Re: [OAUTH-WG] Confirmation: Call for Adoption of "OAuth Token Introspection" as an OAuth Working Group Item

Phil Hunt <phil.hunt@oracle.com> Tue, 29 July 2014 00:59 UTC

Return-Path: <phil.hunt@oracle.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 780041A042D for <oauth@ietfa.amsl.com>; Mon, 28 Jul 2014 17:59:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.201
X-Spam-Level:
X-Spam-Status: No, score=-4.201 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pkr01kqKMeON for <oauth@ietfa.amsl.com>; Mon, 28 Jul 2014 17:59:12 -0700 (PDT)
Received: from aserp1040.oracle.com (aserp1040.oracle.com [141.146.126.69]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E3BA81A059F for <oauth@ietf.org>; Mon, 28 Jul 2014 17:59:09 -0700 (PDT)
Received: from acsinet22.oracle.com (acsinet22.oracle.com [141.146.126.238]) by aserp1040.oracle.com (Sentrion-MTA-4.3.2/Sentrion-MTA-4.3.2) with ESMTP id s6T0x8Lt027561 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Tue, 29 Jul 2014 00:59:09 GMT
Received: from userz7021.oracle.com (userz7021.oracle.com [156.151.31.85]) by acsinet22.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id s6T0x7cA016245 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL); Tue, 29 Jul 2014 00:59:08 GMT
Received: from abhmp0016.oracle.com (abhmp0016.oracle.com [141.146.116.22]) by userz7021.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id s6T0x7F6005007; Tue, 29 Jul 2014 00:59:07 GMT
Received: from [192.168.1.188] (/174.7.250.104) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Mon, 28 Jul 2014 17:59:06 -0700
Content-Type: multipart/alternative; boundary="Apple-Mail=_FDDF2153-ADCF-4A0F-9BB1-04461E32FC91"
Mime-Version: 1.0 (Mac OS X Mail 7.3 \(1878.6\))
From: Phil Hunt <phil.hunt@oracle.com>
In-Reply-To: <53D6ED5A.10500@mit.edu>
Date: Mon, 28 Jul 2014 17:59:05 -0700
Message-Id: <33F1EE39-2BDF-4F3D-B4DD-4AB9848BC4BF@oracle.com>
References: <53D6895F.4050104@gmx.net> <CAEayHEM+pqDqv1qx=Z-qhNuYM-s2cV0z=sQb_FAJaGwcLpq_rQ@mail.gmail.com> <20A36D56-D581-4EDE-9DEA-D3F9C48AD20B@oracle.com> <53D6ED5A.10500@mit.edu>
To: Justin Richer <jricher@MIT.EDU>
X-Mailer: Apple Mail (2.1878.6)
X-Source-IP: acsinet22.oracle.com [141.146.126.238]
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/yZ687ryDLq1QvQF_uNRMrfPC4d0
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] Confirmation: Call for Adoption of "OAuth Token Introspection" as an OAuth Working Group Item
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 29 Jul 2014 00:59:20 -0000

That doesn’t explain the need for inter-operability. What you’ve described is what will be common practice.

It’s a great open source technique, but that’s not a standard.

JWT is much different. JWT is a foundational specification that describes the construction and parsing of JSON based tokens. There is inter-op with token formats that build on top and there is inter-op between every communicating party.

In OAuth, a site may never implement token introspection nor may it do it the way you describe.  Why would that be a problem?  Why should the group spend time on something where there may be no inter-op need.

Now that said, if you are in the UMA community.  Inter-op is quite foundational.  It is very very important. But then maybe the spec should be defined within UMA?

Phil

@independentid
www.independentid.com
phil.hunt@oracle.com



On Jul 28, 2014, at 5:39 PM, Justin Richer <jricher@MIT.EDU> wrote:

> It's analogous to JWT in many ways: when you've got the AS and the RS separated somehow (different box, different domain, even different software vendor) and you need to communicate a set of information about the approval delegation from the AS (who has the context to know about it) through to the RS (who needs to know about it to make the authorization call). JWT gives us an interoperable way to do this by passing values inside the token itself, introspection gives a way to pass the values by reference via the token as an artifact. The two are complementary, and there are even cases where you'd want to deploy them together.
> 
>  -- Justin
> 
> On 7/28/2014 8:11 PM, Phil Hunt wrote:
>> Could we have some discussion on the interop cases?
>> 
>> Is it driven by scenarios where AS and resource are separate domains? Or may this be only of interest to specific protocols like UMA?
>> 
>> From a technique principle, the draft is important and sound. I am just not there yet on the reasons for an interoperable standard. 
>> 
>> Phil
>> 
>> On Jul 28, 2014, at 17:00, Thomas Broyer <t.broyer@gmail.com> wrote:
>> 
>>> Yes. This spec is of special interest to the platform we're building for http://www.oasis-eu.org/
>>> 
>>> 
>>> On Mon, Jul 28, 2014 at 7:33 PM, Hannes Tschofenig <hannes.tschofenig@gmx.net> wrote:
>>> Hi all,
>>> 
>>> during the IETF #90 OAuth WG meeting, there was strong consensus in
>>> adopting the "OAuth Token Introspection"
>>> (draft-richer-oauth-introspection-06.txt) specification as an OAuth WG
>>> work item.
>>> 
>>> We would now like to verify the outcome of this call for adoption on the
>>> OAuth WG mailing list. Here is the link to the document:
>>> http://datatracker.ietf.org/doc/draft-richer-oauth-introspection/
>>> 
>>> If you did not hum at the IETF 90 OAuth WG meeting, and have an opinion
>>> as to the suitability of adopting this document as a WG work item,
>>> please send mail to the OAuth WG list indicating your opinion (Yes/No).
>>> 
>>> The confirmation call for adoption will last until August 10, 2014.  If
>>> you have issues/edits/comments on the document, please send these
>>> comments along to the list in your response to this Call for Adoption.
>>> 
>>> Ciao
>>> Hannes & Derek
>>> 
>>> 
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>>> 
>>> 
>>> 
>>> 
>>> -- 
>>> Thomas Broyer
>>> /tɔ.ma.bʁwa.je/
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>> 
>> 
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth