
>         The confirmation call for adoption will last until August 10,
>         2014.  If
>         you have issues/edits/comments on the document, please send these
>         comments along to the list in your response to this Call for
>         Adoption.
>
>         Ciao
>         Hannes & Derek
>
>
>         _______________________________________________
>         OAuth mailing list
>         OAuth@ietf.org <mailto:OAuth@ietf.org>
>         https://www.ietf.org/mailman/listinfo/oauth
>
>
>
>         -- 
>         Thomas Broyer
>         /tɔ.ma.bʁwa.je/ <http://xn--nna.ma.xn--bwa-xxb.je/>
>
>         _______________________________________________
>         OAuth mailing list
>         OAuth@ietf.org <mailto:OAuth@ietf.org>
>         https://www.ietf.org/mailman/listinfo/oauth
>
>
>
>
>     _______________________________________________
>
>     OAuth mailing list
>
>     OAuth@ietf.org  <mailto:OAuth@ietf.org>
>
>     https://www.ietf.org/mailman/listinfo/oauth
>

-- 
George Fletcher <http://connect.me/gffletch>

v2.23.0 | Report a Bug | By Email