Re: [OAUTH-WG] OAuth Digest, Vol 74, Issue 31
Brian Thaga <thagabrian@gmail.com> Sat, 06 December 2014 12:43 UTC
Return-Path: <thagabrian@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E3D8F1A9038 for <oauth@ietfa.amsl.com>; Sat, 6 Dec 2014 04:43:18 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.299
X-Spam-Level:
X-Spam-Status: No, score=-0.299 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, J_CHICKENPOX_41=0.6, J_CHICKENPOX_51=0.6, SPF_PASS=-0.001, URI_NOVOWEL=0.5] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wF_0WKAD_1IM for <oauth@ietfa.amsl.com>; Sat, 6 Dec 2014 04:43:15 -0800 (PST)
Received: from mail-ig0-x22e.google.com (mail-ig0-x22e.google.com [IPv6:2607:f8b0:4001:c05::22e]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 59D021A8A0E for <oauth@ietf.org>; Sat, 6 Dec 2014 04:43:15 -0800 (PST)
Received: by mail-ig0-f174.google.com with SMTP id hn15so648021igb.7 for <oauth@ietf.org>; Sat, 06 Dec 2014 04:43:14 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :content-type; bh=p80DTHdArAcpj9+6pFjF3+zdqL/ilPi4Y8dvdjA59Ww=; b=UmrE1q81kOvc5rW6vJzVxISs/9N+Pz02xy8jxaVjpvMSJkUBm9Uiy4Z1LbLQ4mWMCc 7SMGgsS7P53MI+5MjRib/pzAwRCYFV0un9BxK4NZVor7pqObCeqFXqvJ+vJuXSJzJgbX 0bcd5zkAyZuC93NWKqnncTxDEV1gtiHTavSqxHstgJIJpnXVuHVGqtNyP5RsGuRbebRo ptyQDRD5mIn4XjuF0ZDtuZ7IBCMtrEG7VulIL4LM8yfyStNtLb5OKprUJPrBnMl5hND9 k31pJHmHomhq+ni3Tc6Ii8Y7Dt7rqQFubck1WmBCF1jbutY636zfRjUJSCznOkRTzfgn KhUw==
MIME-Version: 1.0
X-Received: by 10.50.114.97 with SMTP id jf1mr6858590igb.29.1417869794195; Sat, 06 Dec 2014 04:43:14 -0800 (PST)
Received: by 10.107.131.217 with HTTP; Sat, 6 Dec 2014 04:43:14 -0800 (PST)
In-Reply-To: <mailman.2318.1417570634.2908.oauth@ietf.org>
References: <mailman.2318.1417570634.2908.oauth@ietf.org>
Date: Sat, 06 Dec 2014 14:43:14 +0200
Message-ID: <CAB64j4XFho43N94=FgV36VkELXYPBk=E1XMvPExS7389wZ3M0w@mail.gmail.com>
From: Brian Thaga <thagabrian@gmail.com>
To: oauth@ietf.org
Content-Type: multipart/alternative; boundary="047d7b3a94d66bc09505098b892c"
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/v93nm4rZGz6HecvZWIdDkWfA_mw
Subject: Re: [OAUTH-WG] OAuth Digest, Vol 74, Issue 31
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 06 Dec 2014 12:43:19 -0000
On Wed, Dec 3, 2014 at 3:37 AM, <oauth-request@ietf.org> wrote: > Send OAuth mailing list submissions to > oauth@ietf.org > > To subscribe or unsubscribe via the World Wide Web, visit > https://www.ietf.org/mailman/listinfo/oauth > or, via email, send a message with subject or body 'help' to > oauth-request@ietf.org > > You can reach the person managing the list at > oauth-owner@ietf.org > > When replying, please edit your Subject line so it is more specific > than "Re: Contents of OAuth digest..." > > > Today's Topics: > > 1. Re: Review of draft-ietf-oauth-introspection-01 (Justin Richer) > > > ---------------------------------------------------------------------- > > Message: 1 > Date: Tue, 02 Dec 2014 20:36:59 -0500 > From: Justin Richer <jricher@mit.edu> > To: Phil Hunt <phil.hunt@oracle.com> > Cc: "oauth@ietf.org" <oauth@ietf.org> > Subject: Re: [OAUTH-WG] Review of draft-ietf-oauth-introspection-01 > Message-ID: <vsk5f8yo3l57x91s65bsay6a.1417570619461@email.android.com> > Content-Type: text/plain; charset="utf-8" > > Ah, I think I got my threads crossed. Then yes, I agree with you, and I'm > going to be making authorization a MUST instead of a SHOULD. Would love to > hear feedback from other implementers on this point.? > > > -- Justin > > / Sent from my phone / > > > -------- Original message -------- > From: Phil Hunt <phil.hunt@oracle.com> > Date:12/02/2014 8:25 PM (GMT-05:00) > To: Justin Richer <jricher@mit.edu> > Cc: oauth@ietf.org > Subject: Re: [OAUTH-WG] Review of draft-ietf-oauth-introspection-01 > > I was asking in the context of the thread where the comment was made that > you only need to authenticate if more information is provided. > > This didn?t make sense to me. Because you would never make the call to > re-confirm (pointless). Even a caller re-confirming is actually checking > for more information - to see if the assertion has been revoked. > > Phil > > @independentid > www.independentid.com > phil.hunt@oracle.com > > On Dec 2, 2014, at 5:04 PM, Justin Richer <jricher@mit.edu> wrote: > > Nothing says you need to pack the same information inside the JWT that you > return from introspection. In our specific case, we don't put scopes or > client IDs inside the JWT, just basic signature/identifier type stuff, so > you need to call introspection to get back this other information. But the > information inside the JWT includes an "iss" claim which the client can use > to figure out *which* introspection endpoint to call. > > This is just one of many different ways you could handle multiple AS at a > single resource, and so it's definitely orthogonal to the basic > introspection concept. > > -- Justin > > On 12/2/2014 6:38 PM, Phil Hunt wrote: > I am confused. Why would you call the introspection endpoint if you were > not expecting new information to be disclosed? > > Phil > > On Dec 2, 2014, at 14:26, Richer, Justin P. <jricher@mitre.org> wrote: > > I agree that