Re: [OAUTH-WG] Confirmation: Call for Adoption of "OAuth Token Introspection" as an OAuth Working Group Item
Thomas Broyer <t.broyer@gmail.com> Tue, 29 July 2014 21:31 UTC
From: Thomas Broyer <t.broyer@gmail.com>
Date: Tue, 29 Jul 2014 23:31:21 +0200
Message-ID: <CAEayHEOi4DyqRgyVMZqHcwZD+=MJpaV0qhzNRBD-gVcAYRfYqA@mail.gmail.com>
To: Phil Hunt <phil.hunt@oracle.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/rp_0LQTNpHxKJHfxushejrWwXPE
Cc: "oauth@ietf.org" <oauth@ietf.org>
On Tue, Jul 29, 2014 at 10:41 PM, Phil Hunt <phil.hunt@oracle.com> wrote:

> Making everything optional achieves no benefits, you just end up with a
> complex set of options and no interop.
>
> We had the same issue with dyn reg.
>
> I prefer to first get agreement on use case.
>
> What are the questions a caller can ask and what form of responses are
> available.
>
> Should this be limited to authz info or is this a back door for user data
> and webfinger data?
>
> I would prefer to have agreement on use cases before picking a solution
> right now.

The use-case (in our case) is driving authorization at an RS from a different vendor than the AS (we have a single AS, and everyone is free to register a RS in the AS catalog), as explained by Justin 3 hours ago.

If the response is {"active":false}, the RS is supposed to reply with a 401 and invalid_token. This could happen if the token is invalid/unknown to the AS, expired, or does not grant any scope registered by the calling RS (identified by HTTP Basic auth –Client Authentication– at the endpoint).

Our "active":true responses include the "scope" claim filtered to only include the scopes registered by the calling RS, so it can possibly return a 403 with insufficient_scope. They also include the "sub" claim and a custom "sub_groups" claim so the RS can drive authorization depending on the user. Our "sub_groups" claim includes identifiers for groups the user is a member of (so that you could control access by groups rather than only a list of users).

Finally, we also send the "client_id" claim so the RS could identify who uses its data, and possibly charge them accordingly (or refuse them access if they need prior, out-of-band, approval, or they've been blacklisted, etc.), and the "iat" and "exp" claims so they could possibly refuse access if the token is not recent enough or will expire too soon.

In due course, we'll probably add "amr" and/or "acr" claims (or similar) because some processes (in France for example) require the use of client certificates, etc.

--
Thomas Broyer
/tɔ.ma.bʁwa.je/ <http://xn--nna.ma.xn--bwa-xxb.je/>
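As an added example (not code from this thread, nor from the poster's AS or RS), here is how a resource server could turn an introspection response of the shape described above into the 401/403 decisions the message lists. The sample responses, the `min_ttl`/`max_age` freshness parameters and the group/client policy arguments are assumptions; `sub_groups` is the poster's custom claim, not a standard one.

```python
import json

# Constructed sample introspection responses, modelled on the reply above.
SAMPLE_RESPONSES = {
    "unknown": json.dumps({"active": False}),
    "reader": json.dumps({"active": True, "scope": "read", "sub": "alice",
                          "sub_groups": ["staff"], "client_id": "app-1",
                          "iat": 1406669000, "exp": 1406669900}),
    "writer": json.dumps({"active": True, "scope": "read write", "sub": "bob",
                          "sub_groups": ["staff", "editors"], "client_id": "app-2",
                          "iat": 1406669000, "exp": 1406673000}),
}


def authorize(response_json, required_scope, now, min_ttl=60, max_age=None,
              allowed_groups=None, blocked_clients=frozenset()):
    """Map an introspection response to the RS decision: (http_status, error).

    inactive token      -> 401 invalid_token
    scope not granted   -> 403 insufficient_scope
    blacklisted client  -> 403 (the reply names no error code for this case)
    user not in a group -> 403 (same)
    token too old/short -> 401 invalid_token (RS-local freshness policy, assumed)
    """
    info = json.loads(response_json)
    if not info.get("active"):
        return 401, "invalid_token"
    # "scope" is a space-separated string; per the reply the AS has already
    # filtered it down to the scopes registered by this RS.
    granted = set(info.get("scope", "").split())
    if required_scope not in granted:
        return 403, "insufficient_scope"
    if info.get("client_id") in blocked_clients:
        return 403, None
    if allowed_groups is not None:
        if not set(info.get("sub_groups", [])) & set(allowed_groups):
            return 403, None
    # "iat"/"exp" are seconds since the epoch.
    if max_age is not None and now - info.get("iat", 0) > max_age:
        return 401, "invalid_token"  # not recent enough
    if info.get("exp", 0) - now < min_ttl:
        return 401, "invalid_token"  # will expire too soon
    return 200, None
```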