Re: [OAUTH-WG] Delegation -- RE: SAML profile comments/questions from the SAML people
Igor Faynberg <igor.faynberg@alcatel-lucent.com> Wed, 08 September 2010 17:38 UTC
Return-Path: <igor.faynberg@alcatel-lucent.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id B09243A68FB for <oauth@core3.amsl.com>; Wed, 8 Sep 2010 10:38:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.484
X-Spam-Level:
X-Spam-Status: No, score=-2.484 tagged_above=-999 required=5 tests=[AWL=0.115, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0Cua0W5g4v+h for <oauth@core3.amsl.com>; Wed, 8 Sep 2010 10:38:19 -0700 (PDT)
Received: from ihemail1.lucent.com (ihemail1.lucent.com [135.245.0.33]) by core3.amsl.com (Postfix) with ESMTP id 14E303A6836 for <oauth@ietf.org>; Wed, 8 Sep 2010 10:38:09 -0700 (PDT)
Received: from umail.lucent.com (h135-3-40-63.lucent.com [135.3.40.63]) by ihemail1.lucent.com (8.13.8/IER-o) with ESMTP id o88Hbwgh009922 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 8 Sep 2010 12:37:58 -0500 (CDT)
Received: from [135.244.36.176] (faynberg.lra.lucent.com [135.244.36.176]) by umail.lucent.com (8.13.8/TPES) with ESMTP id o88HbtPI004242; Wed, 8 Sep 2010 12:37:55 -0500 (CDT)
Message-ID: <4C87C9F6.70106@alcatel-lucent.com>
Date: Wed, 08 Sep 2010 13:37:58 -0400
From: Igor Faynberg <igor.faynberg@alcatel-lucent.com>
Organization: Alcatel-Lucent
User-Agent: Thunderbird 2.0.0.24 (Windows/20100228)
MIME-Version: 1.0
To: "Zeltsan, Zachary (Zachary)" <zachary.zeltsan@alcatel-lucent.com>
References: <DADD7EAD88AB484D8CCC328D40214CCD01C253AA42@EXPO10.exchange.mit.edu> <4C86A248.20501@alcatel-lucent.com> <5710F82C0E73B04FA559560098BF95B124FB2333D2@USNAVSXCHMBSA3.ndc.alcatel-lucent.com>
In-Reply-To: <5710F82C0E73B04FA559560098BF95B124FB2333D2@USNAVSXCHMBSA3.ndc.alcatel-lucent.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Scanned-By: MIMEDefang 2.57 on 135.245.2.33
Cc: Thomas Hardjono <hardjono@MIT.EDU>, oauth <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Delegation -- RE: SAML profile comments/questions from the SAML people
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: igor.faynberg@alcatel-lucent.com
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 08 Sep 2010 17:39:06 -0000
So, maybe you and Thomas can generalize that use case to rely on either mechanism? Igor Zeltsan, Zachary (Zachary) wrote: > Igor, > > The intention of the draft draft-vrancken-oauth-redelegation was to specify a mechanism for doing exactly what Thomas has described: > >> ... User#1/Client#1 asks for >> an access token (to a given resource) with the >> intention of later handing over the access-token to >> a different User#2/Client#2 >> > The mechanism is design to support also the situation where > >> User#2/Client#2 asks the Auth Server to "swap" (re-issue) >> this token for a different client_id (User#3/Client#3) >> > > The difference is that the mechanism of the draft-vrancken-oauth-redelegation relies on the "temporary credentials" and "token credentials", which were used in OAuth 1.0, and not on the access tokens. > > Zachary > -----Original Message----- > From: Igor Faynberg [mailto:igor.faynberg@alcatel-lucent.com] > Sent: Tuesday, September 07, 2010 4:36 PM > To: Thomas Hardjono; Zeltsan, Zachary (Zachary) > Cc: Brian Campbell; oauth > Subject: Re: [OAUTH-WG] Delegation -- RE: SAML profile comments/questions from the SAML people > > Thomas, > > It looks to me like the intention in this use case is similar to that of > the "multilegged OAuth" (later renamed to the politically-correct > "recursive delegation"). This use case has been published in Bart's and > Zachary's draft. which has expired now. This case has moved into the > overall use case compilation document. > > Zachary, maybe you could shed some light here? > > Igor > > Thomas Hardjono wrote: > >> __________________________________________ >> >> >> >>> -... >>> >> What I meant to say is that User#1/Client#1 asks for >> an access token (to a given resource) with the >> intention of later handing over the access-token to >> a different User#2/Client#2. >> >> Ideally, this model could be extensible where >> User#2/Client#2 asks the Auth Server to "swap" (re-issue) >> this token for a different client_id (User#3/Client#3). >> >> However, this bring us into space of role based access >> control and permissions, which would somewhat complicate >> the Oauth 2.0 authorization model :) >> >> /thomas/ >> >> >> >> >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org >> https://www.ietf.org/mailman/listinfo/oauth >> >>
- [OAUTH-WG] Delegation -- RE: SAML profile comment… Thomas Hardjono
- Re: [OAUTH-WG] Delegation -- RE: SAML profile com… Igor Faynberg
- Re: [OAUTH-WG] Delegation -- RE: SAML profile com… Zeltsan, Zachary (Zachary)
- Re: [OAUTH-WG] Delegation -- RE: SAML profile com… Justin Richer
- Re: [OAUTH-WG] Delegation -- RE: SAML profile com… Igor Faynberg
- Re: [OAUTH-WG] Delegation -- RE: SAML profile com… Thomas Hardjono
- Re: [OAUTH-WG] Delegation -- RE: SAML profile com… Zeltsan, Zachary (Zachary)
- Re: [OAUTH-WG] Delegation -- RE: SAML profile com… Thomas Hardjono