Re: [OAUTH-WG] draft-ietf-oauth-dyn-reg and bearer tokens

"Tschofenig, Hannes (NSN - FI/Espoo)" <hannes.tschofenig@nsn.com> Thu, 06 June 2013 06:08 UTC

From: "Tschofenig, Hannes (NSN - FI/Espoo)" <hannes.tschofenig@nsn.com>
To: "ext Manger, James H" <James.H.Manger@team.telstra.com>, "oauth@ietf.org" <oauth@ietf.org>
Thread-Topic: draft-ietf-oauth-dyn-reg and bearer tokens
Thread-Index: AQHOYms9Z5uentUEQ0a1nMEI/x/WbpkoM2Jw
Date: Thu, 06 Jun 2013 06:08:08 +0000
Message-ID: <1373E8CE237FCC43BCA36C6558612D2A9F2574@USCHMBX001.nsn-intra.net>
References: <20130524203638.25945.84709.idtracker@ietfa.amsl.com> <51A7ADAE.4070005@mitre.org> <62636DE9-80BD-4B83-817B-3E6622434FD0@oracle.com> <51A7C00B.6050409@mitre.org> <78BAEE23-FB66-4BA5-A1A5-5626D22AA014@oracle.com> <B33BFB58CCC8BE4998958016839DE27E08F97708@IMCMBX01.MITRE.ORG> <18C751E2-31B2-4C7F-BC9A-49F382F96673@oracle.com> <77A0DA5E-09CE-4A5E-9500-54A0842252FB@oracle.com> <F293690C-1E82-4350-80D4-2E2C0EF86E55@oracle.com> <51A8C0ED.6040607@mitre.org> <87E1F74D-9CCA-4330-82D6-AB3D9B8EF48D@oracle.com> <F319CA95-B5A8-4BD5-A8BA-F57BCBA6806B@oracle.com> <51A8E0BD.9090908@mitre.org> <521EB2A2-C786-43BE-9449-A12324347E6D@oracle.com> <002701ce5e33$620faaa0$262effe0$@reminetworks.com> <0561023C-4AFC-4281-BC62-764C12EC763D@oracle.com> <51A8FCA6.9050109@mitre.org> <004401ce5e3a$01854b70$048fe250$@reminetworks.com> <CA+ZpN24S9fEfFsgMtu8pN-ct-100+HVSHAfqO4Yy2SksrYt1eA@mail.gmail.com> <255B9BB34FB7D647A506DC292726F6E1151B105DA5@WSMSG3153V.srv.dir.telstra.com>
In-Reply-To: <255B9BB34FB7D647A506DC292726F6E1151B105DA5@WSMSG3153V.srv.dir.telstra.com>
Accept-Language: en-US
Content-Language: en-US

James, this is a very good question, particularly since we have a working group item in progress that provides security properties beyond bearer tokens.

Ciao
Hannes


From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of ext Manger, James H
Sent: Thursday, June 06, 2013 7:06 AM
To: oauth@ietf.org
Subject: [OAUTH-WG] draft-ietf-oauth-dyn-reg and bearer tokens

BEARER tokens dominate OAuth 2 deployments today, but OAuth 2 is deliberately extensible to support other sorts of credentials (e.g. MAC authentication).

Why is draft-ietf-oauth-dyn-reg hardwired to only support BEARER tokens?

1.3. “Registration Tokens and Credentials” says:

  “The Initial Access Token … is an OAuth 2.0 Bearer Token”

  “The Registration Access Token … is an OAuth 2.0 Bearer Token”

Google’s TLS ChannelIDs [draft-balfanz-tls-channelid], for instance, would be a fantastic fit for linking the first registration request with any subsequent registration modifications. The Registration Access Token would be annoying legacy baggage in that situation.


It seems that the Registration Access Token is only ever used at a single URI: registration_client_uri. That sounds like the perfect situation to use a “capability URI”, effectively putting the token in the URI. Anyone considered doing that? It should significantly simplify the spec.

--
James Manger
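To make the two designs discussed in this thread concrete, here is an added example (not code from the draft, the thread, or any IETF project) of a toy registration endpoint that issues either a Bearer Registration Access Token bound to registration_client_uri, or a capability URI that carries the secret itself. The endpoint base URL, the in-memory stores and the Initial Access Token value are constructed for this example.

```python
import hmac
import secrets
from typing import Optional

# Constructed values for this example (not from the draft).
REG_ENDPOINT = "https://as.example/register"   # assumed registration endpoint
INITIAL_ACCESS_TOKENS = {"iat-constructed-value"}  # assumed Initial Access Token

_clients: dict[str, dict] = {}       # client_id -> registration record
_capabilities: dict[str, str] = {}   # capability secret -> client_id

def _bearer(headers: dict) -> Optional[str]:
    """Extract the token from an RFC 6750 'Authorization: Bearer ...' header."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    return token if scheme.lower() == "bearer" and token else None

def register(headers: dict, metadata: dict, mode: str = "bearer") -> dict:
    """POST to the registration endpoint, authorised by the Initial Access Token."""
    iat = _bearer(headers)
    if iat is None or iat not in INITIAL_ACCESS_TOKENS:
        return {"status": 401}
    client_id = "client-" + secrets.token_urlsafe(8)
    rec = {"client_id": client_id, "metadata": dict(metadata)}
    if mode == "bearer":
        # Draft style: a separate Registration Access Token, usable only at this URI.
        rec["registration_access_token"] = secrets.token_urlsafe(32)
        rec["registration_client_uri"] = f"{REG_ENDPOINT}/{client_id}"
    else:
        # Capability-URI style: the unguessable secret is the URI; no extra token.
        cap = secrets.token_urlsafe(32)
        _capabilities[cap] = client_id
        rec["registration_client_uri"] = f"{REG_ENDPOINT}/cap/{cap}"
    _clients[client_id] = rec
    return {"status": 201, **rec}

def read_registration(uri: str, headers: dict) -> dict:
    """GET registration_client_uri; the URI decides which check applies."""
    if uri.startswith(REG_ENDPOINT + "/cap/"):
        client_id = _capabilities.get(uri.rsplit("/", 1)[1])
        return {"status": 200, **_clients[client_id]} if client_id else {"status": 404}
    rec = _clients.get(uri.rsplit("/", 1)[1])
    tok = _bearer(headers)
    if rec is None or tok is None or "registration_access_token" not in rec:
        return {"status": 401}
    # Constant-time compare against the token of *this* client only, so a token
    # issued for one registration is rejected at every other registration URI.
    if not hmac.compare_digest(tok, rec["registration_access_token"]):
        return {"status": 401}
    return {"status": 200, **rec}
```

In both modes the secret remains a bearer credential: the capability form only removes the separate header, it does not add the proof-of-possession properties Hannes refers to.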