Re: [OAUTH-WG] OAuth Token Swap (token chaining)

Phil Hunt <phil.hunt@oracle.com> Tue, 24 March 2015 13:43 UTC

From: Phil Hunt <phil.hunt@oracle.com>
To: Brian Campbell <bcampbell@pingidentity.com>
Cc: "<oauth@ietf.org>" <oauth@ietf.org>
Date: Tue, 24 Mar 2015 08:43:17 -0500
Subject: Re: [OAUTH-WG] OAuth Token Swap (token chaining)
In-Reply-To: <CA+k3eCTW_hgw_T4JNpJ8mgAo5oOW7BPMZ7DgJoB8Cvye6x7iwg@mail.gmail.com>
References: <0C7C1508-DA58-4832-B755-F8BA1F153894@mit.edu> <CA+k3eCTW_hgw_T4JNpJ8mgAo5oOW7BPMZ7DgJoB8Cvye6x7iwg@mail.gmail.com>
Message-Id: <080772BA-7A36-4E49-A4AD-50ABEEAF1427@oracle.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/z4UHXJ0SBWdk8n6_kzAe8wVQhqU>

As the original author, I don't know why this issue has not been followed through on. Still it has given me about 3 years to reflect. :-)

I support any of these drafts going forward, but I think we have to think through performance issues.

I concluded that a swap should only be done, if at all, when an edge server wants to access a foreign domain, as the inbound AT may be opaque. Otherwise, passing the original AT in another header plus a service token for the edge server in the authentication header might be more scalable. The edge server token is long-lived, and the same-domain internal server can parse or introspect both tokens to understand act-as etc. In either method the authenticated context carries the primary security credential.

For the internal case, the value of a token swap is lost since consent is implicit and probably does not need to be double-checked each time.

Phil
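Phil's two-header alternative above (the user's original AT carried in a separate header, a long-lived service token for the edge server in the Authorization header, and the same-domain internal server introspecting both to derive an act-as context), worked through as an added example. This is not code from the thread or from either draft. The header name X-Original-Token, the "act-as" scope name, and the in-memory table standing in for an RFC 7662 introspection endpoint are assumptions made for this example.

```python
"""Two-header delegation check for a same-domain internal service.

Added example, not code from the OAuth WG thread or from either draft.
The edge server keeps the user's original access token (AT) in a separate
header and authenticates itself with a long-lived service token in the
Authorization header; the internal server introspects both and derives an
act-as context (subject = user, actor = edge service).

Assumptions (not from the thread): the header name X-Original-Token, the
scope name "act-as", and the in-memory table standing in for an RFC 7662
introspection endpoint are all constructed for this example.
"""
from dataclasses import dataclass

ORIGINAL_TOKEN_HEADER = "X-Original-Token"   # assumed header name

# Constructed stand-in for an RFC 7662 introspection endpoint. Keys are
# opaque token strings; values use RFC 7662 response field names.
NOW = 1_700_000_000  # fixed clock so the example is deterministic
INTROSPECTION_TABLE = {
    "svc-edge-001": {"active": True, "sub": "edge-gateway", "client_id": "edge-gateway",
                     "scope": "act-as internal.read", "aud": ["orders-service"],
                     "exp": NOW + 86400 * 30},
    "at-alice-123": {"active": True, "sub": "alice", "client_id": "mobile-app",
                     "scope": "orders.read", "aud": ["edge-gateway"], "exp": NOW + 600},
    "at-bob-expired": {"active": True, "sub": "bob", "client_id": "mobile-app",
                       "scope": "orders.read", "aud": ["edge-gateway"], "exp": NOW - 5},
    "svc-untrusted": {"active": True, "sub": "rogue-svc", "client_id": "rogue-svc",
                      "scope": "internal.read", "aud": ["orders-service"], "exp": NOW + 86400},
}


def introspect(token, now=NOW):
    """Return the introspection record, or {'active': False} if unknown or expired."""
    rec = INTROSPECTION_TABLE.get(token)
    if rec is None or not rec["active"] or rec["exp"] <= now:
        return {"active": False}
    return rec


@dataclass(frozen=True)
class ActAsContext:
    subject: str   # user on whose behalf the call is made (from the original AT)
    actor: str     # edge service that forwarded the call (from the service token)
    scope: str     # the user's scope; the actor never widens it


class AuthError(Exception):
    pass


def authorize_request(headers, my_audience="orders-service", now=NOW):
    """Derive the act-as context for an inbound request at an internal service.

    headers: dict of HTTP header name -> value (names matched case-insensitively).
    Raises AuthError unless both tokens are valid and the actor is permitted
    to act on behalf of the subject.
    """
    h = {k.lower(): v for k, v in headers.items()}
    auth = h.get("authorization", "")
    if not auth.startswith("Bearer "):
        raise AuthError("missing bearer service token")
    # 1. The primary credential: the edge server's own long-lived token.
    service = introspect(auth[len("Bearer "):], now)
    if not service["active"]:
        raise AuthError("service token inactive")
    if my_audience not in service.get("aud", []):
        raise AuthError("service token not intended for this service")
    if "act-as" not in service.get("scope", "").split():
        raise AuthError("service token not authorized to act on behalf of users")

    # 2. The user's original AT, forwarded unchanged in its own header.
    original = h.get(ORIGINAL_TOKEN_HEADER.lower())
    if not original:
        raise AuthError("missing original access token")
    user = introspect(original, now)
    if not user["active"]:
        raise AuthError("original access token inactive or expired")
    # The user AT was issued to the edge service; accept it only when the
    # actor presenting it is the party it was issued to.
    if service["sub"] not in user.get("aud", []):
        raise AuthError("original token was not issued to the presenting actor")
    return ActAsContext(subject=user["sub"], actor=service["sub"], scope=user["scope"])


def check(headers, **kw):
    """Convenience wrapper: return ('ok', ctx) or ('denied', reason)."""
    try:
        return ("ok", authorize_request(headers, **kw))
    except AuthError as e:
        return ("denied", str(e))


if __name__ == "__main__":
    print(check({"Authorization": "Bearer svc-edge-001", "X-Original-Token": "at-alice-123"}))
    print(check({"Authorization": "Bearer svc-edge-001", "X-Original-Token": "at-bob-expired"}))
```

Two design points follow from Phil's description. The service token is the authenticated context and is checked first, so a request that carries only a user AT is rejected before the AT is even looked at; and the act-as context takes its scope from the user's AT, not from the service token, so the edge server cannot widen what the user consented to. The final audience check is what makes the second header safe to forward: an AT is only honoured when the actor presenting it is the one it was issued to. This only works because the internal server can introspect (or parse) the inbound AT; when the AT is opaque to the receiving domain, that check is impossible, which is exactly the foreign-domain case Phil reserves for a swap.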

> On Mar 24, 2015, at 07:55, Brian Campbell <bcampbell@pingidentity.com> wrote:
> 
> And here's the somewhat different take on token exchange that I mentioned yesterday:
> https://tools.ietf.org/html/draft-campbell-oauth-sts-01
> 
> A little more background, context, and discussion about it can be seen following the thread on the Call for Adoption of "OAuth 2.0 Token Exchange" as an OAuth WG Item:
> https://www.ietf.org/mail-archive/web/oauth/current/msg13236.html
> https://www.ietf.org/mail-archive/web/oauth/current/msg13305.html
> ... etc ...
> https://www.ietf.org/mail-archive/web/oauth/current/msg13311.html
> ... etc.
> 
>> On Mon, Mar 23, 2015 at 2:40 PM, Justin Richer <jricher@mit.edu> wrote:
>> As mentioned in today’s IETF meeting, here are the two drafts dealing with generic token swap:
>> 
>> https://tools.ietf.org/html/draft-hunt-oauth-chain-01
>> https://tools.ietf.org/html/draft-richer-oauth-chain-00
>> 
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth