Re: [OAUTH-WG] Partially standardized format for access tokens?
George Fletcher <gffletch@aol.com> Tue, 08 June 2010 14:17 UTC
Return-Path: <gffletch@aol.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 7D70528C1F0 for <oauth@core3.amsl.com>; Tue, 8 Jun 2010 07:17:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.001
X-Spam-Level:
X-Spam-Status: No, score=0.001 tagged_above=-999 required=5 tests=[BAYES_50=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id X7DjyECe-jIL for <oauth@core3.amsl.com>; Tue, 8 Jun 2010 07:17:55 -0700 (PDT)
Received: from imr-db03.mx.aol.com (imr-db03.mx.aol.com [205.188.91.97]) by core3.amsl.com (Postfix) with ESMTP id EC4EF28C1D1 for <oauth@ietf.org>; Tue, 8 Jun 2010 07:17:43 -0700 (PDT)
Received: from mtaout-ma03.r1000.mx.aol.com (mtaout-ma03.r1000.mx.aol.com [172.29.41.3]) by imr-db03.mx.aol.com (8.14.1/8.14.1) with ESMTP id o58EHGNP016601; Tue, 8 Jun 2010 10:17:16 -0400
Received: from palantir.local (unknown [10.181.183.108]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mtaout-ma03.r1000.mx.aol.com (MUA/Third Party Client Interface) with ESMTPSA id 8E7ECE000083; Tue, 8 Jun 2010 10:17:11 -0400 (EDT)
Message-ID: <4C0E50E7.5040909@aol.com>
Date: Tue, 08 Jun 2010 10:17:11 -0400
From: George Fletcher <gffletch@aol.com>
Organization: AOL LLC
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1.9) Gecko/20100317 Thunderbird/3.0.4
MIME-Version: 1.0
To: Luke Shepard <lshepard@facebook.com>
References: <AANLkTinQTV9JJPiftquRbvdqAOHxUXk7QQKCMrmQ4LLK@mail.gmail.com> <B549E6C4-A24D-4032-8A26-89ED58EBAA34@facebook.com> <4C090B6C.9030707@aol.com> <B6D1E6FF-D65F-4FD6-B148-C17550421FC9@facebook.com> <AANLkTilj0xG6SjHrzkd9Ca-N67J7IlsTNAOkyFdjQ62I@mail.gmail.com> <ED86A2AA-56D5-4DC6-B896-48A850EED3B2@facebook.com> <4C0930B2.80802@aol.com> <AANLkTimupEDpBUjg4iwwhPQ41ZKcryMcpVjJumXNIjP0@mail.gmail.com> <255B9BB34FB7D647A506DC292726F6E11263E5DA7C@WSMSG3153V.srv.dir.telstra.com> <383A9188-1AA6-49FE-95FC-5D6316BD18CD@jkemp.net> <255B9BB34FB7D647A506DC292726F6E11263EBF638@WSMSG3153V.srv.dir.telstra.com> <50227268-61DB-401E-A2AA-F8A984C1B6B3@jkemp.net> <6E69B6CE-FACA-4428-B6BA-48CF5B1E15C9@facebook.com>
In-Reply-To: <6E69B6CE-FACA-4428-B6BA-48CF5B1E15C9@facebook.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
x-aol-global-disposition: G
X-AOL-SCOLL-SCORE: 0:2:313055360:93952408
X-AOL-SCOLL-URL_COUNT: 0
x-aol-sid: 3039ac1d29034c0e50e7062c
X-AOL-IP: 10.181.183.108
Cc: "OAuth WG (oauth@ietf.org)" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Partially standardized format for access tokens?
