IETF Logo Mail Archive

Re: [OAUTH-WG] Updated Charter to the IESG (this weekend)

John Bradley <ve7jtb@ve7jtb.com> Mon, 23 April 2012 14:19 UTC

Return-Path: <ve7jtb@ve7jtb.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0952521F8661 for <oauth@ietfa.amsl.com>; Mon, 23 Apr 2012 07:19:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.174
X-Spam-Level:
X-Spam-Status: No, score=-3.174 tagged_above=-999 required=5 tests=[AWL=-0.381, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1, SARE_URI_CONS7=0.306, URI_NOVOWEL=0.5]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id L+q66GJkA1Vc for <oauth@ietfa.amsl.com>; Mon, 23 Apr 2012 07:19:50 -0700 (PDT)
Received: from mail-qa0-f51.google.com (mail-qa0-f51.google.com [209.85.216.51]) by ietfa.amsl.com (Postfix) with ESMTP id 4AF9221F864A for <oauth@ietf.org>; Mon, 23 Apr 2012 07:19:50 -0700 (PDT)
Received: by qaea16 with SMTP id a16so1508538qae.10 for <oauth@ietf.org>; Mon, 23 Apr 2012 07:19:49 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=subject:mime-version:content-type:from:in-reply-to:date:cc :message-id:references:to:x-mailer:x-gm-message-state; bh=ChCMdGzHKxNBSiVVcQem/PL0yeOf1KflLExr7zK3OdI=; b=gdBZg+N8mxnENY45s0r+j2MMIiAbSelRvGjZb8PGK+yCnR6ip4SvHb0H1FD0JCa7+e 7JVXGY+AVlZLnU/FYE4wZ6sgNfoh5ACkSMRPKt1n9OHzYCt2p73x27WYyAKghynAIgVG bD5mqYNgxjFsRrEffO/Z1bNq7Iqjwwmkn5FGsWH+gsmlD2684nTpBRMVxj38KzihRXcu 7bz85wKxG00eqYLjCRsVK4aWQ1gDD1xt/0bKkm38hfn3SSu3diXKquKRqi75TCrfPVKR g1cwEVhOHEccIxsbP2GXXKEalk8mVusgwtnG1h3ziCVq3ljIvnoEh239otrcKyD0qYd/ Fm4w==
Received: by 10.224.180.212 with SMTP id bv20mr3344124qab.4.1335190789673; Mon, 23 Apr 2012 07:19:49 -0700 (PDT)
Received: from [192.168.1.213] (190-20-21-61.baf.movistar.cl. [190.20.21.61]) by mx.google.com with ESMTPS id hv18sm1402914qab.19.2012.04.23.07.19.41 (version=TLSv1/SSLv3 cipher=OTHER); Mon, 23 Apr 2012 07:19:47 -0700 (PDT)
Mime-Version: 1.0 (Apple Message framework v1257)
Content-Type: multipart/signed; boundary="Apple-Mail=_A0957514-3148-484B-91E4-762190898BC7"; protocol="application/pkcs7-signature"; micalg="sha1"
From: John Bradley <ve7jtb@ve7jtb.com>
In-Reply-To: <EFFCC865-25C2-451A-AA20-74AD60850CE3@xmlgrrl.com>
Date: Mon, 23 Apr 2012 11:19:21 -0300
Message-Id: <18D09FE1-A118-48C3-AC45-4DF79C325C28@ve7jtb.com>
References: <693A5F68-9F51-452C-B684-2A891133F875@gmx.net> <4F885BF9.2080307@mitre.org> <4E1F6AAD24975D4BA5B1680429673943664668FF@TK5EX14MBXC283.redmond.corp.microsoft.com> <4F88713C.6070309@mitre.org> <sjm62cz33zo.fsf@mocana.ihtfp.org> <4F8C6D43.2030701@mitre.org> <4F8F1B9F.1040302@lodderstedt.net> <4F8F1D94.4090208@mitre.org> <4F8F1F9C.7020008@lodderstedt.net> <4F8F22C4.6000900@mitre.org> <4F9059F5.1050705@lodderstedt.net> <EFFCC865-25C2-451A-AA20-74AD60850CE3@xmlgrrl.com>
To: Eve Maler <eve@xmlgrrl.com>
X-Mailer: Apple Mail (2.1257)
X-Gm-Message-State: ALoCoQksMzNfBiye4TgY7P5Y9KS+RS7S4QquDUdT9KPg3Hk7Mv0erW89yGJOi+67oTcn15+klr7o
Cc: Derek Atkins <derek@ihtfp.com>, "oauth@ietf.org WG" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Updated Charter to the IESG (this weekend)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 23 Apr 2012 14:19:52 -0000

Eve,

A number of us want to hold a session on the Tuesday of IIW to discuss the various options, that people have built.

UMA is one of the more advanced ones, but we also have Ping, MITRE,  AOL, and others.

There is a fair amount of overlap between them.

If the AS RS work is not included in the charter it will probably continue independently until the next rechartering.

John B.