there's some use in this (and in fact I've deployed a version > that uses a signed JWT to indicate its authorization server), but it should > remain outside the scope of this spec. It's a service discovery problem, > it's orthogonal. > > -- Justin > > > On Dec 2, 2014, at 5:13 PM, John Bradley <ve7jtb@ve7jtb.com> wrote: > > Yes, but unless there is something new the introspection endpoint in UMA > is tied to the resource. > > In some cases having the token indicate the introspection endpoint may be > useful. > > John B. > > Sent from my iPhone > > On Dec 2, 2014, at 10:02 PM, Eve Maler <eve@xmlgrrl.com> wrote: > > FWIW, UMA goes ahead and standardizes a good deal about the trust > establishment between the RS and the AS, and (of course) profiles and wraps > the token introspection spec as part of the resulting ?authorization API? > that the AS presents to the RS. A big part of the motivation for this is to > support an n:n relationship between AS and RS entities. > > EVe > > On 2 Dec 2014, at 12:14 PM, John Bradley <ve7jtb@ve7jtb.com> wrote: > > Many of the proprietary introspection protocols in use return scope, role > or other meta data for the RS to make its access policy decision on. > One of the reasons for using opaque tokens rather than JWT is to prevent > leakage of that info. > > Making authentication to the introspection endpoint a MUST if additional > attributes are present is OK, I might even be inclined to say that > authentication of some sort is always required, but that might be going a > bit far for some use cases. > > We have a lot of proprietary ways to do this from IBM, Layer 7, Ping etc. > It would be nice if we could standardize it. Precluding other attributes > would not be helpful for adoption. > > > One issue that we haven?t addressed in this spec is what happens if there > are multiple AS for the RS and how it would decide what introspection > endpoint to use. > Perhaps that needs to be a extension, leaving this for the simple case. > > However having more than on e AS per RS is not as unusual as it once was > in larger environments. > > John B. > > > On Dec 2, 2014, at 4:56 PM, Richer, Justin P. <jricher@mitre.org> wrote: > > Agreed, which is why we've got space for the "sub" and "user_id" fields > but not anything else about the user, and we've got a privacy > considerations section for dealing with that. If you can help make the > wording on that section stronger, I'd appreciate it. > > -- Justin > > On Dec 2, 2014, at 2:25 PM, Bill Mills <wmills_92105@yahoo.com> wrote: > > If introspection returns any other user data beyond what is strictly > required to validate the token based solely on possession of the public > part it would be a mistake. > > > On Tuesday, December 2, 2014 11:13 AM, "Richer, Justin P." < > jricher@mitre.org> wrote: > > > That's all fine -- it's all going over TLS anyway (RS->AS) just like the > original token fetch by the client (C->AS). Doesn't mean you need TLS > *into* the RS (C->RS) with a good PoP token. > > Can you explain how this is related to "act on behalf of"? I don't see any > connection. > > -- Justin > > On Dec 2, 2014, at 2:09 PM, Bill Mills <wmills_92105@yahoo.com> wrote: > > Fetching the public key for a token might be fine, but what if the > introspection endpoint returns the symmetric key? Data about the user? > Where does this blur the line between this and "act on behalf of"? > > > On Tuesday, December 2, 2014 11:05 AM, "Richer, Justin P." < > jricher@mitre.org> wrote: > > > The call to introspection has a TLS requirement, but the call to the RS > wouldn't necessarily have that requirement. The signature and the token > identifier are two different things. The identifier doesn't do an attacker > any good on its own without the verifiable signature that's associated with > it and the request. What I'm saying is that you introspect the identifier > and get back something that lets you, the RS, check the signature. > > -- Justin > > On Dec 2, 2014, at 1:40 PM, Bill Mills <wmills_92105@yahoo.com> wrote: > > "However, I think it's very clear how PoP tokens would work. ..." > > I don't know if that's true. POP tokens (as yet to be fully defined) would > then also have a TLS or transport security requirement unless there is > token introspection client auth in play I think. Otherwise I can as an > attacker take that toklen and get info about it that might be useful, and I > don't think that's what we want. > > -bill > > > > > > > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth > > > Eve Maler http://www.xmlgrrl.com/blog > +1 425 345 6756 http://www.twitter.com/xmlgrrl > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth > > > -------------- next part -------------- > An HTML attachment was scrubbed... > URL: < > http://www.ietf.org/mail-archive/web/oauth/attachments/20141202/97e34bdb/attachment.html > > > > ------------------------------ > > Subject: Digest Footer > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth > > > ------------------------------ > > End of OAuth Digest, Vol 74, Issue 31 > ************************************* >
- Re: [OAUTH-WG] OAuth Digest, Vol 74, Issue 31 Brian Thaga