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 08 Jun 2010 14:17:56 -0000
On 6/8/10 9:58 AM, Luke Shepard wrote: > Again: can you provide a specific, real-world example where this is > necessary? I'd rather not deal in hypotheticals. I've already answered > the case of a hypothetical endpoint that accepts both SAML and > JSON-encoded tokens. I believe one such case is person-to-person sharing where person A is NOT part of the same network as person B. If I have a protected resource at photos.example.com and I want to share with someone who is NOT a member of photos.example.com there are only a couple of options... 1. Today's method: security by obscurity with "non-guessable" URLs emailed to person B 2. Use OpenID and force Person B to "sign in" to photos.example.com (effectively establishing a relationship with photos.example.com that they might not want) 3. Have photos.example.com be able to accept a token from person B's authorization service saying this is person B when accessing the protected resource. Option 3 is a much better experience for the user and simpler to implement for any client that person B is using. However, this requires that photos.example.com be able to read and understand the token from person B's authorization server (AS). Hence we need some way to associate origin and format with the token. Personally, I think that using XRD the origin server could expose a "dumb mode" token validator such that resource owners that don't now how to process the token natively could still validate the token and get some minimal information. Thanks, George Some additional thoughts and links: http://practicalid.blogspot.com/2010/05/identity-as-attribute.html
- [OAUTH-WG] Partially standardized format for acce… Andrew Arnott
- Re: [OAUTH-WG] Partially standardized format for … Luke Shepard
- Re: [OAUTH-WG] Partially standardized format for … Torsten Lodderstedt
- Re: [OAUTH-WG] Partially standardized format for … George Fletcher
- Re: [OAUTH-WG] Partially standardized format for … George Fletcher
- Re: [OAUTH-WG] Partially standardized format for … Eve Maler
- Re: [OAUTH-WG] Partially standardized format for … Luke Shepard
- Re: [OAUTH-WG] Partially standardized format for … John Kemp
- Re: [OAUTH-WG] Partially standardized format for … Justin Richer
- Re: [OAUTH-WG] Partially standardized format for … Dick Hardt
- Re: [OAUTH-WG] Partially standardized format for … Dick Hardt
- Re: [OAUTH-WG] Partially standardized format for … Peter Saint-Andre
- Re: [OAUTH-WG] Partially standardized format for … Torsten Lodderstedt
- Re: [OAUTH-WG] Partially standardized format for … Dick Hardt
- Re: [OAUTH-WG] Partially standardized format for … Luke Shepard
- Re: [OAUTH-WG] Partially standardized format for … George Fletcher
- Re: [OAUTH-WG] Partially standardized format for … David Recordon
- Re: [OAUTH-WG] Partially standardized format for … John Kemp
- Re: [OAUTH-WG] Partially standardized format for … Torsten Lodderstedt
- Re: [OAUTH-WG] Partially standardized format for … Dick Hardt
- Re: [OAUTH-WG] Partially standardized format for … Dick Hardt
- Re: [OAUTH-WG] Partially standardized format for … Justin Richer
- Re: [OAUTH-WG] Partially standardized format for … John Kemp
- Re: [OAUTH-WG] Partially standardized format for … Luke Shepard
- Re: [OAUTH-WG] Partially standardized format for … Dick Hardt
- Re: [OAUTH-WG] Partially standardized format for … Manger, James H
- Re: [OAUTH-WG] Partially standardized format for … Andrew Arnott
- Re: [OAUTH-WG] Partially standardized format for … John Kemp
- Re: [OAUTH-WG] Partially standardized format for … Manger, James H
- Re: [OAUTH-WG] Partially standardized format for … Nat Sakimura
- Re: [OAUTH-WG] Partially standardized format for … Nat Sakimura
- Re: [OAUTH-WG] Partially standardized format for … John Kemp
- Re: [OAUTH-WG] Partially standardized format for … Luke Shepard
- Re: [OAUTH-WG] Partially standardized format for … George Fletcher
- Re: [OAUTH-WG] Partially standardized format for … Brian Eaton
- Re: [OAUTH-WG] Partially standardized format for … Brian Eaton
- Re: [OAUTH-WG] Partially standardized format for … George Fletcher