IETF Logo Mail Archive

Re: [OAUTH-WG] Oauth Server to Server

Chuck Mortimore <cmortimore@salesforce.com> Tue, 24 September 2013 16:56 UTC

Return-Path: <cmortimore@salesforce.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7ADA521F9C4C for <oauth@ietfa.amsl.com>; Tue, 24 Sep 2013 09:56:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.521
X-Spam-Level:
X-Spam-Status: No, score=-0.521 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, FRT_ADOBE2=2.455, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id P-U7yG2NaFVR for <oauth@ietfa.amsl.com>; Tue, 24 Sep 2013 09:56:19 -0700 (PDT)
Received: from mail-wg0-f44.google.com (mail-wg0-f44.google.com [74.125.82.44]) by ietfa.amsl.com (Postfix) with ESMTP id 1B83321F95D0 for <oauth@ietf.org>; Tue, 24 Sep 2013 09:56:18 -0700 (PDT)
Received: by mail-wg0-f44.google.com with SMTP id b13so4794261wgh.11 for <oauth@ietf.org>; Tue, 24 Sep 2013 09:56:17 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=78mZF8AYdkFvWZAYygoIEyhusrCW4ojQyDRa0jqLxtE=; b=DcFEyMHada7cuNAB6m5QLaVIRmE6gk5DLOf2dztNDLcIanE4itHxqNaYrNtVXL0K72 gjXUimf24Gab5/zMs3ki4iS3dWcdLGruka6AZ88thmUmJV/bHsPxiJdp5tTSfqpQbeyQ LHIvVdQHMMGAt+GOm1dM1uGGsLsSkwMg5pdO14GHhx9O560UgoqLDTcTHGU6YI+QuFxi fPIGf5pGbW3W666D5btk6nlTmxYTMcT7Y4rKNhkp1jc785DL8wxOysH0h+nrnp3FWVdU i+bxW8nE4lhxbsCkuGHgQVFwpjJ6tohA19bXIvt5H6ORIdtgQCholjA0fdgGrv4g1vWa CGyQ==
X-Gm-Message-State: ALoCoQkZVGOqa/z5AszdkhkjXof5JL9xBcCIpnVdsrRHWxVqxx2/yNm8D85IxitdTu+XYsd2NCgK
MIME-Version: 1.0
X-Received: by 10.194.240.101 with SMTP id vz5mr1247187wjc.69.1380041777624; Tue, 24 Sep 2013 09:56:17 -0700 (PDT)
Received: by 10.217.85.200 with HTTP; Tue, 24 Sep 2013 09:56:17 -0700 (PDT)
In-Reply-To: <4AEF7FF7-06A2-4A2E-92D4-B18DDBC07B21@adobe.com>
References: <832FA2A6-D0DD-45D0-9107-7EE02B6793B7@adobe.com> <CA+k3eCSVwT15wBwuCZNy1EuiVOSwVg+TThVvWnbwZ1wHVvfA-A@mail.gmail.com> <7558541E-3517-4F71-A049-6143D4247738@adobe.com> <1510634430014420341@unknownmsgid> <4AEF7FF7-06A2-4A2E-92D4-B18DDBC07B21@adobe.com>
Date: Tue, 24 Sep 2013 09:56:17 -0700
Message-ID: <CA+wnMn8gV-eZtQNvQ4-EPXS8-M2Jn1mpkLgUJ4NHB4BHYEyLZw@mail.gmail.com>
From: Chuck Mortimore <cmortimore@salesforce.com>
To: Antonio Sanso <asanso@adobe.com>
Content-Type: multipart/alternative; boundary="001a11c28a40ee4b2804e72403fb"
Cc: "oauth@ietf.org WG" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Oauth Server to Server
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 24 Sep 2013 16:56:23 -0000

What you're describing is exactly what the JWT bearer flow specs out

http://tools.ietf.org/html/draft-ietf-oauth-jwt-bearer

We've got the exact same flow, and there are other implementations out
there.
http://login.salesforce.com/help/doc/en/remoteaccess_oauth_jwt_flow.htm


