Re: [OAUTH-WG] Fwd: New Version Notification for draft-hunt-oauth-v2-user-a4c-00.txt
Nat Sakimura <sakimura@gmail.com> Tue, 30 July 2013 16:27 UTC
Return-Path: <sakimura@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2257921F9C83 for <oauth@ietfa.amsl.com>; Tue, 30 Jul 2013 09:27:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599, HTML_MESSAGE=0.001, NO_RELAYS=-0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ouunjlufSUAo for <oauth@ietfa.amsl.com>; Tue, 30 Jul 2013 09:27:37 -0700 (PDT)
Received: from mail-la0-x22f.google.com (mail-la0-x22f.google.com [IPv6:2a00:1450:4010:c03::22f]) by ietfa.amsl.com (Postfix) with ESMTP id 588DA21E8083 for <oauth@ietf.org>; Tue, 30 Jul 2013 09:27:34 -0700 (PDT)
Received: by mail-la0-f47.google.com with SMTP id eo20so3570423lab.34 for <oauth@ietf.org>; Tue, 30 Jul 2013 09:27:33 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=JTt7M+wkhCT1JMru/e9GG5ZkpZb7lv1zlJYPUdWfzQM=; b=UAycOi5VaYoKLyNQKl3iaBLST/CtEvPi+kAhCaJaO9dnplGIgefr/ZEzGY69CMR3yG kea8TOcmc9G/ig5gp7Sg0GvVIb1n/dLSvU+vxz+X0ZmCFmgRpsIxWwmdBfKTZgngxZsU 7uRUbgdz5jY2tD+IAHPI5y3TrK29ETsd0Ee4ExtZWCwxnTWRgIRjRO1Jtdjl+YNEG4UQ b4ndCkROhsdnj9mVQGJLcZYQpfHOLXmHG/LcBxirOipa5MN9o50D8H4ZsTMhhQ4UT4go v/QtVWnnvJVXj5qP7OZVoKaKM4VYzHnfGjLHglirjWkC6ubIR5sWNCcG8xjxNvnTuUpJ xp8g==
MIME-Version: 1.0
X-Received: by 10.152.10.71 with SMTP id g7mr6665667lab.60.1375201652951; Tue, 30 Jul 2013 09:27:32 -0700 (PDT)
Received: by 10.112.134.38 with HTTP; Tue, 30 Jul 2013 09:27:32 -0700 (PDT)
In-Reply-To: <BAB6DA63-5831-49D0-8CB9-13CF57F78806@ve7jtb.com>
References: <787A2184-CE90-49F4-ABB6-B8D049AE3941@oracle.com> <E2282016-1953-48A4-B0AC-7F138D29AB80@oracle.com> <BAB6DA63-5831-49D0-8CB9-13CF57F78806@ve7jtb.com>
Date: Wed, 31 Jul 2013 01:27:32 +0900
Message-ID: <CABzCy2C=DXtFUOZh=55xH_BwMz1Z8gb2ShUHAG7ZmATtc4E4zw@mail.gmail.com>
From: Nat Sakimura <sakimura@gmail.com>
To: John Bradley <ve7jtb@ve7jtb.com>
Content-Type: multipart/alternative; boundary="001a1132f66204d14504e2bd16a2"
Cc: "oauth@ietf.org WG" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Fwd: New Version Notification for draft-hunt-oauth-v2-user-a4c-00.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 30 Jul 2013 16:27:39 -0000
I have written a short blog post titled "Write an OpenID Connect server in three simple steps<http://nat.sakimura.org/2013/07/28/write-openid-connect-server-in-three-simple-steps/> ". Really, there is not much you need to on top of OAuth 2.0. It puzzles me why you need to create a draft with only minor variances in parameter names. e.g., session instead of id_token lat instead of iat alv instead of acr etc. If you change those parameter names, you will have a conformant profile of OpenID Connect. Nat 2013/7/31 John Bradley <ve7jtb@ve7jtb.com> > Connect dosen't require a userinfo endpoint. It is required for > interoperability if you are building an open IdP. For an enterprise type > deployment discovery, registration, userifo are all optional. > > The server is required to pass the nonce which is equivalent to a request > ID through to the JWT if the client sends it in the request. > > Justin is correct. > > John B. > > On 2013-07-30, at 5:30 PM, Phil Hunt <phil.hunt@oracle.com> wrote: > > Forgot reply all. > > Phil > > Begin forwarded message: > > *From:* Phil Hunt <phil.hunt@oracle.com> > *Date:* 30 July, 2013 17:25:46 GMT+02:00 > *To:* "Richer, Justin P." <jricher@mitre.org> > *Subject:* *Re: [OAUTH-WG] New Version Notification for > draft-hunt-oauth-v2-user-a4c-00.txt* > > The whole point is authn only. Many do not want or need the userinfo > endpoint. > > Phil > > On 2013-07-30, at 17:17, "Richer, Justin P." <jricher@mitre.org> wrote: > > What do you mean? You absolutely can implement a compliant OIDC server > nearly as simply as this. The things that you're missing I think are > necessary for basic interoperable functionality, and are things that other > folks using OAuth for authentication have also implemented. Namely: > > - Signing the ID token (OIDC specifies the RS256 flavor of JWS, which > is easy to do with JWT). Without a signed and verifiable ID token