On 2012-04-22, at 5:43 PM, Eve Maler wrote:

> Once again, you may want to look at the UMA core I-D to see how it defines an AS/RS interface:
> 
> http://tools.ietf.org/html/draft-hardjono-oauth-umacore-04
> (see particularly Section 3.3)
> 
> It uses what is by now a very common token introspection pattern to have the RS get the AS's crucial help in validating the token that was presented to it. UMA has a mandatory-to-implement token profile called "bearer", which treats the token introspection endpoint as a run-time way to get the content associated with the token blob. Obviously, what's returned from that call is currently UMA-specific (and in fact this class of profiles is called "UMA token profiles"). Note that the call to the token introspection endpoint must be accompanied by an OAuth token in the header because the endpoint is OAuth-protected. (Yes, it's turtles all the way down...) We haven't yet defined an "UMA JWT token profile", but that's the next logical step.
> 
> This type of introspection functionality could be called a narrow definition of the AS/RS interface requirement. To make it possible to have the AS and RS live in completely separate domains potentially controlled by different parties (a broad definition), a number of other elements would ultimately be required. This is where UMA's entire "protection API" may be interesting to look at, since it has been demonstrated to apply to typical OAuth use cases (single resource owner) as well as access management use cases (resource owner and requesting party are different).
> 
> 	Eve
> 
> On 19 Apr 2012, at 11:31 AM, Torsten Lodderstedt wrote:
> 
>> Hi Justin,
>> 
>> In my opinion, the OpenID Connect introspection/checkid endpoint is a convenience function for clients (not resource servers) unable to decrypt id tokens and validate their signatures. I'm not convinced this function is needed, that's why I proposed to drop it.
>> 
>> The AS-PR endpoint servers a different purpose, as it allows to implement handle-based token designs. The AS just creates simple token (e.g. a random number), which is very small and does not need to be encrypted or signed. This might result in simple designs. On the other hand, the PR needs to lookup authz data as part of the request implementation, which might have a negative impact on performance and scalability. That's where self-contained tokens, such as JWT have their merits.
>> 
>> I don't think one would combine self-contained tokens with an AS-PR endpoint. Or is this the case in any existing implementations?
>> 
>> The point I wanted to make is: no matter how the resource server acquires authz data (as token content/JWT or via request to another AS-PR endpoint), the authz data will be the same. And as part of the JWT standardization, we will identify this data and specify a JSON format to represent it. The same representation could be used at the AS-PR endpoint as well.
>> 
>> regards,
>> Torsten.
>> 
>> Am 18.04.2012 22:23, schrieb Justin Richer:
>>> I think we might be crossing wires about input to the token introspection endpoint vs. output from it.
>>> 
>>> In OpenID Connect, you send a JWT in, and get back a JSON object that represents the Claims bit of the JWT.
>>> 
>>> In our implementation (and I think both Ping and AOL's), you send in an arbitrary token (with no proscribed format) and get back a JSON object with different pieces in it. Ours included a list of scopes and an expiration timestamp, others did different things, like audience and issuer, as part of the return.
>>> 
>>> The point I was trying to make is that the information returned from the AS-PR interface isn't necessarily embedded inside of the token used to call that interface. In OpenID Connect, it is, and the CheckID endpoint just unwraps the JWT for you. In the larger case, what's really going on is that the PR presents a token that it's not sure what it's good for and gets back something that answers that question. Since a JWT Claims section can be an arbitrary JSON object (for all intents and purposes), you could use a JWT as the output of the introspection endpoint as well.
>>> 
>>> -- Justin
>>> 
>>> On 04/18/2012 04:10 PM, Torsten Lodderstedt wrote:
>>>> Hi Justin,
>>>> 
>>>> I refered to the data format used at the AS-PR interface. According to your description, you use JSON objects there. What data does such an object contain? Is this any different from a JSON Web Token (leaving aside digital signatures and encryption)?
>>>> 
>>>> regards,
>>>> Torsten.
>>>> 
>>>> Am 18.04.2012 22:01, schrieb Justin Richer:
>>>>> Not all implementations in the field that do this are using JWTs as the tokens. Ours in particular used a random blob with no structured information in it. The endpoint returned a JSON object.
>>>>> 
>>>>> -- Justin
>>>>> 
>>>>> On 04/18/2012 03:53 PM, Torsten Lodderstedt wrote:
>>>>>> Hi all,
>>>>>> 
>>>>>> is there enough experience in the field with such an interface to standardize it?
>>>>>> 
>>>>>> I would expect such an endpoint to return the same payload, which is carried in a JSON Web Token. So once we designed the JSON Web Tokens content, designing the AS-PR interface could be the next logical step (after the next re-charting).
>>>>>> 
>>>>>> regards,
>>>>>> Torsten.
>>>>>> 
>>>>>> Am 16.04.2012 21:04, schrieb Justin Richer:
>>>>>>> 
>>>>>>>>> OK, but with SWD and discovery off the table, can this now be
>>>>>>>>> considered to be within that manageable number instead?
>>>>>>>> We wanted to keep the # of WG items to approximately 5.  Once we finish
>>>>>>>> some of these items and get them off our plate we could roll new items
>>>>>>>> onto the plate, theoretically.
>>>>>>>> 
>>>>>>> 
>>>>>>> That's definitely true going forward, but what I was saying is that the number of items under consideration is now down to 4, with SWD moving to the Apps group. I was proposing that the whole introspection endpoint and general AS-PR connection could be this group's fifth starting document.
>>>>>>> 
>>>>>>> -- Justin
> 
> 
> Eve Maler                                  http://www.xmlgrrl.com/blog
> +1 425 345 6756                         http://www.twitter.com/xmlgrrl
> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email