IETF Logo Mail Archive

Re: [OAUTH-WG] Partially standardized format for access tokens?

George Fletcher <gffletch@aol.com> Tue, 08 June 2010 14:17 UTC

Return-Path: <gffletch@aol.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 7D70528C1F0 for <oauth@core3.amsl.com>; Tue, 8 Jun 2010 07:17:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.001
X-Spam-Level:
X-Spam-Status: No, score=0.001 tagged_above=-999 required=5 tests=[BAYES_50=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id X7DjyECe-jIL for <oauth@core3.amsl.com>; Tue, 8 Jun 2010 07:17:55 -0700 (PDT)
Received: from imr-db03.mx.aol.com (imr-db03.mx.aol.com [205.188.91.97]) by core3.amsl.com (Postfix) with ESMTP id EC4EF28C1D1 for <oauth@ietf.org>; Tue, 8 Jun 2010 07:17:43 -0700 (PDT)
Received: from mtaout-ma03.r1000.mx.aol.com (mtaout-ma03.r1000.mx.aol.com [172.29.41.3]) by imr-db03.mx.aol.com (8.14.1/8.14.1) with ESMTP id o58EHGNP016601; Tue, 8 Jun 2010 10:17:16 -0400
Received: from palantir.local (unknown [10.181.183.108]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mtaout-ma03.r1000.mx.aol.com (MUA/Third Party Client Interface) with ESMTPSA id 8E7ECE000083; Tue, 8 Jun 2010 10:17:11 -0400 (EDT)
Message-ID: <4C0E50E7.5040909@aol.com>
Date: Tue, 08 Jun 2010 10:17:11 -0400
From: George Fletcher <gffletch@aol.com>
Organization: AOL LLC
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1.9) Gecko/20100317 Thunderbird/3.0.4
MIME-Version: 1.0
To: Luke Shepard <lshepard@facebook.com>
References: <AANLkTinQTV9JJPiftquRbvdqAOHxUXk7QQKCMrmQ4LLK@mail.gmail.com> <B549E6C4-A24D-4032-8A26-89ED58EBAA34@facebook.com> <4C090B6C.9030707@aol.com> <B6D1E6FF-D65F-4FD6-B148-C17550421FC9@facebook.com> <AANLkTilj0xG6SjHrzkd9Ca-N67J7IlsTNAOkyFdjQ62I@mail.gmail.com> <ED86A2AA-56D5-4DC6-B896-48A850EED3B2@facebook.com> <4C0930B2.80802@aol.com> <AANLkTimupEDpBUjg4iwwhPQ41ZKcryMcpVjJumXNIjP0@mail.gmail.com> <255B9BB34FB7D647A506DC292726F6E11263E5DA7C@WSMSG3153V.srv.dir.telstra.com> <383A9188-1AA6-49FE-95FC-5D6316BD18CD@jkemp.net> <255B9BB34FB7D647A506DC292726F6E11263EBF638@WSMSG3153V.srv.dir.telstra.com> <50227268-61DB-401E-A2AA-F8A984C1B6B3@jkemp.net> <6E69B6CE-FACA-4428-B6BA-48CF5B1E15C9@facebook.com>
In-Reply-To: <6E69B6CE-FACA-4428-B6BA-48CF5B1E15C9@facebook.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
x-aol-global-disposition: G
X-AOL-SCOLL-SCORE: 0:2:313055360:93952408
X-AOL-SCOLL-URL_COUNT: 0
x-aol-sid: 3039ac1d29034c0e50e7062c
X-AOL-IP: 10.181.183.108
Cc: "OAuth WG (oauth@ietf.org)" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Partially standardized format for access tokens?
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 08 Jun 2010 14:17:56 -0000

On 6/8/10 9:58 AM, Luke Shepard wrote:
> Again: can you provide a specific, real-world example where this is 
> necessary? I'd rather not deal in hypotheticals. I've already answered 
> the case of a hypothetical endpoint that accepts both SAML and 
> JSON-encoded tokens.
I believe one such case is person-to-person sharing where person A is 
NOT part of the same network as person B.

If I have a protected resource at photos.example.com and I want to share 
with someone who is NOT a member of photos.example.com there are only a 
couple of options...

1. Today's method: security by obscurity with "non-guessable" URLs 
emailed to person B

2. Use OpenID and force Person B to "sign in" to photos.example.com 
(effectively establishing a relationship with photos.example.com that 
they might not want)

3. Have photos.example.com be able to accept a token from person B's 
authorization service saying this is person B when accessing the 
protected resource.

Option 3 is a much better experience for the user and simpler to 
implement for any client that person B is using. However, this requires 
that photos.example.com be able to read and understand the token from 
person B's authorization server (AS). Hence we need some way to 
associate origin and format with the token.

Personally, I think that using XRD the origin server could expose a 
"dumb mode" token validator such that resource owners that don't now how 
to process the token natively could still validate the token and get 
some minimal information.

Thanks,
George

Some additional thoughts and links: 
http://practicalid.blogspot.com/2010/05/identity-as-attribute.html

v2.23.0 | Report a Bug | By Email