or > equivalent, you're asking for all kinds of token injection problems. > - Session management requests (max auth age, auth time) > - Not fall over with other parameters that you don't support (display, > prompt, etc). > > See here for more information: > > http://openid.net/specs/openid-connect-messages-1_0.html#ServerMTI > > Additionally, something that's really important to support is the User > Info Endpoint, so you can actually get user profile information beyond just > the simple "someone was here" claim -- this was the real value of Facebook > Connect from an RP's perspective. Some people will probably want to use > SCIM for this, too, and that's fine. > > -- Justin > > On Jul 30, 2013, at 10:54 AM, Phil Hunt <phil.hunt@oracle.com> > wrote: > > The oidc specs do not allow this simple an implementation. The spec > members have not shown interest in making changes as they say they are too > far down the road. > > I have tried to make my draft as close as possible to oidc but maybe it > shouldn't be clarity wise. I am interested in what the group feels is > clearest. > > From an ietf perspective the concern is improper use of the 6749 for > authn. Is this a bug or gap we need to address? > > Phil > > On 2013-07-30, at 16:46, "Richer, Justin P." <jricher@mitre.org> wrote: > > From what I read, you've defined something that uses an OAuth 2 code > flow to get an extra token which is specified as a JWT. You named it > "session_token" instead of "id_token", and you've left off the User > Information Endpoint -- but other than that, this is exactly the Basic > Client for OpenID Connect. In other words, if you change the names on > things you've got OIDC, but without the capabilities to go beyond a very > basic "hey there's a user here" claim. This is the same place that OpenID > 2.0 started, and it was very, very quickly extended with SREG, AX, PAPE, > and others for it to be useful in the real world of distributed logins. > You've also left out discovery and registration which are required for > distributed deployments, but I'm guessing that those would be modular > components that could be added in (like they are in OIDC). > > I've heard complaints that OIDC is complicated, but it's really not. > Yes, I agree that the giant stack of documents is intimidating and in my > opinion it's a bit of a mess with Messages and Standard split up (but I > lost that argument years ago). However, at the core, you've got an OAuth2 > authorization server that spits out access tokens and id tokens. The id > token is a JWT with some known claims (iss, sub, etc) and is issued along > side the access token, and its audience is the *client* and not the > *protected resource*. The access token is a regular old access token and > its format is undefined (so you can use it with an existing OAuth2 server > setup, like we have), and it can be used at the User Info Endpoint to get > profile information about the user who authenticated. It could also be used > for other services if your AS/IdP protects multiple things. > > So I guess what I'm missing is what's the value proposition in this spec > when we have something that can do this already? And this doesn't seem to > do anything different (apart from syntax changes)? > > -- Justin > > On Jul 29, 2013, at 4:14 AM, Phil Hunt <phil.hunt@oracle.com> wrote: > > FYI. I have been noticing a substantial number of sites acting as OAuth > Clients using OAuth to authenticate users. > > I know several of us have blogged on the issue over the past year so I > won't re-hash it here. In short, many of us recommended OIDC as the > correct methodology. > > Never-the-less, I've spoken with a number of service providers who > indicate they are not ready to make the jump to OIDC, yet they agree there > is a desire to support authentication only (where as OIDC does IDP-like > services). > > This draft is intended as a minimum authentication only specification. > I've tried to make it as compatible as possible with OIDC. > > For now, I've just posted to keep track of the issue so we can address > at the next re-chartering. > > Happy to