On Tue, Sep 24, 2013 at 8:17 AM, Antonio Sanso <asanso@adobe.com> wrote:

> Hi chuck,
>
>
> On Sep 24, 2013, at 4:57 PM, Chuck Mortimore <cmortimore@salesforce.com>
> wrote:
>
> I'm not sure I understand your point here.   I don't believe there is
> anything custom or special about the google implementation here vs JWT.
> It looks identical to our implementation.
>
> Can you elaborate?
>
>
> sure.
>
> What is novel IMHO in the Google approach is not the bearer format , that
> is still JWT (or JWS in this case) but the overall scenario.
>
> As I see OAuth 2 is really good to cover use cases where there is human
> interaction (so an user namely the resource owner can provider username and
> password to the AS but not to the client and get back the Bearer Token).
> This is obviously covered from [2] and [3] namely Authorization Code Grant
> and Implicit grant flow.
>
> When there is not human interaction involved what RFC6749 offers is the
> already cited Resource Owner Password Credentials Grant that IMHO is a no
> go since it required the resource owner to share his password with the
> client.
>
> The way as Google offers to solve the same situation (namely obtain , or
> create in this case, a bearer token without having the resource owner
> password) is using asymmetric cryptography. What is happening is that
> quoting
>
> "During the creation of a Service Account, you will be prompted to
> download a private key. Be sure to save this private key in a secure
> location. After the Service Account has been created, you will also have
> access to the client_id associated with the private key."
>
> An alternative mentioned from John Bradley previously is that clients can
> securely generate key pairs but in terms of security would be identical.
>
> I hope is a bit clearer now  :)
>
> regards
>
> antonio
>
>
> [2] http://tools.ietf.org/html/rfc6749#section-4.1
> [3] http://tools.ietf.org/html/rfc6749#section-4.2
>
>
> - cmort
>
> On Sep 24, 2013, at 5:57 AM, Antonio Sanso <asanso@adobe.com> wrote:
>
> Hi Brian,
>
> thanks a lot for your pointer.
>
> What the custom Google flow provides more than the oauth jwt bearer draft
> is IMHO an explicit way to build JWT without any 'human interaction' so a
> server can handle the construction of an expired JWT bearer token on his
> own.
>
> This can of course be figured out by any implementer (as the Google folks
> obviously did) but it would be nice to provide this black on white on a
> spec IMHO
>
> regards
>
> Antonio
>
>
> On Sep 24, 2013, at 2:35 PM, Brian Campbell <bcampbell@pingidentity.com>
> wrote:
>
> Might this http://tools.ietf.org/html/draft-ietf-oauth-jwt-bearer be what
> you're looking for?
>
>
> On Tue, Sep 24, 2013 at 6:08 AM, Antonio Sanso <asanso@adobe.com> wrote:
>
>> Hi *,
>>
>> apologis to be back to this argument :).
>>
>> Let me try to better explain one use case that IMHO would be really good
>> to have in the OAuth specification family :)
>>
>> At the moment the only "OAuth standard" way I know to do OAuth server to
>> server is to use [0] namely Resource Owner Password Credentials Grant.
>>
>> Let me tell I am not a big fun of this particular flow :) (but this is
>> another story).
>>
>> An arguable better way to solve this scenario is to user (and why not to
>> standardise :S?) the method used by Google (or a variant of it) see [1].
>>
>> Couple of more things:
>>
>> - I do not know if Google would be interested to put some effort to
>> standardise it (is anybody from Google lurking :) e.g.Tim Bray :D )
>> - I am not too familiar with IETF process. Would the OAuth WG take in
>> consideration such proposal draft??
>>
>> Thanks and regards
>>
>> Antonio
>>
>> [0] http://tools.ietf.org/html/rfc6749#section-4.3
>> [1] https://developers.google.com/accounts/docs/OAuth2ServiceAccount
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>>
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
>
>

v2.23.0 | Report a Bug | By Email