IETF Logo Mail Archive

Re: [OAUTH-WG] JWT binding for OAuth 2.0

Prabath Siriwardena <prabath@wso2.com> Wed, 15 April 2015 11:30 UTC

Return-Path: <prabath@wso2.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6F0CB1A8779 for <oauth@ietfa.amsl.com>; Wed, 15 Apr 2015 04:30:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.378
X-Spam-Level:
X-Spam-Status: No, score=-1.378 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DpQiIXkV2Ctg for <oauth@ietfa.amsl.com>; Wed, 15 Apr 2015 04:30:13 -0700 (PDT)
Received: from mail-vn0-x231.google.com (mail-vn0-x231.google.com [IPv6:2607:f8b0:400c:c0f::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 876F91A876D for <oauth@ietf.org>; Wed, 15 Apr 2015 04:30:13 -0700 (PDT)
Received: by vnbg1 with SMTP id g1so13780307vnb.2 for <oauth@ietf.org>; Wed, 15 Apr 2015 04:30:12 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=wso2.com; s=google; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=pGKumX2ehPmflY37FtRhDPdA38xb6eOHtRQ0HWkl8G0=; b=hZSPRjGF//q5R0qCeJv7XMUhOfWaty08d2FEG3z84aOuABFdE/3ll9e66KqQTUCFQG YRkgqExUdeOuhsHcZKhKlWzRbOJNM2iTpFF0v2dDDOP6B84TOvACZ+P2/kAaOuPDEn1U IqFH5SyGXpB1QHvB5/w19ccgsKOeqVqUjWH94=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=pGKumX2ehPmflY37FtRhDPdA38xb6eOHtRQ0HWkl8G0=; b=R5J0USDUGxNowv54SnTMOiVhOLMh1HOT0DFQQC8r8Lk4Rlg9mHAz4l/GYqCHYRGyIu YsTul5TB1qAJh7plAm9P5Y0mcgcZHFPdrcQr1AGmBWXhgpEOvg8/lSSzLyQ+Od8Y6Ikv lkMBPsQruJyZLWWuWOtECwg/vwDR+UDLYB2qvLgf3ElJdyCdwLhS9mJPXwpUx5XmY52B 9PjNBHG3Z5vibF10i/sI8HmLtgcFM1bGCxWdTFjsgQIq3ZRBggOjAcQ8GLB9JXE8fQQX kafvwt6paPA+V81rr+7L5jc12MQu4XQ1l7q4jP+j0srPCZpH+1iqGJ/nbdYfm8M1ZA5z 2ACg==
X-Gm-Message-State: ALoCoQnZIkKI9bnhnrZYfoGbRBcwQZzx9olx+fLyIuNx9SF1K1RmsCvDhk118FkHEyCXphYoGziV
MIME-Version: 1.0
X-Received: by 10.60.63.141 with SMTP id g13mr20219647oes.3.1429097412322; Wed, 15 Apr 2015 04:30:12 -0700 (PDT)
Received: by 10.202.72.198 with HTTP; Wed, 15 Apr 2015 04:30:11 -0700 (PDT)
In-Reply-To: <552E1E60.8010602@gmx.net>
References: <CAJV9qO-PsiNOdfBAf9k0VJ7+eGkE_g_gbygdCbGMv2UT56Ld=g@mail.gmail.com> <A0FFB94C-1EDB-41B9-B1E2-6943B078145F@ve7jtb.com> <CAJV9qO8KJk07Hs7X0tE2UKxeQNA3XaQO2uOF5xfVz0eDd8RgrA@mail.gmail.com> <422C5670-7D2D-4E1C-9E06-74CCB9054260@ve7jtb.com> <CAJV9qO-u8dRB9Rs5Le2GyiVa+eS7U_3_mAAn=5qZz7HQLL=qdw@mail.gmail.com> <552E1E60.8010602@gmx.net>
Date: Wed, 15 Apr 2015 04:30:11 -0700
Message-ID: <CAJV9qO9r+xzfVqTsbmGmuhVLg9fsy0trRiaYjPLnOa3JJJQbDw@mail.gmail.com>
From: Prabath Siriwardena <prabath@wso2.com>
To: Hannes Tschofenig <hannes.tschofenig@gmx.net>
Content-Type: multipart/alternative; boundary="001a11c1db349c7d6b0513c1ab5a"
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/tdSBMuhm2vCTQF0wIi3wxHOV_HA>
Cc: "oauth@ietf.org WG" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] JWT binding for OAuth 2.0
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 15 Apr 2015 11:30:16 -0000

Hi Hannes,

I still think its equally important to have a transport independent binding
..

If you look at the SOAP world, WS-Security is self-contained in the message
itself.. and SAML SOAP binding is also another example...

Thanks & regards,
-Prabath


On Wed, Apr 15, 2015 at 1:16 AM, Hannes Tschofenig <
hannes.tschofenig@gmx.net> wrote:

> Hi Prabath,
>
> the reason we have documents that describe the transport of bearer
> tokens/proof-of-possession tokens over the different transports is a
> task is more than just conveying a JWT over some protocol.
>
> There are various documents that specify the transport of OAuth access
> tokens over some protocol:
>
> * Bearer Tokens over HTTPS:
> https://tools.ietf.org/html/rfc6750
>
> * Proof-of-Possession Tokens over TURN
> http://tools.ietf.org/html/draft-ietf-tram-turn-third-party-authz-13
>
> * Bearer Tokens over SASL:
> https://tools.ietf.org/html/draft-ietf-kitten-sasl-oauth-19
>
> * Bearer Tokens over CoAP:
> https://tools.ietf.org/html/draft-tschofenig-ace-oauth-bt-01
>
> * OAuth over SIP:
> https://tools.ietf.org/html/draft-yusef-sipcore-sip-oauth-02
>
> * Then, there is all the work on proof-of-possession tokens that
> requires thoughts on how to tie the access token to the request (see
> http://tools.ietf.org/html/draft-ietf-oauth-signed-http-request-01 or
> token binding at
> https://tools.ietf.org/html/draft-ietf-tokbind-protocol-00)
>
> If you look at these documents then you will see that the
> characteristics of the underlying protocol matter a lot from a security
> point of view. There are also encoding and discovery related aspects
> that need to be taken into account as well.
>
> If someone wants to figure out how to carry OAuth access tokens over
> MQTT then they will have to figure out whether there are some additional
> considerations to take into account.
>
> What we should probably doing in this group is to write a guidance
> document for using OAuth over <<foo>>.
>
> Ciao
> Hannes
>
> On 04/15/2015 12:02 AM, Prabath Siriwardena wrote:
> > It can be a JSON payload over JMS or even MQTT..
> >
> > I have seen some effort to create an MQTT binding for OAuth 2.0 - but
> > then again for each transport we need to have a binding..
> >
> > But - creating a message level binding would be much better IMHO..
> >
> > Thanks & regards,
> > -Prabath
> >
> > On Tue, Apr 14, 2015 at 2:55 PM, John Bradley <ve7jtb@ve7jtb.com
> > <mailto:ve7jtb@ve7jtb.com>> wrote:
> >
> >     Most of the pub sub things I have seen use HTTP transport.  Do you
> >     have a pointer to the protocol?
> >
> >>     On Apr 14, 2015, at 6:48 PM, Prabath Siriwardena <prabath@wso2.com
> >>     <mailto:prabath@wso2.com>> wrote:
> >>
> >>     Thanks John for the pointer - will have look..
> >>
> >>     I am looking this for a pub/sub scenario..  Having JWT binding
> >>     would benefit that..
> >>
> >>     Also - why I want access token to be inside a JWT is - when we
> >>     send a JSON payload in this case, we already have the JWT envelope
> >>     and the access token needs to be carried inside..
> >>
> >>     Thanks & regards,
> >>     -Prabath
> >>
> >>
> >>
> >>
> >>
> >>     On Tue, Apr 14, 2015 at 2:41 PM, John Bradley <ve7jtb@ve7jtb.com
> >>     <mailto:ve7jtb@ve7jtb.com>> wrote:
> >>
> >>         There is a OAuth binding to
> >>         SASL
> https://tools.ietf.org/html/draft-ietf-kitten-sasl-oauth-19
> >>
> >>         Google supports it for IMAP/SMTP,  I think the latest iOS and
> >>         OSX mail client updates use it rather than passwords for Google.
> >>         I also noticed Outlook on Android using it.
> >>
> >>         The access token might be a signed or encrypted JWT itself.  I
> >>         don’t know that wrapping it again necessarily helps.
> >>
> >>         Yes we should have bindings to other non http protocols.
> >>
> >>         Is there something specific that you are looking for that is
> >>         not covered by SASL?
> >>
> >>         John B.
> >>
> >>
> >>
> >>>         On Apr 14, 2015, at 6:21 PM, Prabath Siriwardena
> >>>         <prabath@wso2.com <mailto:prabath@wso2.com>> wrote:
> >>>
> >>>         At the moment we only HTTP binding to transport the access
> >>>         token (please correct me if not)..
> >>>
> >>>         This creates a dependency on the transport.
> >>>
> >>>         How about creating a JWT binding for OAuth 2.0..? We can
> >>>         transport the access token as an encrypted JWT header
> >>>         parameter..?
> >>>
> >>>
> >>>         Thanks & Regards,
> >>>         Prabath
> >>>
> >>>         Twitter : @prabath
> >>>         LinkedIn : http://www.linkedin.com/in/prabathsiriwardena
> >>>
> >>>         Mobile : +1 650 625 7950 <tel:%2B1%20650%20625%207950>
> >>>
> >>>         http://blog.facilelogin.com <http://blog.facilelogin.com/>
> >>>         http://blog.api-security.org <http://blog.api-security.org/>
> >>>         _______________________________________________
> >>>         OAuth mailing list
> >>>         OAuth@ietf.org <mailto:OAuth@ietf.org>
> >>>         https://www.ietf.org/mailman/listinfo/oauth
> >>
> >>
> >>
> >>
> >>     --
> >>     Thanks & Regards,
> >>     Prabath
> >>
> >>     Twitter : @prabath
> >>     LinkedIn : http://www.linkedin.com/in/prabathsiriwardena
> >>
> >>     Mobile : +1 650 625 7950 <tel:%2B1%20650%20625%207950>
> >>
> >>     http://blog.facilelogin.com <http://blog.facilelogin.com/>
> >>     http://blog.api-security.org <http://blog.api-security.org/>
> >
> >
> >
> >
> > --
> > Thanks & Regards,
> > Prabath
> >
> > Twitter : @prabath
> > LinkedIn : http://www.linkedin.com/in/prabathsiriwardena
> >
> > Mobile : +1 650 625 7950
> >
> > http://blog.facilelogin.com
> > http://blog.api-security.org
> >
> >
> > _______________________________________________
> > OAuth mailing list
> > OAuth@ietf.org
> > https://www.ietf.org/mailman/listinfo/oauth
> >
>
>


-- 
Thanks & Regards,
Prabath

Twitter : @prabath
LinkedIn : http://www.linkedin.com/in/prabathsiriwardena

Mobile : +1 650 625 7950

http://blog.facilelogin.com
http://blog.api-security.org

v2.23.0 | Report a Bug | By Email