Re: [OAUTH-WG] Client cannot specify the token type it needs

George Fletcher <gffletch@aol.com> Wed, 23 January 2013 18:05 UTC

Message-ID: <5100267C.1010400@aol.com>
Date: Wed, 23 Jan 2013 13:05:48 -0500
From: George Fletcher <gffletch@aol.com>
Organization: AOL LLC
To: "oauth@ietf.org WG" <oauth@ietf.org>
References: <1358744919.12881.YahooMailNeo@web31811.mail.mud.yahoo.com> <OFCCDF8F10.8CEE85DE-ON48257AFA.001CFDB1-48257AFA.001D2C4E@zte.com.cn> <CAJV9qO-D=9-Dbi8Rp8fdXYSYOMeNhfVbSmk2_u3z=Vy3tiyzLw@mail.gmail.com> <9034B9E7-B35F-4647-AF59-0DD222A3C60C@xmlgrrl.com>
In-Reply-To: <9034B9E7-B35F-4647-AF59-0DD222A3C60C@xmlgrrl.com>

In addition, UMA also defines a way for the RS to instruct the client on 
what to present to the AS in order to receive a token that will work at 
the RS. At the moment this flow is UMA specific but could probably be 
abstracted into a general pattern.

Also, there are really three parties that have to agree in order for the 
client to get access to the protected resource.
    a. the client -- it may only support bearer tokens and not holder-of-key
    b. the RS -- it may only allow bearer tokens from trusted clients
    c. the AS -- it may only issue bearer tokens

Developing generic negotiation amongst these parties may be overkill 
since in most cases the client knows what RS it will be talking to and 
potentially even the authorization server(s) as well.  Given that some 
pre-knowledge is probably in play, a simple solution may be to allow the 
client to register via the dynamic registration proposal the token types 
it supports and then the AS can use that data as a filtering mechanism 
when the client asks for a token.

Thanks,
George

On 1/23/13 12:23 PM, Eve Maler wrote:
> FWIW, some of us have made a proposal for exactly this type of 
> standardized AS/RS communication:
>
> http://tools.ietf.org/html/draft-hardjono-oauth-resource-reg-00
>
> The UMA profile refers normatively to this spec, and at that higher 
> profile-specific level, it has an extensive set of AS configuration 
> data that includes a way to declare token types supported. It could 
> make sense for an RS to register its preferences for token types 
> supported among those declared in the AS config data. Should this 
> "preferred token type" semantic be sedimented down to the 
> "draft-hardjono-oauth-resource-reg" level?
>
> Eve
>
> On 20 Jan 2013, at 9:29 PM, Prabath Siriwardena <prabath@wso2.com 
> <mailto:prabath@wso2.com>> wrote:
>
>> Think about a distributed setup. You have single Authorization Server 
>> and multiple Resource Servers.
>>
>> Although OAuth nicely decouples AS from RS - AFAIK there is no 
>> standard established for communication between AS and RS - how to 
>> declare metadata between those.
>>
>> Also there can be Resource Servers which support multiple token 
>> types. It could vary on APIs hosted in a given RS.
>>
>> Thanks & regards,
>> -Prabath
>>
>>
>> On Mon, Jan 21, 2013 at 10:48 AM, <zhou.sujing@zte.com.cn 
>> <mailto:zhou.sujing@zte.com.cn>> wrote:
>>
>>
>>     The token type should be decided by the resource server, which consumes
>>     the access token.
>>     Client just re-tells the requested token type to the AS.
>>     Client should not specify the token type.
>>
>>
>>     oauth-bounces@ietf.org <mailto:oauth-bounces@ietf.org> wrote on
>>     2013-01-21 13:08:39:
>>
>>
>>     > This is true.  It's possible for the AS to vary its behavior on
>>     > scope name, but it's presumed the AS and RS have an agreement of
>>     > what token type is in play.  Likely a good extension to the spec.
>>
>>     >
>>     > From: Prabath Siriwardena <prabath@wso2.com
>>     <mailto:prabath@wso2.com>>
>>     > To: "oauth@ietf.org <mailto:oauth@ietf.org> WG" <oauth@ietf.org
>>     <mailto:oauth@ietf.org>>
>>     > Sent: Sunday, January 20, 2013 7:28 PM
>>     > Subject: [OAUTH-WG] Client cannot specify the token type it needs
>>
>>     >
>>     > Although token type is extensible according to the OAuth core
>>     > specification - it is fully governed by the Authorization Server.
>>     >
>>     > There can be a case where a single AS supports multiple token
>>     types
>>     > based on client request.
>>     >
>>     > But currently we don't have a way the client can specify (or at
>>     > least suggest) which token type it needs in the OAuth access
>>     token request ?
>>     >
>>     > Is this behavior intentional ? or am I missing something...
>>     >
>>     > Thanks & Regards,
>>     > Prabath
>>     >
>>     > Mobile : +94 71 809 6732 <tel:%2B94%2071%20809%206732>
>>     >
>>     > http://blog.facilelogin.com <http://blog.facilelogin.com/>
>>     > http://RampartFAQ.com <http://rampartfaq.com/>
>>     >
>>     > _______________________________________________
>>     > OAuth mailing list
>>     > OAuth@ietf.org <mailto:OAuth@ietf.org>
>>     > https://www.ietf.org/mailman/listinfo/oauth
>>     >
>>
>>
>>
>>
>> -- 
>> Thanks & Regards,
>> Prabath
>>
>> Mobile : +94 71 809 6732
>>
>> http://blog.facilelogin.com <http://blog.facilelogin.com/>
>> http://RampartFAQ.com <http://rampartfaq.com/>
>
>
> Eve Maler http://www.xmlgrrl.com/blog
> +1 425 345 6756 http://www.twitter.com/xmlgrrl
>
>
>

-- 
George Fletcher <http://connect.me/gffletch>
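As an added illustration of the three-party agreement George describes (not code from the thread, any draft, or any of the participants), the following Python sketch shows an authorization server choosing a token type by filtering on what the client registered, what the RS accepts, and what the AS can issue. The registration parameter `token_types_supported`, the RS metadata structure, the trusted-client list, and the token-type names "bearer" and "holder-of-key" are all assumptions constructed for the example; no OAuth specification on the page defines them.

```python
"""Added example (not from the thread): an authorization server selecting a
token type by intersecting the capabilities of client, RS and AS.

Assumptions (constructed for this example, not defined by any spec):
  - clients register a hypothetical "token_types_supported" list when they
    use dynamic registration;
  - the AS holds per-RS metadata listing the token types the RS accepts,
    most preferred first (the "preferred token type" idea in Eve's mail);
  - an RS may restrict bearer tokens to a set of trusted clients (George's
    case b).
"""
from dataclasses import dataclass, field


class TokenTypeMismatch(Exception):
    """No token type is acceptable to the client, the RS and the AS at once."""


@dataclass
class ClientRegistration:
    client_id: str
    token_types_supported: list  # hypothetical dynamic-registration parameter


@dataclass
class ResourceServer:
    resource_id: str
    token_types_accepted: list  # most preferred first
    bearer_trusted_clients: set = field(default_factory=set)  # empty = any client


@dataclass
class AuthorizationServer:
    token_types_issuable: list
    clients: dict
    resource_servers: dict

    def select_token_type(self, client_id, resource_id, requested=None):
        """Return the token type the AS will issue for this client/RS pair.

        The RS preference order decides among the survivors of all three
        filters; a client hint (`requested`) is honoured only if it survives
        too, so the client cannot talk the AS into a type the RS rejects.
        """
        client = self.clients[client_id]
        rs = self.resource_servers[resource_id]
        candidates = []
        for tt in rs.token_types_accepted:
            if tt not in client.token_types_supported:
                continue  # case a: client cannot use this type
            if tt not in self.token_types_issuable:
                continue  # case c: AS cannot mint this type
            if (tt == "bearer" and rs.bearer_trusted_clients
                    and client_id not in rs.bearer_trusted_clients):
                continue  # case b: RS takes bearer tokens only from trusted clients
            candidates.append(tt)
        if not candidates:
            raise TokenTypeMismatch(
                f"no token type usable by {client_id} at {resource_id}")
        if requested in candidates:
            return requested
        return candidates[0]


def build_sample_as():
    """Constructed sample deployment: one AS, two clients, two RSs."""
    clients = {
        "app-a": ClientRegistration("app-a", ["bearer"]),
        "app-b": ClientRegistration("app-b", ["bearer", "holder-of-key"]),
    }
    resource_servers = {
        "photos": ResourceServer("photos", ["holder-of-key", "bearer"],
                                 bearer_trusted_clients={"app-a"}),
        "calendar": ResourceServer("calendar", ["holder-of-key"]),
    }
    return AuthorizationServer(["bearer", "holder-of-key"], clients,
                               resource_servers)


if __name__ == "__main__":
    az = build_sample_as()
    print(az.select_token_type("app-a", "photos"))                   # bearer
    print(az.select_token_type("app-b", "photos", requested="bearer"))  # holder-of-key
```

The bearer-only client `app-a` cannot be served at the `calendar` RS at all, and the selection raises `TokenTypeMismatch` rather than issuing a token that would be rejected downstream; surfacing that as an explicit error at the AS is the "filtering mechanism" George proposes, in place of a general negotiation protocol.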