Re: [OAUTH-WG] New Version Notification for draft-richer-oauth-introspection-00.txt
Eve Maler <eve@xmlgrrl.com> Tue, 04 December 2012 19:49 UTC
Return-Path: <eve@xmlgrrl.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DB1EA21F8CAB for <oauth@ietfa.amsl.com>; Tue, 4 Dec 2012 11:49:32 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.292
X-Spam-Level:
X-Spam-Status: No, score=-1.292 tagged_above=-999 required=5 tests=[AWL=-0.000, BAYES_00=-2.599, FROM_DOMAIN_NOVOWEL=0.5, HTML_MESSAGE=0.001, SARE_URI_CONS7=0.306, URI_NOVOWEL=0.5]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id difHwuaP6B+T for <oauth@ietfa.amsl.com>; Tue, 4 Dec 2012 11:49:31 -0800 (PST)
Received: from mail.promanage-inc.com (eliasisrael.com [50.47.36.5]) by ietfa.amsl.com (Postfix) with ESMTP id BF2EF21F8CB6 for <oauth@ietf.org>; Tue, 4 Dec 2012 11:49:31 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by greendome.promanage-inc.com (Postfix) with ESMTP id D485234B7AA; Thu, 29 Nov 2012 14:59:46 -0800 (PST)
X-Virus-Scanned: amavisd-new at promanage-inc.com
Received: from greendome.promanage-inc.com ([127.0.0.1]) by localhost (greendome.promanage-inc.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VLvwYWpoKnvT; Thu, 29 Nov 2012 14:59:42 -0800 (PST)
Received: from [192.168.168.111] (unknown [192.168.168.111]) by greendome.promanage-inc.com (Postfix) with ESMTPSA id 6920234B792; Thu, 29 Nov 2012 14:59:42 -0800 (PST)
Mime-Version: 1.0 (Mac OS X Mail 6.2 \(1499\))
Content-Type: multipart/alternative; boundary="Apple-Mail=_6E56121F-CF55-45DD-998C-4B7867AED974"
From: Eve Maler <eve@xmlgrrl.com>
In-Reply-To: <B33BFB58CCC8BE4998958016839DE27E0684F375@IMCMBX01.MITRE.ORG>
Date: Thu, 29 Nov 2012 14:59:41 -0800
Message-Id: <947EEF6D-12E5-4D6E-A92E-16184AE7119B@xmlgrrl.com>
References: <20121127184401.20364.27482.idtracker@ietfa.amsl.com> <B33BFB58CCC8BE4998958016839DE27E0684F375@IMCMBX01.MITRE.ORG>
To: "Richer, Justin P." <jricher@mitre.org>
X-Mailer: Apple Mail (2.1499)
Cc: "oauth@ietf.org WG" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] New Version Notification for draft-richer-oauth-introspection-00.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 04 Dec 2012 19:49:33 -0000
Hi Justin-- Glad to see this moving forward. This draft seems pretty straightforward, and I imagine the UMA core spec could probably incorporate a reference out to this rather than continuing to use our custom-specified method for what we'd called "token status". I wanted to highlight a couple of things we've defined beyond what you have here, in case they're of interest to the wider community. This spec defines what I'd call "shallow AS/RS communication", in that it assumes a trust relationship and context that's set up between them completely out of band. UMA needed "deep AS/RS communication", which allows for them to live in separate domains, potentially run by disparate parties. (This is akin to the separation in OpenID Connect of IdPs and third-party claim providers, and I've heard of a number of use cases now for the same separation in plain OAuth.) Thus, we defined a means by which the AS and RS could be introduced -- it's actually just an embedded OAuth flow -- so that your mention of a "separate OAuth2 Access Token" option in Section 2.1 is dictated in UMA to be an OAuth token, with a particular scope covering the use of the token introspection endpoint. The API exposed by the AS (in UMA, an "authorization manager" or AM) that includes usage of the token introspection endpoint is called a "protection API", and it includes registration of information about protected resources so that the AS can manage the issuance of tokens that it will later be asked to introspect. Finally, UMA has a simple extension point, called "UMA token profile", defined in its (JSON-encoded) AM config data that allows the content associated with the token to be standardized. Actually it dictates more than the content; there are protocol aspects to it too, perhaps akin to OAuth's token profiles. If there's interest in sedimenting some of these pieces into the OAuth layer, we'd certainly be interested to carve out modules (where possible) and submit them for consideration. Note that all of these features are present in our http://tools.ietf.org/html/draft-hardjono-oauth-umacore-05 submission. Thanks, Eve On 27 Nov 2012, at 10:46 AM, "Richer, Justin P." <jricher@mitre.org> wrote: > I took some time this morning to put together a draft of Token Introspection. This is largely based on how we implemented it here a few years ago, and I'm hoping that this and the Ping draft can help move the conversation about introspection forward. > > -- Justin > > Begin forwarded message: > >> From: <internet-drafts@ietf.org> >> Subject: New Version Notification for draft-richer-oauth-introspection-00.txt >> Date: November 27, 2012 1:44:01 PM EST >> To: <jricher@mitre.org> >> >> >> A new version of I-D, draft-richer-oauth-introspection-00.txt >> has been successfully submitted by Justin Richer and posted to the >> IETF repository. >> >> Filename: draft-richer-oauth-introspection >> Revision: 00 >> Title: OAuth Token Introspection >> Creation date: 2012-11-27 >> WG ID: Individual Submission >> Number of pages: 6 >> URL: http://www.ietf.org/internet-drafts/draft-richer-oauth-introspection-00.txt >> Status: http://datatracker.ietf.org/doc/draft-richer-oauth-introspection >> Htmlized: http://tools.ietf.org/html/draft-richer-oauth-introspection-00 >> >> >> Abstract: >> This specification defines a method for a client or protected >> resource to query an OAuth authorization server to determine meta- >> information about an OAuth token. >> >> >> >> >> >> The IETF Secretariat >> > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth Eve Maler http://www.xmlgrrl.com/blog +1 425 345 6756 http://www.twitter.com/xmlgrrl
- [OAUTH-WG] Fwd: New Version Notification for draf… Richer, Justin P.
- Re: [OAUTH-WG] New Version Notification for draft… Justin Richer
- Re: [OAUTH-WG] New Version Notification for draft… Justin Richer
- Re: [OAUTH-WG] New Version Notification for draft… Torsten Lodderstedt
- Re: [OAUTH-WG] Fwd: New Version Notification for … Anganes, Amanda L
- Re: [OAUTH-WG] Fwd: New Version Notification for … Justin Richer
- Re: [OAUTH-WG] New Version Notification for draft… Eve Maler
- Re: [OAUTH-WG] New Version Notification for draft… Eve Maler
- Re: [OAUTH-WG] New Version Notification for draft… Eve Maler