Re: [OAUTH-WG] Grant Type to Login via another Provider's OAuth Token

Justin Richer <jricher@mit.edu> Sun, 12 April 2015 16:41 UTC

From: Justin Richer <jricher@mit.edu>
Date: Sun, 12 Apr 2015 11:41:10 -0500
To: Spencer MacDonald <spencer.macdonald.other@gmail.com>
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] Grant Type to Login via another Provider's OAuth Token

You can’t rely on the presence of an access token to log a user in. Some more information is available here:

http://oauth.net/articles/authentication/

However, if you want to bridge authorization based on an external token and you’re willing to do some validation of that token, you can use something like the draft token chaining mechanism defined here:

https://tools.ietf.org/html/draft-richer-oauth-chain-00

For this, your AS will basically take in a Facebook token, validate it, and spit out a domain-local token.

This doesn’t, however, tell you much about someone being “logged in” from Facebook; it just means you’ve got an authorized application. Again, see the oauth.net article for more details on common pitfalls.

A standards-based way to do login is to use the OpenID Connect ID Token.

 — Justin

> On Apr 12, 2015, at 8:29 AM, Spencer MacDonald <spencer.macdonald.other@gmail.com> wrote:
> 
> Hi,
> 
> I wondered if there was a best practice/standard/extension grant type for exchanging an OAuth Token from another provider (instead of a username and password) for an OAuth Token.
> 
> The situation I am facing is that I am developing a native iOS application that makes use of the Facebook Graph API, whereby I fetch an OAuth Token using their native SDK on the device. I then want to log in by exchanging their Facebook OAuth Token with my server (the OAuth Token is then used on the server to process data) in exchange for an OAuth Token to communicate with my server.
> 
> Is there a best practice for this approach?
> 
> Regards
> 
> Spencer
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
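The exchange Justin describes (an AS that takes in an external provider's token, validates it, and issues a domain-local token) as an added example; this is not code from the thread, from the chaining draft, or from Facebook. The grant type URN, app id, signing key, token format and the introspection data are all invented stand-ins: a real AS would call the provider's token-debug/introspection endpoint over TLS with its own app credential instead of reading the constructed dictionary below. The check worth noticing is the `app_id` comparison: a perfectly valid token that was issued to some other application must not be accepted, because that is exactly the confused-deputy problem the oauth.net article warns about when access tokens are mistaken for proof of login.

```python
import base64
import hashlib
import hmac
import json

# --- Assumptions (not from the thread or the draft) -------------------------
CHAIN_GRANT_TYPE = "urn:example:params:oauth:grant-type:external-token"  # placeholder URN
MY_PROVIDER_APP_ID = "123456789"               # our app's id at the external provider
LOCAL_ISSUER = "https://as.example"
LOCAL_SIGNING_KEY = b"example-only-hmac-key"   # use a managed key in production
LOCAL_TOKEN_LIFETIME = 900
NOW = 1_700_000_000                            # fixed clock so the example is deterministic
SCOPE_MAP = {"email": "profile:email", "public_profile": "profile:read"}  # provider -> local

# Constructed stand-in for the provider's token introspection response.
# Field names loosely follow a debug_token-style reply; the values are invented.
FAKE_PROVIDER_INTROSPECTION = {
    "ext-token-for-my-app": {"is_valid": True, "app_id": "123456789", "user_id": "u-42",
                             "expires_at": NOW + 3600, "scopes": ["email", "public_profile"]},
    "ext-token-for-other-app": {"is_valid": True, "app_id": "987654321", "user_id": "u-42",
                                "expires_at": NOW + 3600, "scopes": ["email"]},
    "ext-token-expired": {"is_valid": False, "app_id": "123456789", "user_id": "u-42",
                          "expires_at": NOW - 1, "scopes": ["email"]},
}


class ExchangeError(Exception):
    """An OAuth token-endpoint error: error code plus description."""
    def __init__(self, code, description):
        super().__init__(description)
        self.code, self.description = code, description


def introspect_external_token(token):
    """Stand-in for the network call to the provider's introspection endpoint."""
    return FAKE_PROVIDER_INTROSPECTION.get(token)


def validate_external_token(token, now):
    """Return provider claims for a token we are willing to chain from.
    The app_id comparison is the important check: a valid token issued to a
    different application must not be accepted as proof of anything about us."""
    info = introspect_external_token(token)
    if info is None or not info["is_valid"]:
        raise ExchangeError("invalid_grant", "external token is not valid")
    if info["expires_at"] <= now:
        raise ExchangeError("invalid_grant", "external token has expired")
    if info["app_id"] != MY_PROVIDER_APP_ID:
        raise ExchangeError("invalid_grant", "external token was issued to a different app")
    return info


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def mint_local_token(user_id, scopes, now):
    """Domain-local token: HMAC-SHA256 over a base64url JSON payload (example format)."""
    payload = {"iss": LOCAL_ISSUER, "sub": user_id, "iat": now,
               "exp": now + LOCAL_TOKEN_LIFETIME, "scope": " ".join(scopes)}
    body = _b64url(json.dumps(payload, sort_keys=True).encode())
    sig = hmac.new(LOCAL_SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"


def verify_local_token(token, now):
    """Verify one of our own tokens; returns the payload dict or None."""
    try:
        body, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(LOCAL_SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None
    payload = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    if payload["iss"] != LOCAL_ISSUER or payload["exp"] <= now:
        return None
    return payload


def token_endpoint(form, now=NOW):
    """Handle a chaining request; returns (http_status, response_body)."""
    if form.get("grant_type") != CHAIN_GRANT_TYPE:
        return 400, {"error": "unsupported_grant_type"}
    ext = form.get("external_token")
    if not ext:
        return 400, {"error": "invalid_request", "error_description": "external_token required"}
    try:
        info = validate_external_token(ext, now)
    except ExchangeError as e:
        return 400, {"error": e.code, "error_description": e.description}
    # Map provider scopes onto our own vocabulary rather than passing them through.
    local_scopes = sorted({SCOPE_MAP[s] for s in info["scopes"] if s in SCOPE_MAP})
    token = mint_local_token(info["user_id"], local_scopes, now)
    return 200, {"access_token": token, "token_type": "Bearer",
                 "expires_in": LOCAL_TOKEN_LIFETIME, "scope": " ".join(local_scopes)}


if __name__ == "__main__":
    for t in FAKE_PROVIDER_INTROSPECTION:
        print(t, token_endpoint({"grant_type": CHAIN_GRANT_TYPE, "external_token": t}))
```

Note what the result is and is not: the local token says that this client presented a provider token that our app was issued for a given user id; it does not record an authentication event, which is why a deployment that actually needs "the user logged in just now" should ask the provider for an OpenID Connect ID Token rather than infer it from an access token.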