Re: [OAUTH-WG] Using OAuth to get a JWT/SAML token

John Bradley <ve7jtb@ve7jtb.com> Fri, 13 April 2012 19:56 UTC

From: John Bradley <ve7jtb@ve7jtb.com>
In-Reply-To: <59E470B10C4630419ED717AC79FCF9A90741A7@BL2PRD0410MB363.namprd04.prod.outlook.com>
Date: Fri, 13 Apr 2012 21:55:40 +0200
Message-Id: <54CAB96A-859B-4CB1-92DB-45359C8DBABA@ve7jtb.com>
References: <59E470B10C4630419ED717AC79FCF9A906E74E@CH1PRD0410MB369.namprd04.prod.outlook.com> <4F885680.5090801@mitre.org> <59E470B10C4630419ED717AC79FCF9A90741A7@BL2PRD0410MB363.namprd04.prod.outlook.com>
To: Lewis Adam-CAL022 <Adam.Lewis@motorolasolutions.com>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Using OAuth to get a JWT/SAML token

Inline.

On 2012-04-13, at 9:13 PM, Lewis Adam-CAL022 wrote:

> Hi Justin …
>  
> In your application, to start things off, you fire off a web browser to the authorization server's authorization endpoint. The user logs in to the authorization server through the web browser, approves this copy of your app, and gets redirected to "myapp://oauthcallback?code=basdf132". Your app grabs the "myapp://" url and plucks the authorization code off the end of it. Your app then takes that code and sends it in the background to the token endpoint to exchange for a token.
>  
> <acl> this is the part I’m missing.  I understand how to get the authorization code to the client …  I think what you’re saying is that when the client presents the access code to the token endpoint, the token endpoint can return either a SAML or JWT token? 

Yes, this is returned as a bearer token in OAuth speak, but the contents can be JWT or SAML.

> Is the token endpoint typically part of the Authorization Server?  Is the type of token returned (SAML/JWT/etc) depending on the implementation and what is supported by different vendors and open source, or is this required by the standard?

The Token endpoint is part of the Authorization server.

The format of the authorization and refresh tokens is not defined in the OAuth 2.0 spec, other than to treat them as opaque to the client.

>   OAuth 2.0 doesn’t really say a whole lot about the actual access token.  Is this all considered out of band from OAuth and a matter of implementation?

Yes, some implementations send SAML tokens to the resource server, some JWT, and probably most send a proprietary or opaque token to the resource server, which then calls back to an STS-like service to introspect the token.

I know Justin has an introspection endpoint as part of the MITRE OpenID Connect implementation.   Ping also uses a similar one by default but can also use structured tokens.

>   Btw … I currently have two OAuth implementations running in the lab … an evaluation copy of PingFederate and an open source stack (OpenAM). </acl>

I am with one of the ForgeRock people tomorrow so I will check on what they are using for access tokens.

Both implementations will probably work for what you are trying to do.  I can't speculate on which is best for you at this point.


Regards
John B.

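The two token-endpoint designs discussed in this thread (a structured JWT the resource server can validate locally, versus an opaque token the resource server introspects at the authorization server) as an added, self-contained Python example; this is illustration written for this archive page, not code from the thread participants, Ping, MITRE or ForgeRock. It uses a stdlib-only HS256 JWT for demonstration; the issuer, audience, client id and signing key are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed demo values (assumptions, not from the thread); a real AS uses managed keys.
AS_SIGNING_KEY = b"constructed-demo-key-not-for-production"
AS_ISSUER = "https://as.example"           # hypothetical authorization server
RESOURCE_AUDIENCE = "https://rs.example"   # hypothetical resource server identifier


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_jwt(claims, key=AS_SIGNING_KEY):
    """HS256-signed JWT in compact serialization (header.payload.signature)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_jwt(token, audience, key=AS_SIGNING_KEY, now=None):
    """Resource-server check of a structured token: alg, signature, issuer, audience, expiry."""
    now = time.time() if now is None else now
    try:
        h, p, s = token.split(".")
    except ValueError:          # not a three-part compact JWT (e.g. an opaque token)
        return None
    if json.loads(_b64url_decode(h)).get("alg") != "HS256":   # reject 'none' / alg confusion
        return None
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        return None
    claims = json.loads(_b64url_decode(p))
    if claims.get("iss") != AS_ISSUER or claims.get("aud") != audience:
        return None
    if claims.get("exp", 0) <= now:
        return None
    return claims


class AuthorizationServer:
    """Owns the token endpoint; returns either a JWT or an opaque string as the bearer token."""

    def __init__(self, token_format="jwt"):
        self.token_format = token_format
        self._codes = {}    # authorization code -> (client_id, subject, redirect_uri)
        self._opaque = {}   # opaque token -> claims, served via introspection

    def issue_code(self, client_id, subject, redirect_uri):
        code = secrets.token_urlsafe(16)
        self._codes[code] = (client_id, subject, redirect_uri)
        return code

    def token_endpoint(self, grant_type, code, client_id, redirect_uri, now=None):
        now = time.time() if now is None else now
        if grant_type != "authorization_code":
            return {"error": "unsupported_grant_type"}
        entry = self._codes.pop(code, None)    # codes are single use
        if entry is None or entry[0] != client_id or entry[2] != redirect_uri:
            return {"error": "invalid_grant"}
        claims = {"iss": AS_ISSUER, "sub": entry[1], "aud": RESOURCE_AUDIENCE,
                  "client_id": client_id, "iat": int(now), "exp": int(now) + 600}
        if self.token_format == "jwt":
            access_token = mint_jwt(claims)
        else:
            access_token = secrets.token_urlsafe(24)
            self._opaque[access_token] = claims
        return {"access_token": access_token, "token_type": "Bearer", "expires_in": 600}

    def introspect(self, token, now=None):
        """STS-style introspection for opaque tokens."""
        now = time.time() if now is None else now
        claims = self._opaque.get(token)
        if claims is None or claims["exp"] <= now:
            return {"active": False}
        return {"active": True, **claims}


def resource_server_accepts(auth_server, token, now=None):
    """Validate a structured token locally, else fall back to introspection; return subject or None."""
    claims = verify_jwt(token, RESOURCE_AUDIENCE, now=now)
    if claims is not None:
        return claims["sub"]
    result = auth_server.introspect(token, now=now)
    if result.get("active") and result.get("aud") == RESOURCE_AUDIENCE:
        return result["sub"]
    return None
```

The client never inspects the token in either path, matching the spec's "opaque to the client" rule; only the resource server cares whether it can validate the token itself or must call back to the authorization server.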