IETF Logo Mail Archive

Re: [OAUTH-WG] resource server id needed?

"William Mills" <wmills@yahoo-inc.com> Thu, 15 July 2010 06:15 UTC

Return-Path: <wmills@yahoo-inc.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 59EC83A6974 for <oauth@core3.amsl.com>; Wed, 14 Jul 2010 23:15:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -17.181
X-Spam-Level:
X-Spam-Status: No, score=-17.181 tagged_above=-999 required=5 tests=[AWL=0.084, BAYES_00=-2.599, IP_NOT_FRIENDLY=0.334, USER_IN_DEF_WHITELIST=-15]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id q+BBJskRTLbv for <oauth@core3.amsl.com>; Wed, 14 Jul 2010 23:15:00 -0700 (PDT)
Received: from mrout2-b.corp.re1.yahoo.com (mrout2-b.corp.re1.yahoo.com [69.147.107.21]) by core3.amsl.com (Postfix) with ESMTP id CDE7A3A67AE for <oauth@ietf.org>; Wed, 14 Jul 2010 23:14:58 -0700 (PDT)
Received: from SNV-EXPF01.ds.corp.yahoo.com (snv-expf01.ds.corp.yahoo.com [207.126.227.250]) by mrout2-b.corp.re1.yahoo.com (8.13.8/8.13.8/y.out) with ESMTP id o6F6B9Ir092529; Wed, 14 Jul 2010 23:11:09 -0700 (PDT)
DomainKey-Signature: a=rsa-sha1; s=serpent; d=yahoo-inc.com; c=nofws; q=dns; h=received:x-mimeole:content-class:mime-version: content-type:content-transfer-encoding:subject:date:message-id: in-reply-to:x-ms-has-attach:x-ms-tnef-correlator:thread-topic: thread-index:references:from:to:cc:x-originalarrivaltime; b=IcQSg7qOEwCXwo/2dfl0m21+vMxV1s0VJQjbi13+YGOEW5K+lRXgQuHlgMMcdBit
Received: from SNV-EXVS08.ds.corp.yahoo.com ([207.126.227.8]) by SNV-EXPF01.ds.corp.yahoo.com with Microsoft SMTPSVC(6.0.3790.4675); Wed, 14 Jul 2010 23:11:09 -0700
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: quoted-printable
Date: Wed, 14 Jul 2010 23:11:08 -0700
Message-ID: <012AB2B223CB3F4BB846962876F47217059B6CB3@SNV-EXVS08.ds.corp.yahoo.com>
In-Reply-To: <6345F9F9-2EDD-4199-9C90-339CB1757B0A@lodderstedt.net>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: [OAUTH-WG] resource server id needed?
Thread-Index: Acsj4dTykgDXgF9wSTCwBhsfrnndrwAApP6w
References: <4C3E389D.5080300@lodderstedt.net><AANLkTilbBWMoMj5DIJ7IMYzlBGgZHni7xCYHyAzz_XK4@mail.gmail.com><95C3FB14-F5C4-4ECB-91EF-9ED988C367DE@hueniverse.com> <6345F9F9-2EDD-4199-9C90-339CB1757B0A@lodderstedt.net>
From: William Mills <wmills@yahoo-inc.com>
To: Torsten Lodderstedt <torsten@lodderstedt.net>, Eran Hammer-Lahav <eran@hueniverse.com>
X-OriginalArrivalTime: 15 Jul 2010 06:11:09.0569 (UTC) FILETIME=[84ADCF10:01CB23E4]
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] resource server id needed?
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 15 Jul 2010 06:15:06 -0000

No hang on.  A single auth server should be able to handle man resource
servers.

It only gets hairy I think if you want multiple auth servers. 

> -----Original Message-----
> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] 
> On Behalf Of Torsten Lodderstedt
> Sent: Wednesday, July 14, 2010 10:50 PM
> To: Eran Hammer-Lahav
> Cc: OAuth WG (oauth@ietf.org)
> Subject: Re: [OAUTH-WG] resource server id needed?
> 
> Did I get you right? Your answer is: Oauth is not suited for 
> deployments with different resource servers which rely in a 
> single authz server?
> 
> I don't know why you categorize this as  "complex". Is it so 
> unusual to have let's say mail, webstorage, telephony, and 
> payment services?
> 
> At Deutsche Telekom, we operate such a deployment (with much 
> more different resource servers) and I had hoped to move our 
> token service towards OAuth v2. 
> 
> So would you recommend me zo stick to our proprietary protocol?
> 
> regards,
> Torsten.
> 
> 
> 
> Am 15.07.2010 um 00:39 schrieb Eran Hammer-Lahav 
> <eran@hueniverse.com>:
> 
> > If your deployment is that complicated, even my discovery 
> proposal is not going to help you... 
> > 
> > EHL
> > 
> > 
> > 
> > On Jul 14, 2010, at 18:37, "Marius Scurtescu" 
> <mscurtescu@google.com> wrote:
> > 
> >> On Wed, Jul 14, 2010 at 3:22 PM, Torsten Lodderstedt 
> >> <torsten@lodderstedt.net> wrote:
> >>> I have a question concerning the OAuth philosophy: How 
> many resource 
> >>> servers may be managed by a single OAuth authorization 
> server? (a) A 
> >>> single resource server or (b) several of them exposing 
> different resource types?
> >>> 
> >>> If the answer is (b) then how is a particular resource server 
> >>> identified in the protocol? Clients have Ids, end-users 
> as well (at 
> >>> least in a future protocol extension), but what about 
> resource server Ids?
> >>> 
> >>> I think resource servers must be identifiable in multi-server 
> >>> deployments for several reasons:
> >>> - Interpretation of the scope parameter should be resource server 
> >>> specific - "read" may have different meanings in mail and address 
> >>> book
> >>> - An authorization server probably wants to apply server-specific 
> >>> security policy, e.g. different access token durations
> >>> - It will be possible to create special tokens per server
> >>> 
> >>> I think we should introduce a resource server id in the authz and 
> >>> access token request.
> >>> 
> >>> Any thoughts?
> >> 
> >> I think the scope fills this role. Scopes implemented as URIs, for 
> >> example, allow the authz server to map them to resource servers.
> >> 
> >> Marius
> >> _______________________________________________
> >> OAuth mailing list
> >> OAuth@ietf.org
> >> https://www.ietf.org/mailman/listinfo/oauth
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>

v2.35.0 | Report a Bug | By Email | System Status