Re: [OAUTH-WG] Using OAuth to get a JWT/SAML token

Lewis Adam-CAL022 <Adam.Lewis@motorolasolutions.com> Fri, 13 April 2012 19:13 UTC

From: Lewis Adam-CAL022 <Adam.Lewis@motorolasolutions.com>
To: Justin Richer <jricher@mitre.org>
Thread-Topic: [OAUTH-WG] Using OAuth to get a JWT/SAML token
Date: Fri, 13 Apr 2012 19:13:18 +0000
Message-ID: <59E470B10C4630419ED717AC79FCF9A90741A7@BL2PRD0410MB363.namprd04.prod.outlook.com>
References: <59E470B10C4630419ED717AC79FCF9A906E74E@CH1PRD0410MB369.namprd04.prod.outlook.com> <4F885680.5090801@mitre.org>
In-Reply-To: <4F885680.5090801@mitre.org>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Using OAuth to get a JWT/SAML token
List-Id: OAUTH WG <oauth.ietf.org>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>

Hi Justin ...

In your application, to start things off, you fire off a web browser to the authorization server's authorization endpoint. The user logs in to the authorization server through the web browser, approves this copy of your app, and gets redirected to "myapp://oauthcallback?code=basdf132". Your app grabs the "myapp://" url and plucks the authorization code off the end of it. Your app then takes that code and sends it in the background to the token endpoint to exchange for a token.

<acl> this is the part I'm missing.  I understand how to get the authorization code to the client ...  I think what you're saying is that when the client presents the access code to the token endpoint, the token endpoint can return either a SAML or JWT token?  Is the token endpoint typically part of the Authorization Server?  Is the type of token returned (SAML/JWT/etc) dependent on the implementation and what is supported by different vendors and open source, or is this required by the standard?  OAuth 2.0 doesn't really say a whole lot about the actual access token.  Is this all considered out of band from OAuth and a matter of implementation?  Btw ... I currently have two OAuth implementations running in the lab ... an evaluation copy of PingFederate and an open source stack (OpenAM). </acl>
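The flow described in the quoted paragraph, carried through to a token endpoint that hands back a JWT as the access token, as an added editor's example (this is not code from the thread, nor from PingFederate or OpenAM). Only the "myapp://oauthcallback?code=..." redirect comes from the message; the in-process stand-in authorization server, the HS256 shared secret, the client id, the issuer and audience URLs and the subject "alice" are all constructed for the example. The single-use code and the "state" parameter are RFC 6749 mechanisms the message does not mention; they are included because a client that skips the state check will accept a code an attacker planted in the redirect. Note where the JWT gets verified: the client only forwards the access token as a Bearer credential and treats it as opaque, and it is the resource server that cares whether the token is a JWT, a SAML assertion or a reference string, which is why RFC 6749 itself leaves the format to the authorization server.

```python
# Added example (editor's illustration, not code from the thread, PingFederate
# or OpenAM): authorization-code flow with a custom-scheme redirect, exchanged
# at a stand-in token endpoint that returns a JWT access token. The secret,
# client id, issuer/audience URLs and subject below are constructed.
import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

AS_SECRET = b"constructed-demo-hs256-secret"   # assumption: AS signing key
REDIRECT_URI = "myapp://oauthcallback"          # from the quoted message
CLIENT_ID = "demo-native-client"                # assumption
ISSUER, AUDIENCE = "https://as.example", "https://rs.example"  # assumptions


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# ---- client side: pluck the code off the myapp:// redirect -----------------
def parse_callback(url: str, expected_state: str) -> str:
    parts = urlparse(url)
    if parts.scheme != "myapp" or parts.netloc != "oauthcallback":
        raise ValueError("redirect did not land on our callback")
    query = parse_qs(parts.query)
    if "error" in query:
        raise ValueError("authorization failed: " + query["error"][0])
    # RFC 6749 "state": only accept a code for a request this client started
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: not our authorization request")
    return query["code"][0]


# ---- stand-in authorization server -----------------------------------------
_issued_codes: dict = {}   # code -> grant details; a real AS keeps this server-side


def authorize(client_id: str, redirect_uri: str, subject: str, scope: str, state: str) -> str:
    """What the AS does once the user has logged in and approved the client:
    mint a short-lived, single-use code and redirect the browser to the client."""
    code = secrets.token_urlsafe(16)
    _issued_codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                           "sub": subject, "scope": scope, "exp": time.time() + 600}
    return redirect_uri + "?" + urlencode({"code": code, "state": state})


def make_jwt(claims: dict) -> str:
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(AS_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def token_endpoint(form: dict) -> dict:
    """RFC 6749 sections 4.1.3/4.1.4: exchange the code for an access token.
    The token format (a JWT here; SAML or an opaque string elsewhere) is the
    AS's choice, not something the core spec fixes."""
    if form.get("grant_type") != "authorization_code":
        return {"error": "unsupported_grant_type"}
    grant = _issued_codes.pop(form.get("code"), None)      # pop => single use
    if (grant is None or grant["exp"] < time.time()
            or grant["client_id"] != form.get("client_id")
            or grant["redirect_uri"] != form.get("redirect_uri")):
        return {"error": "invalid_grant"}
    now = int(time.time())
    token = make_jwt({"iss": ISSUER, "sub": grant["sub"], "aud": AUDIENCE,
                      "scope": grant["scope"], "iat": now, "exp": now + 3600})
    return {"access_token": token, "token_type": "Bearer", "expires_in": 3600}


# ---- resource server side: the party that actually inspects the token ------
def verify_jwt(token: str, secret: bytes, audience: str) -> dict:
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":          # never let the token pick the alg
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != ISSUER or claims.get("aud") != audience or claims.get("exp", 0) < time.time():
        raise ValueError("claims rejected")
    return claims


def run_flow(subject: str = "alice") -> dict:
    state = secrets.token_urlsafe(8)
    # 1. browser: user logs in at the AS, which redirects to myapp://oauthcallback?code=...&state=...
    redirect = authorize(CLIENT_ID, REDIRECT_URI, subject, "read", state)
    # 2. the app grabs the myapp:// URL and extracts the code
    code = parse_callback(redirect, state)
    # 3. the app posts the code to the token endpoint in the background
    resp = token_endpoint({"grant_type": "authorization_code", "code": code,
                           "redirect_uri": REDIRECT_URI, "client_id": CLIENT_ID})
    # 4. the client presents resp["access_token"] as a Bearer token and treats it
    #    as opaque; the resource server is the one that validates the JWT
    return verify_jwt(resp["access_token"], AS_SECRET, AUDIENCE)


if __name__ == "__main__":
    print(run_flow())
```

Running the module end to end yields the verified claim set for "alice". The checks worth keeping when swapping in a real authorization server are the ones the stand-in enforces: the code is single-use and bound to the client id and redirect URI that requested it, the client rejects a callback whose state it did not issue, and the verifier pins the signing algorithm rather than trusting the token's own header.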