Re: [OAUTH-WG] JWT binding for OAuth 2.0
Prabath Siriwardena <prabath@wso2.com> Tue, 14 April 2015 21:48 UTC
Return-Path: <prabath@wso2.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CE1641A1EF6 for <oauth@ietfa.amsl.com>; Tue, 14 Apr 2015 14:48:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.368
X-Spam-Level:
X-Spam-Status: No, score=-1.368 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, SPF_PASS=-0.001, T_FILL_THIS_FORM_SHORT=0.01] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dvk4Hv8skytP for <oauth@ietfa.amsl.com>; Tue, 14 Apr 2015 14:48:37 -0700 (PDT)
Received: from mail-vn0-x231.google.com (mail-vn0-x231.google.com [IPv6:2607:f8b0:400c:c0f::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2E5841A1BC6 for <oauth@ietf.org>; Tue, 14 Apr 2015 14:48:37 -0700 (PDT)
Received: by vnbg129 with SMTP id g129so8736689vnb.4 for <oauth@ietf.org>; Tue, 14 Apr 2015 14:48:36 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=wso2.com; s=google; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=Mld1fW51JZiBVCK7P3E4gXkBUixVcEsGqh7ip5+Sqek=; b=UCvFIFd4mzf80iCxUlazrDnUzesqHDgksS/L0tHH2ebeCeCaoRMo0E1lBeHXOtYSNl YLE0EzwMnzrqh7OuyBaiOPFHh869wbJPM2a4LSQquFRATbYmH79TrtLD5pOlFdcwsPGO 1Kceys+5IZu7bHL1l98R1cv1wmvafoyRD0Pzw=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=Mld1fW51JZiBVCK7P3E4gXkBUixVcEsGqh7ip5+Sqek=; b=HY/UFPACICgvTttsDVwbe/LzOlZ+tr5DWj3n6VrLq8iAy2lMokZNChe5MB+fGbYQYT Sx1WsGxdt55Jn10p7HtSoJvQmeKEVSGLms1HXPQN19nz+7Y9JZqIPCem4M6n4JjDt1pN eHDqV2RDaS+nQWG81mVtmEQWA43M0TFZMWuZSy3BHBHhaxXSWoDINcgkls5Ad3RminA8 Fiz1qT+6MbNQ8wFLLp2Ut9tRamztz6T3v8NF/75ZAnE25D2TVy+aAPhVgEm1mCYgr0di vYSs7xzVM8ZM90kRRKda7CsvO/XsCCID/44xNx6yy9Wt0m8MaV/uAgRpaagzomFgnz9e AFug==
X-Gm-Message-State: ALoCoQmnyQ/IvXAF+DnjglH1lFrW4KXBzZgN77qpaiLc/QJx9Iw9gLpD81883omWzJFgMmWh7rnC
MIME-Version: 1.0
X-Received: by 10.60.220.137 with SMTP id pw9mr18295674oec.47.1429048116399; Tue, 14 Apr 2015 14:48:36 -0700 (PDT)
Received: by 10.202.72.198 with HTTP; Tue, 14 Apr 2015 14:48:36 -0700 (PDT)
In-Reply-To: <A0FFB94C-1EDB-41B9-B1E2-6943B078145F@ve7jtb.com>
References: <CAJV9qO-PsiNOdfBAf9k0VJ7+eGkE_g_gbygdCbGMv2UT56Ld=g@mail.gmail.com> <A0FFB94C-1EDB-41B9-B1E2-6943B078145F@ve7jtb.com>
Date: Tue, 14 Apr 2015 14:48:36 -0700
Message-ID: <CAJV9qO8KJk07Hs7X0tE2UKxeQNA3XaQO2uOF5xfVz0eDd8RgrA@mail.gmail.com>
From: Prabath Siriwardena <prabath@wso2.com>
To: John Bradley <ve7jtb@ve7jtb.com>
Content-Type: multipart/alternative; boundary="001a11347f905863ce0513b6313b"
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/wHTFxseykOsLW_POKYgAcN3p_Qk>
Cc: "oauth@ietf.org WG" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] JWT binding for OAuth 2.0
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 14 Apr 2015 21:48:39 -0000
Thanks John for the pointer - will have look.. I am looking this for a pub/sub scenario.. Having JWT binding would benefit that.. Also - why I want access token to be inside a JWT is - when we send a JSON payload in this case, we already have the JWT envelope and the access token needs to be carried inside.. Thanks & regards, -Prabath On Tue, Apr 14, 2015 at 2:41 PM, John Bradley <ve7jtb@ve7jtb.com> wrote: > There is a OAuth binding to SASL > https://tools.ietf.org/html/draft-ietf-kitten-sasl-oauth-19 > > Google supports it for IMAP/SMTP, I think the latest iOS and OSX mail > client updates use it rather than passwords for Google. > I also noticed Outlook on Android using it. > > The access token might be a signed or encrypted JWT itself. I don’t know > that wrapping it again necessarily helps. > > Yes we should have bindings to other non http protocols. > > Is there something specific that you are looking for that is not covered > by SASL? > > John B. > > > > On Apr 14, 2015, at 6:21 PM, Prabath Siriwardena <prabath@wso2.com> wrote: > > At the moment we only HTTP binding to transport the access token (please > correct me if not).. > > This creates a dependency on the transport. > > How about creating a JWT binding for OAuth 2.0..? We can transport the > access token as an encrypted JWT header parameter..? > > > Thanks & Regards, > Prabath > > Twitter : @prabath > LinkedIn : http://www.linkedin.com/in/prabathsiriwardena > > Mobile : +1 650 625 7950 > > http://blog.facilelogin.com > http://blog.api-security.org > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth > > > -- Thanks & Regards, Prabath Twitter : @prabath LinkedIn : http://www.linkedin.com/in/prabathsiriwardena Mobile : +1 650 625 7950 http://blog.facilelogin.com http://blog.api-security.org
- [OAUTH-WG] JWT binding for OAuth 2.0 Prabath Siriwardena
- Re: [OAUTH-WG] JWT binding for OAuth 2.0 John Bradley
- Re: [OAUTH-WG] JWT binding for OAuth 2.0 Prabath Siriwardena
- Re: [OAUTH-WG] JWT binding for OAuth 2.0 John Bradley
- Re: [OAUTH-WG] JWT binding for OAuth 2.0 Prabath Siriwardena
- Re: [OAUTH-WG] JWT binding for OAuth 2.0 Bill Mills
- Re: [OAUTH-WG] JWT binding for OAuth 2.0 Phil Hunt
- Re: [OAUTH-WG] JWT binding for OAuth 2.0 Hannes Tschofenig
- Re: [OAUTH-WG] JWT binding for OAuth 2.0 Prabath Siriwardena
- Re: [OAUTH-WG] JWT binding for OAuth 2.0 Hannes Tschofenig
- Re: [OAUTH-WG] JWT binding for OAuth 2.0 Prabath Siriwardena