[OAUTH-WG] Token Transfer Protocol

Niklas Neumann <niklas.neumann@cs.uni-goettingen.de> Mon, 18 October 2010 16:01 UTC

Return-Path: <niklas.neumann@cs.uni-goettingen.de>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost []) by core3.amsl.com (Postfix) with ESMTP id 33EE73A6DE3 for <oauth@core3.amsl.com>; Mon, 18 Oct 2010 09:01:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.249
X-Spam-Status: No, score=-2.249 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HELO_EQ_DE=0.35]
Received: from mail.ietf.org ([]) by localhost (core3.amsl.com []) (amavisd-new, port 10024) with ESMTP id yeb9+ylO6TWo for <oauth@core3.amsl.com>; Mon, 18 Oct 2010 09:01:46 -0700 (PDT)
Received: from mailer.gwdg.de (mailer.gwdg.de []) by core3.amsl.com (Postfix) with ESMTP id 85EA83A6E12 for <oauth@ietf.org>; Mon, 18 Oct 2010 09:01:40 -0700 (PDT)
Received: from s5.ifi.informatik.uni-goettingen.de ([] helo=[]) by mailer.gwdg.de with esmtps (TLSv1:AES256-SHA:256) (Exim 4.69) (envelope-from <niklas.neumann@cs.uni-goettingen.de>) id 1P7sB2-0004z5-QX for oauth@ietf.org; Mon, 18 Oct 2010 18:03:08 +0200
Message-ID: <4CBC6FC0.5040708@cs.uni-goettingen.de>
Date: Mon, 18 Oct 2010 18:03:12 +0200
From: Niklas Neumann <niklas.neumann@cs.uni-goettingen.de>
Organization: University of Goettingen
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv: Gecko/20100915 Thunderbird/3.0.8
MIME-Version: 1.0
To: oauth@ietf.org
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Virus-Scanned: (clean) by exiscan+sophie
Subject: [OAUTH-WG] Token Transfer Protocol
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 18 Oct 2010 16:01:46 -0000

Hello everybody,

I am currently working on a projected related to authentication and 
secure token transfer between multiple devices. As such we are employing 
a simple protocol that handles token transfers independent of the actual 
type of token. We have adapted the protocol to be used with OAuth tokens 
and submitted it as an Internet Draft: 

I was wondering if there is interest in employing such a protocol in 
cases where the HTTP redirection schemes of OAuth are not available or 
not working well (e.g. desktop applications without access to a user 
agent or authentication from a different device/application than the one 
accessing the consumer).

Compared to other proposals such as 
draft-dehora-farrell-oauth-accesstoken-creds the STTP is more 
heavyweight but in turn it also has more options. With regards to 
authentication we didn't use SASL for complexity reasons in our work 
initialy but I don't see any reason not to include it if this is deemed 
more appropriate.

The work that the draft is based on is still ongoing. Please understand 
the draft as no more than a discussion proposal on how OAuth could be 
opened to non-web-based environments and scenarios that involve multiple 
devices without overloading the OAuth specification itself. I am happy 
to further improve the draft if you think this might be a viable option.

Best regards

Niklas Neumann - University of Goettingen, Institute of Computer Science
Tel: +49 551 39-172053