IETF Logo Mail Archive

Re: [OAUTH-WG] New Version Notification for draft-richer-oauth-introspection-00.txt

Justin Richer <jricher@mitre.org> Fri, 30 November 2012 15:57 UTC

Return-Path: <jricher@mitre.org>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AC36321F85FA for <oauth@ietfa.amsl.com>; Fri, 30 Nov 2012 07:57:49 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.595
X-Spam-Level:
X-Spam-Status: No, score=-5.595 tagged_above=-999 required=5 tests=[AWL=-1.003, BAYES_00=-2.599, HTML_MESSAGE=0.001, J_CHICKENPOX_210=0.6, J_CHICKENPOX_55=0.6, RCVD_IN_DNSWL_MED=-4, SARE_URI_CONS7=0.306, URI_NOVOWEL=0.5]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id M9y-erAKA62h for <oauth@ietfa.amsl.com>; Fri, 30 Nov 2012 07:57:48 -0800 (PST)
Received: from smtpksrv1.mitre.org (smtpksrv1.mitre.org [198.49.146.77]) by ietfa.amsl.com (Postfix) with ESMTP id 4743321F841F for <oauth@ietf.org>; Fri, 30 Nov 2012 07:57:48 -0800 (PST)
Received: from smtpksrv1.mitre.org (localhost.localdomain [127.0.0.1]) by localhost (Postfix) with SMTP id 8ADD45310769; Fri, 30 Nov 2012 10:57:47 -0500 (EST)
Received: from IMCCAS04.MITRE.ORG (imccas04.mitre.org [129.83.29.81]) by smtpksrv1.mitre.org (Postfix) with ESMTP id 74CD25310752; Fri, 30 Nov 2012 10:57:47 -0500 (EST)
Received: from [10.146.15.29] (129.83.31.58) by IMCCAS04.MITRE.ORG (129.83.29.81) with Microsoft SMTP Server (TLS) id 14.2.318.4; Fri, 30 Nov 2012 10:57:46 -0500
Message-ID: <50B8D71E.3010908@mitre.org>
Date: Fri, 30 Nov 2012 10:56:14 -0500
From: Justin Richer <jricher@mitre.org>
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:16.0) Gecko/20121028 Thunderbird/16.0.2
MIME-Version: 1.0
To: Eve Maler <eve@xmlgrrl.com>
References: <20121127184401.20364.27482.idtracker@ietfa.amsl.com> <B33BFB58CCC8BE4998958016839DE27E0684F375@IMCMBX01.MITRE.ORG> <947EEF6D-12E5-4D6E-A92E-16184AE7119B@xmlgrrl.com>
In-Reply-To: <947EEF6D-12E5-4D6E-A92E-16184AE7119B@xmlgrrl.com>
Content-Type: multipart/alternative; boundary="------------040708060906030407090107"
X-Originating-IP: [129.83.31.58]
Cc: "oauth@ietf.org WG" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] New Version Notification for draft-richer-oauth-introspection-00.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 30 Nov 2012 15:57:49 -0000

Hi Eve,

Yes, you've got the right idea. In a lot of cases that we're dealing 
with, the relationship between the RS and AS is set up ahead of time. So 
the RS knows which AS to ask, and the AS knows how to deal with the 
different RS's it cares about. UMA gives you a nice dynamic way to 
introduce the two, but I think that the introduction should be a 
separate step from the query, since both parts are reusable independently.

Correct me if I'm wrong, but UMA also has the whole API for returning 
permissions associated with a token, beyond just the simple 
current-status message, right? Even so, I think it makes sense to decide 
on what the core set of info that would come back from such a token 
introspection would be, and what it means. Different types of tokens 
(Bearer, MAC, HOK) are going to have different types of metadata 
associated with them, probably, but there are a few core pieces 
(expiration, scopes) that would be common and useful.

