Re: [OAUTH-WG] Concerning OAuth introspection
Justin Richer <jricher@mitre.org> Tue, 22 January 2013 19:00 UTC
Return-Path: <jricher@mitre.org>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1A3CE21F8A3E for <oauth@ietfa.amsl.com>; Tue, 22 Jan 2013 11:00:37 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.598
X-Spam-Level:
X-Spam-Status: No, score=-6.598 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cJ9TMnM+1wKv for <oauth@ietfa.amsl.com>; Tue, 22 Jan 2013 11:00:36 -0800 (PST)
Received: from smtpksrv1.mitre.org (smtpksrv1.mitre.org [198.49.146.77]) by ietfa.amsl.com (Postfix) with ESMTP id 0979921F8A3D for <oauth@ietf.org>; Tue, 22 Jan 2013 11:00:36 -0800 (PST)
Received: from smtpksrv1.mitre.org (localhost.localdomain [127.0.0.1]) by localhost (Postfix) with SMTP id 610E153106F3; Tue, 22 Jan 2013 14:00:35 -0500 (EST)
Received: from IMCCAS01.MITRE.ORG (imccas01.mitre.org [129.83.29.78]) by smtpksrv1.mitre.org (Postfix) with ESMTP id 4027953106E0; Tue, 22 Jan 2013 14:00:35 -0500 (EST)
Received: from [10.146.15.29] (129.83.31.58) by IMCCAS01.MITRE.ORG (129.83.29.78) with Microsoft SMTP Server (TLS) id 14.2.318.4; Tue, 22 Jan 2013 14:00:34 -0500
Message-ID: <50FEE1BF.5050200@mitre.org>
Date: Tue, 22 Jan 2013 14:00:15 -0500
From: Justin Richer <jricher@mitre.org>
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:17.0) Gecko/20130106 Thunderbird/17.0.2
MIME-Version: 1.0
To: Shiu Fun Poon <shiufunpoon@gmail.com>, "oauth@ietf.org" <oauth@ietf.org>
References: <CAHA4TYtCG+o0AZzh9e-3nb6gKLaWFeJuQfBxHVmUDH5Aj+TdpQ@mail.gmail.com>
In-Reply-To: <CAHA4TYtCG+o0AZzh9e-3nb6gKLaWFeJuQfBxHVmUDH5Aj+TdpQ@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------020408060301040407090605"
X-Originating-IP: [129.83.31.58]
Subject: Re: [OAUTH-WG] Concerning OAuth introspection
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 22 Jan 2013 19:00:37 -0000
(CC'ing the working group) I'm not sure what the "action/operation" flag would accomplish. The idea behind having different endpoints in OAuth is that they each do different kinds of things. The only "action/operation" that I had envisioned for the introspection endpoint is introspection itself: "I have a token, what does it mean?" Note that client_id and client_secret *can* already be used at this endpoint if the server supports that as part of their client credentials setup. The examples use HTTP Basic with client id and secret right now. Basically, the client can authenticate however it wants, including any of the methods that OAuth2 allows on the token endpoint. It could also authenticate with an access token. At least, that's the intent of the introspection draft -- if that's unclear, I'd be happy to accept suggested changes to clarify this text. -- Justin On 01/22/2013 01:00 PM, Shiu Fun Poon wrote: > Justin, > > This spec is looking good.. > > One thing I would like to recommend is to add "action"/"operation" to > the request. (and potentially add client_id and client_secret) > > So the request will be like : > token REQUIRED > operation (wording to be determine) OPTIONAL inquire (default) | > revoke ... > resource_id OPTIONAL > client_id OPTIONAL > client_secret OPTIONAL > > And for the OAuth client information, it should be an optional > parameter (in case it is a public client or client is authenticated > with SSL mutual authentication). > > Please consider. > > ShiuFun
- Re: [OAUTH-WG] Concerning OAuth introspection Justin Richer
- Re: [OAUTH-WG] Concerning OAuth introspection Nat Sakimura
- Re: [OAUTH-WG] Concerning OAuth introspection Justin Richer
- Re: [OAUTH-WG] Concerning OAuth introspection Justin Richer
- Re: [OAUTH-WG] Concerning OAuth introspection Sergey Beryozkin
- Re: [OAUTH-WG] Concerning OAuth introspection Anthony Nadalin
- Re: [OAUTH-WG] Concerning OAuth introspection Eve Maler
- Re: [OAUTH-WG] Concerning OAuth introspection Justin Richer
- Re: [OAUTH-WG] Concerning OAuth introspection Anthony Nadalin
- Re: [OAUTH-WG] Concerning OAuth introspection Justin Richer
- Re: [OAUTH-WG] Concerning OAuth introspection Eve Maler
- Re: [OAUTH-WG] Concerning OAuth introspection Eve Maler
- Re: [OAUTH-WG] Concerning OAuth introspection Justin Richer
- Re: [OAUTH-WG] Concerning OAuth introspection Mike Jones
- Re: [OAUTH-WG] Concerning OAuth introspection Anthony Nadalin
- Re: [OAUTH-WG] Concerning OAuth introspection Justin Richer
- Re: [OAUTH-WG] Concerning OAuth introspection Todd W Lainhart
- Re: [OAUTH-WG] Concerning OAuth introspection Phil Hunt
- Re: [OAUTH-WG] Concerning OAuth introspection Eve Maler
- Re: [OAUTH-WG] Concerning OAuth introspection Justin Richer
- Re: [OAUTH-WG] Concerning OAuth introspection Sergey Beryozkin
- Re: [OAUTH-WG] Concerning OAuth introspection Sergey Beryozkin
- Re: [OAUTH-WG] Concerning OAuth introspection Justin Richer
- Re: [OAUTH-WG] Concerning OAuth introspection Brian Campbell
- Re: [OAUTH-WG] Concerning OAuth introspection Sergey Beryozkin
- Re: [OAUTH-WG] Concerning OAuth introspection Justin Richer
- Re: [OAUTH-WG] Concerning OAuth introspection John Bradley
- Re: [OAUTH-WG] Concerning OAuth introspection Justin Richer
- Re: [OAUTH-WG] Concerning OAuth introspection Mike Jones
- Re: [OAUTH-WG] Concerning OAuth introspection Sergey Beryozkin
- Re: [OAUTH-WG] Concerning OAuth introspection Anthony Nadalin
- Re: [OAUTH-WG] Concerning OAuth introspection Mike Jones
- Re: [OAUTH-WG] Concerning OAuth introspection Justin Richer
- Re: [OAUTH-WG] Concerning OAuth introspection Sergey Beryozkin
- Re: [OAUTH-WG] Concerning OAuth introspection Justin Richer
- Re: [OAUTH-WG] Concerning OAuth introspection Sergey Beryozkin
- Re: [OAUTH-WG] Concerning OAuth introspection John Bradley
- Re: [OAUTH-WG] Concerning OAuth introspection Phil Hunt