answer questions and discuss. > > Phil > > @independentid > www.independentid.com > phil.hunt@oracle.com > > > > > > Begin forwarded message: > > *From: *internet-drafts@ietf.org > *Subject: **New Version Notification for > draft-hunt-oauth-v2-user-a4c-00.txt* > *Date: *29 July, 2013 9:49:41 AM GMT+02:00 > *To: *Phil Hunt <phil.hunt@yahoo.com>, Phil Hunt <None@ietfa.amsl.com>, > Phil Hunt <> > > > A new version of I-D, draft-hunt-oauth-v2-user-a4c-00.txt > has been successfully submitted by Phil Hunt and posted to the > IETF repository. > > Filename: draft-hunt-oauth-v2-user-a4c > Revision: 00 > Title: OAuth 2.0 User Authentication For Client > Creation date: 2013-07-29 > Group: Individual Submission > Number of pages: 9 > URL: > http://www.ietf.org/internet-drafts/draft-hunt-oauth-v2-user-a4c-00.txt > Status: > http://datatracker.ietf.org/doc/draft-hunt-oauth-v2-user-a4c > Htmlized: > http://tools.ietf.org/html/draft-hunt-oauth-v2-user-a4c-00 > > > Abstract: > This specification defines a new OAuth2 endpoint that enables user > authentication session information to be shared with client > applications. > > > > > Please note that it may take a couple of minutes from the time of > submission > until the htmlized version and diff are available at tools.ietf.org. > > The IETF Secretariat > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth > > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth > > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth > > -- Nat Sakimura (=nat) Chairman, OpenID Foundation http://nat.sakimura.org/ @_nat_en
- [OAUTH-WG] Fwd: New Version Notification for draf… Phil Hunt
- Re: [OAUTH-WG] Fwd: New Version Notification for … Anthony Nadalin
- Re: [OAUTH-WG] New Version Notification for draft… Richer, Justin P.
- Re: [OAUTH-WG] New Version Notification for draft… Phil Hunt
- Re: [OAUTH-WG] New Version Notification for draft… Richer, Justin P.
- [OAUTH-WG] Fwd: New Version Notification for draf… Phil Hunt
- Re: [OAUTH-WG] New Version Notification for draft… Richer, Justin P.
- Re: [OAUTH-WG] Fwd: New Version Notification for … John Bradley
- Re: [OAUTH-WG] Fwd: New Version Notification for … Nat Sakimura
- Re: [OAUTH-WG] New Version Notification for draft… Brian Campbell
- Re: [OAUTH-WG] New Version Notification for draft… Paul Madsen
- Re: [OAUTH-WG] New Version Notification for draft… Richer, Justin P.
- Re: [OAUTH-WG] New Version Notification for draft… Todd W Lainhart
- Re: [OAUTH-WG] New Version Notification for draft… Nat Sakimura
- Re: [OAUTH-WG] Fwd: New Version Notification for … Prateek Mishra
- Re: [OAUTH-WG] Fwd: New Version Notification for … Nat Sakimura
- [OAUTH-WG] Need for Extending OAuth with AuthN (w… Prateek Mishra
- Re: [OAUTH-WG] Need for Extending OAuth with Auth… Bill Mills
- Re: [OAUTH-WG] Need for Extending OAuth with Auth… Richer, Justin P.
- Re: [OAUTH-WG] Need for Extending OAuth with Auth… Prateek Mishra
- Re: [OAUTH-WG] Need for Extending OAuth with Auth… William Mills
- Re: [OAUTH-WG] Need for Extending OAuth with Auth… Nat Sakimura
- Re: [OAUTH-WG] Need for Extending OAuth with Auth… Anthony Nadalin
- Re: [OAUTH-WG] Need for Extending OAuth with Auth… Richer, Justin P.
- Re: [OAUTH-WG] Need for Extending OAuth with Auth… Anthony Nadalin
- Re: [OAUTH-WG] Need for Extending OAuth with Auth… Nat Sakimura
- Re: [OAUTH-WG] Need for Extending OAuth with Auth… Richer, Justin P.
- Re: [OAUTH-WG] Need for Extending OAuth with Auth… Anthony Nadalin
- Re: [OAUTH-WG] Need for Extending OAuth with Auth… Torsten Lodderstedt
- Re: [OAUTH-WG] Need for Extending OAuth with Auth… Nat Sakimura
- Re: [OAUTH-WG] Need for Extending OAuth with Auth… Phil Hunt
- Re: [OAUTH-WG] Need for Extending OAuth with Auth… Mike Jones
- Re: [OAUTH-WG] Need for Extending OAuth with Auth… Phil Hunt
- Re: [OAUTH-WG] Need for Extending OAuth with Auth… Nat Sakimura
- Re: [OAUTH-WG] Need for Extending OAuth with Auth… Bill Mills
- Re: [OAUTH-WG] Need for Extending OAuth with Auth… Nat Sakimura
- Re: [OAUTH-WG] Need for Extending OAuth with Auth… Phil Hunt
- Re: [OAUTH-WG] Need for Extending OAuth with Auth… Nat Sakimura