  -- Justin

On 11/29/2012 05:59 PM, Eve Maler wrote:
> Hi Justin-- Glad to see this moving forward. This draft seems pretty 
> straightforward, and I imagine the UMA core spec 
> <http://docs.kantarainitiative.org/uma/draft-uma-core.html> could 
> probably incorporate a reference out to this rather than continuing to 
> use our custom-specified method for what we'd called "token status". I 
> wanted to highlight a couple of things we've defined beyond what you 
> have here, in case they're of interest to the wider community.
>
> This spec defines what I'd call "shallow AS/RS communication", in that 
> it assumes a trust relationship and context that's set up between them 
> completely out of band. UMA needed "deep AS/RS communication", which 
> allows for them to live in separate domains, potentially run by 
> disparate parties. (This is akin to the separation in OpenID Connect 
> of IdPs and third-party claim providers, and I've heard of a number of 
> use cases now for the same separation in plain OAuth.) Thus, we 
> defined a means by which the AS and RS could be introduced -- it's 
> actually just an embedded OAuth flow -- so that your mention of a 
> "separate OAuth2 Access Token" option in Section 2.1 is dictated in 
> UMA to be an OAuth token, with a particular scope covering the use of 
> the token introspection endpoint.
>
> The API exposed by the AS (in UMA, an "authorization manager" or AM) 
> that includes usage of the token introspection endpoint is called a 
> "protection API", and it includes registration of information about 
> protected resources so that the AS can manage the issuance of tokens 
> that it will later be asked to introspect.
>
> Finally, UMA has a simple extension point, called "UMA token profile", 
> defined in its (JSON-encoded) AM config data that allows the content 
> associated with the token to be standardized. Actually it dictates 
> more than the content; there are protocol aspects to it too, perhaps 
> akin to OAuth's token profiles.
>
> If there's interest in sedimenting some of these pieces into the OAuth 
> layer, we'd certainly be interested to carve out modules (where 
> possible) and submit them for consideration. Note that all of these 
> features are present in our 
> http://tools.ietf.org/html/draft-hardjono-oauth-umacore-05 submission.
>
> Thanks,
>
> Eve
>
> On 27 Nov 2012, at 10:46 AM, "Richer, Justin P." <jricher@mitre.org 
> <mailto:jricher@mitre.org>> wrote:
>
>> I took some time this morning to put together a draft of Token 
>> Introspection. This is largely based on how we implemented it here a 
>> few years ago, and I'm hoping that this and the Ping draft can help 
>> move the conversation about introspection forward.
>>
>>  -- Justin
>>
>> Begin forwarded message:
>>
>>> *From: *<internet-drafts@ietf.org <mailto:internet-drafts@ietf.org>>
>>> *Subject: **New Version Notification for 
>>> draft-richer-oauth-introspection-00.txt*
>>> *Date: *November 27, 2012 1:44:01 PM EST
>>> *To: *<jricher@mitre.org <mailto:jricher@mitre.org>>
>>>
>>>
>>> A new version of I-D, draft-richer-oauth-introspection-00.txt
>>> has been successfully submitted by Justin Richer and posted to the
>>> IETF repository.
>>>
>>> Filename:draft-richer-oauth-introspection
>>> Revision:00
>>> Title:OAuth Token Introspection
>>> Creation date:2012-11-27
>>> WG ID:Individual Submission
>>> Number of pages: 6
>>> URL: 
>>> http://www.ietf.org/internet-drafts/draft-richer-oauth-introspection-00.txt
>>> Status: http://datatracker.ietf.org/doc/draft-richer-oauth-introspection
>>> Htmlized: http://tools.ietf.org/html/draft-richer-oauth-introspection-00
>>>
>>>
>>> Abstract:
>>>   This specification defines a method for a client or protected
>>>   resource to query an OAuth authorization server to determine meta-
>>>   information about an OAuth token.
>>>
>>>
>>>
>>>
>>>
>>> The IETF Secretariat
>>>
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org <mailto:OAuth@ietf.org>
>> https://www.ietf.org/mailman/listinfo/oauth
>
>
> Eve Maler http://www.xmlgrrl.com/blog
> +1 425 345 6756 http://www.twitter.com/xmlgrrl
>
>

v2.23.0 | Report a Bug | By Email