Re: [OAUTH-WG] December 27, 2012 OAuth Release

William Mills <wmills_92105@yahoo.com> Sat, 05 January 2013 05:55 UTC

References: <4E1F6AAD24975D4BA5B1680429673943669B0A1E@TK5EX14MBXC283.redmond.corp.microsoft.com> <1356746794.51868.YahooMailNeo@web31807.mail.mud.yahoo.com> <4E1F6AAD24975D4BA5B1680429673943669FE2AD@TK5EX14MBXC283.redmond.corp.microsoft.com> <1357339700.37914.YahooMailNeo@web31816.mail.mud.yahoo.com> <E7EF196D-1771-477E-932B-917A4A85D5A6@ve7jtb.com> <1357343831.30497.YahooMailNeo@web31810.mail.mud.yahoo.com> <A288DB63-2515-46B7-8B5A-715873B32506@ve7jtb.com>
Message-ID: <1357365347.39851.YahooMailNeo@web31816.mail.mud.yahoo.com>
Date: Fri, 04 Jan 2013 21:55:47 -0800
From: William Mills <wmills_92105@yahoo.com>
To: John Bradley <ve7jtb@ve7jtb.com>
In-Reply-To: <A288DB63-2515-46B7-8B5A-715873B32506@ve7jtb.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="-1238014912-1157172462-1357365347=:39851"
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] December 27, 2012 OAuth Release

That would work.  Register a link relation property for supported signing methods.


________________________________
 From: John Bradley <ve7jtb@ve7jtb.com>
To: William Mills <wmills_92105@yahoo.com> 
Cc: Mike Jones <Michael.Jones@microsoft.com>; "oauth@ietf.org" <oauth@ietf.org> 
Sent: Friday, January 4, 2013 4:09 PM
Subject: Re: [OAUTH-WG] December 27, 2012 OAuth Release
 

In the Connect case part of discovery is a JSON document in .well-known that describes the server's capabilities. 
Something similar might work.  There is nothing JWT specific about the Connect document though we do specify the JWA set of algorithms and JWK for publishing keys.

John

On 2013-01-04, at 8:57 PM, William Mills <wmills_92105@yahoo.com> wrote:

>Yeah, I think it would work. Adding client asserted JWT payload would also nicely get out of the whole question of where the nonce, timestamp, and such go and whether they can be part of the query string, which was always annoying with MAC and OAuth 1.
>
>
>We still have the problem that some clients don't know what order the query or post arguments will be generated in, but that wasn't resolved yet anyway.
>
>
>How do we solve for the server requiring a specific set of supported hashes and feeding that back to the client?
>
>
>-bill
>
>
>
>________________________________
> From: John Bradley <ve7jtb@ve7jtb.com>
>To: William Mills <wmills_92105@yahoo.com> 
>Cc: Mike Jones <Michael.Jones@microsoft.com>; "oauth@ietf.org" <oauth@ietf.org> 
>Sent: Friday, January 4, 2013 3:44 PM
>Subject: Re: [OAUTH-WG] December 27, 2012 OAuth Release
> 
>
>If everything you want to sign can go in the JWT there is nothing to stop that.   Otherwise you are back to coming up with a way of doing a detached signature and putting a hash in the JWT like Connect is doing by putting a hash of the token in the id_token for the "token id_token" flow.
>
>
>The hard part is figuring out what needs to be signed.   
>
>
>As for client generated JWT we already have the JWT assertion profile.  Connect is using that as an option to authenticate to the token endpoint. 
>
>
>Would doing a similar thing but to the RS really work for you?
>
>
>John B.
>
>On 2013-01-04, at 7:48 PM, William Mills <wmills_92105@yahoo.com> wrote:
>
>>It's the core problem I see MAC solving.  I'd be happy enough to define a JWT variant that does this if that's easier than MAC.  What do you think?
>>
>>
>>
>>________________________________
>> From: Mike Jones <Michael.Jones@microsoft.com>
>>To: William Mills <wmills_92105@yahoo.com>; "oauth@ietf.org" <oauth@ietf.org> 
>>Sent: Friday, January 4, 2013 2:35 PM
>>Subject: RE: [OAUTH-WG] December 27, 2012 OAuth Release
>> 
>>
>> 
>>There's no generic OAuth way to do this.  There is a way to do it in OpenID Connect -- see request_object_signing_alg, userinfo_signed_response_alg, and id_token_signed_response_alg in
>>http://openid.net/specs/openid-connect-registration-1_0-13.html#anchor3 and userinfo_signing_alg_values_supported, id_token_signing_alg_values_supported, and request_object_signing_alg_values_supported in
>>http://openid.net/specs/openid-connect-discovery-1_0-11.html#anchor9.
>> 
>>    -- Mike
>> 
>>From: William Mills [mailto:wmills_92105@yahoo.com] 
>>Sent: Friday, December 28, 2012 6:07 PM
>>To: Mike Jones; oauth@ietf.org
>>Subject: Re: [OAUTH-WG] December 27, 2012 OAuth Release
>> 
>>Mike,
>> 
>>I've read through the JWT spec and I'm curious about something.  How do I specify a signature requirement as the server?  I didn't see it but I probably just missed it.  I'm thinking that with very little work a JWT can do everything that MAC does with greater flexibility, *BUT* the server needs to be able to require a signed usage.  Something I never liked about OAuth 1.0 is that the server must support all valid signature types, even PLAINTEXT, so I want to be able to avoid that.
>> 
>>It would require the client to be able to include client generated stuff in the JWT.
>> 
>>Thanks,
>> 
>>-bill
>>
>>_______________________________________________
>>OAuth mailing list
>>OAuth@ietf.org
>>https://www.ietf.org/mailman/listinfo/oauth
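The thread circles three mechanics without showing any of them: a server advertising which signing algorithms it accepts (the Connect `*_signing_alg_values_supported` metadata), a client-generated JWT that carries the nonce and timestamp as claims instead of query parameters, and a detached binding of the access token via a truncated hash as Connect's id_token does. The following is an added example, not code from the thread, the OAuth WG or OpenID Connect. It assumes a hypothetical resource-server metadata key `request_signing_alg_values_supported`, hypothetical claim names (`method`, `uri`, `token_hash`, `body_hash`), a constructed shared HMAC key, and an in-memory replay cache; only the standard library is used.

```python
from __future__ import annotations

import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed RS metadata. The *_signing_alg_values_supported shape follows the
# OpenID Connect Discovery metadata named in the thread; the key name used here
# for an RS-side equivalent is hypothetical, as is "https://rs.example".
RS_METADATA = {
    "issuer": "https://rs.example",
    "request_signing_alg_values_supported": ["HS256"],
}
SHARED_KEY = b"constructed-demo-key-do-not-use"   # client/RS shared secret (example only)
CLIENT_ALGS = ["HS256"]                           # algorithms this client can produce
RS_ALLOWED_ALGS = {"HS256"}                       # RS policy: unsigned usage is never accepted
_seen_jti = set()                                 # replay cache (stand-in for a real store)


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def half_hash(value: str) -> str:
    """Left-most 128 bits of SHA-256, base64url: the id_token at_hash construction,
    reused here to bind the access token and the request body into the JWT."""
    return b64url(hashlib.sha256(value.encode("utf-8")).digest()[:16])


def choose_alg(server_metadata: dict, client_algs: list) -> str | None:
    """Client picks the first algorithm it can produce that the server advertises."""
    supported = server_metadata.get("request_signing_alg_values_supported", [])
    return next((alg for alg in client_algs if alg in supported), None)


def client_sign_request(method: str, uri: str, access_token: str, body: str,
                        server_metadata: dict, key: bytes, now: int | None = None) -> str:
    """Client side: nonce (jti), timestamp (iat) and request binding live in the
    claims, so nothing has to be squeezed into the query string."""
    alg = choose_alg(server_metadata, CLIENT_ALGS)
    if alg is None:
        raise ValueError("server advertises no algorithm this client supports")
    header = {"alg": alg, "typ": "JWT"}
    claims = {  # claim names other than aud/iat/jti are hypothetical for this example
        "aud": server_metadata["issuer"],
        "iat": now if now is not None else int(time.time()),
        "jti": secrets.token_urlsafe(16),
        "method": method,
        "uri": uri,
        "token_hash": half_hash(access_token),
        "body_hash": half_hash(body),
    }
    signing_input = f"{b64url(json.dumps(header).encode())}.{b64url(json.dumps(claims).encode())}"
    tag = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{b64url(tag)}"


def unsigned_jwt(claims: dict) -> str:
    """alg=none token: what a client hoping the RS tolerates unsigned usage would send."""
    header = b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{b64url(json.dumps(claims).encode())}."


def rs_verify(token: str, method: str, uri: str, access_token: str, body: str,
              key: bytes, now: int | None = None, max_skew: int = 300) -> tuple:
    """RS side: apply the algorithm policy before trusting anything in the header,
    then check signature, audience, freshness, request binding and replay."""
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed"
    h_b64, c_b64, s_b64 = parts
    try:
        header = json.loads(b64url_decode(h_b64))
        claims = json.loads(b64url_decode(c_b64))
        sig = b64url_decode(s_b64)
    except (ValueError, UnicodeDecodeError):
        return False, "malformed"
    if header.get("alg") not in RS_ALLOWED_ALGS:      # "none" is the PLAINTEXT of JWT
        return False, "alg not allowed"
    expected = hmac.new(key, f"{h_b64}.{c_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature"
    now = now if now is not None else int(time.time())
    if claims.get("aud") != RS_METADATA["issuer"]:
        return False, "wrong audience"
    if not isinstance(claims.get("iat"), int) or abs(now - claims["iat"]) > max_skew:
        return False, "stale"
    if claims.get("method") != method or claims.get("uri") != uri:
        return False, "request mismatch"
    if claims.get("token_hash") != half_hash(access_token):
        return False, "token mismatch"
    if claims.get("body_hash") != half_hash(body):
        return False, "body mismatch"
    jti = claims.get("jti")
    if not isinstance(jti, str) or jti in _seen_jti:
        return False, "replay"
    _seen_jti.add(jti)
    return True, "ok"
```

The RS decides which algorithms it will take from its own allowlist, not from the token header, which is how a server "requires a signed usage" in Bill's sense: an `alg=none` token fails before its signature field is ever looked at. Binding the method, URI, token and body into the claims sidesteps the parameter-ordering problem the thread mentions, because the RS recomputes the same truncated hashes over what it actually received rather than canonicalising a query string.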