Re: [OAUTH-WG] Oauth Server to Server
Chuck Mortimore <cmortimore@salesforce.com> Tue, 24 September 2013 16:56 UTC
Return-Path: <cmortimore@salesforce.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7ADA521F9C4C for <oauth@ietfa.amsl.com>; Tue, 24 Sep 2013 09:56:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.521
X-Spam-Level:
X-Spam-Status: No, score=-0.521 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, FRT_ADOBE2=2.455, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id P-U7yG2NaFVR for <oauth@ietfa.amsl.com>; Tue, 24 Sep 2013 09:56:19 -0700 (PDT)
Received: from mail-wg0-f44.google.com (mail-wg0-f44.google.com [74.125.82.44]) by ietfa.amsl.com (Postfix) with ESMTP id 1B83321F95D0 for <oauth@ietf.org>; Tue, 24 Sep 2013 09:56:18 -0700 (PDT)
Received: by mail-wg0-f44.google.com with SMTP id b13so4794261wgh.11 for <oauth@ietf.org>; Tue, 24 Sep 2013 09:56:17 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=78mZF8AYdkFvWZAYygoIEyhusrCW4ojQyDRa0jqLxtE=; b=DcFEyMHada7cuNAB6m5QLaVIRmE6gk5DLOf2dztNDLcIanE4itHxqNaYrNtVXL0K72 gjXUimf24Gab5/zMs3ki4iS3dWcdLGruka6AZ88thmUmJV/bHsPxiJdp5tTSfqpQbeyQ LHIvVdQHMMGAt+GOm1dM1uGGsLsSkwMg5pdO14GHhx9O560UgoqLDTcTHGU6YI+QuFxi fPIGf5pGbW3W666D5btk6nlTmxYTMcT7Y4rKNhkp1jc785DL8wxOysH0h+nrnp3FWVdU i+bxW8nE4lhxbsCkuGHgQVFwpjJ6tohA19bXIvt5H6ORIdtgQCholjA0fdgGrv4g1vWa CGyQ==
X-Gm-Message-State: ALoCoQkZVGOqa/z5AszdkhkjXof5JL9xBcCIpnVdsrRHWxVqxx2/yNm8D85IxitdTu+XYsd2NCgK
MIME-Version: 1.0
X-Received: by 10.194.240.101 with SMTP id vz5mr1247187wjc.69.1380041777624; Tue, 24 Sep 2013 09:56:17 -0700 (PDT)
Received: by 10.217.85.200 with HTTP; Tue, 24 Sep 2013 09:56:17 -0700 (PDT)
In-Reply-To: <4AEF7FF7-06A2-4A2E-92D4-B18DDBC07B21@adobe.com>
References: <832FA2A6-D0DD-45D0-9107-7EE02B6793B7@adobe.com> <CA+k3eCSVwT15wBwuCZNy1EuiVOSwVg+TThVvWnbwZ1wHVvfA-A@mail.gmail.com> <7558541E-3517-4F71-A049-6143D4247738@adobe.com> <1510634430014420341@unknownmsgid> <4AEF7FF7-06A2-4A2E-92D4-B18DDBC07B21@adobe.com>
Date: Tue, 24 Sep 2013 09:56:17 -0700
Message-ID: <CA+wnMn8gV-eZtQNvQ4-EPXS8-M2Jn1mpkLgUJ4NHB4BHYEyLZw@mail.gmail.com>
From: Chuck Mortimore <cmortimore@salesforce.com>
To: Antonio Sanso <asanso@adobe.com>
Content-Type: multipart/alternative; boundary="001a11c28a40ee4b2804e72403fb"
Cc: "oauth@ietf.org WG" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Oauth Server to Server
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 24 Sep 2013 16:56:23 -0000
What you're describing is exactly what the JWT bearer flow specs out http://tools.ietf.org/html/draft-ietf-oauth-jwt-bearer We've got the exact same flow, and there are other implementations out there. http://login.salesforce.com/help/doc/en/remoteaccess_oauth_jwt_flow.htm On Tue, Sep 24, 2013 at 8:17 AM, Antonio Sanso <asanso@adobe.com> wrote: > Hi chuck, > > > On Sep 24, 2013, at 4:57 PM, Chuck Mortimore <cmortimore@salesforce.com> > wrote: > > I'm not sure I understand your point here. I don't believe there is > anything custom or special about the google implementation here vs JWT. > It looks identical to our implementation. > > Can you elaborate? > > > sure. > > What is novel IMHO in the Google approach is not the bearer format , that > is still JWT (or JWS in this case) but the overall scenario. > > As I see OAuth 2 is really good to cover use cases where there is human > interaction (so an user namely the resource owner can provider username and > password to the AS but not to the client and get back the Bearer Token). > This is obviously covered from [2] and [3] namely Authorization Code Grant > and Implicit grant flow. > > When there is not human interaction involved what RFC6749 offers is the > already cited Resource Owner Password Credentials Grant that IMHO is a no > go since it required the resource owner to share his password with the > client. > > The way as Google offers to solve the same situation (namely obtain , or > create in this case, a bearer token without having the resource owner > password) is using asymmetric cryptography. What is happening is that > quoting > > "During the creation of a Service Account, you will be prompted to > download a private key. Be sure to save this private key in a secure > location. After the Service Account has been created, you will also have > access to the client_id associated with the private key." > > An alternative mentioned from John Bradley previously is that clients can > securely generate key pairs but in terms of security would be identical. > > I hope is a bit clearer now :) > > regards > > antonio > > > [2] http://tools.ietf.org/html/rfc6749#section-4.1 > [3] http://tools.ietf.org/html/rfc6749#section-4.2 > > > - cmort > > On Sep 24, 2013, at 5:57 AM, Antonio Sanso <asanso@adobe.com> wrote: > > Hi Brian, > > thanks a lot for your pointer. > > What the custom Google flow provides more than the oauth jwt bearer draft > is IMHO an explicit way to build JWT without any 'human interaction' so a > server can handle the construction of an expired JWT bearer token on his > own. > > This can of course be figured out by any implementer (as the Google folks > obviously did) but it would be nice to provide this black on white on a > spec IMHO > > regards > > Antonio > > > On Sep 24, 2013, at 2:35 PM, Brian Campbell <bcampbell@pingidentity.com> > wrote: > > Might this http://tools.ietf.org/html/draft-ietf-oauth-jwt-bearer be what > you're looking for? > > > On Tue, Sep 24, 2013 at 6:08 AM, Antonio Sanso <asanso@adobe.com> wrote: > >> Hi *, >> >> apologis to be back to this argument :). >> >> Let me try to better explain one use case that IMHO would be really good >> to have in the OAuth specification family :) >> >> At the moment the only "OAuth standard" way I know to do OAuth server to >> server is to use [0] namely Resource Owner Password Credentials Grant. >> >> Let me tell I am not a big fun of this particular flow :) (but this is >> another story). >> >> An arguable better way to solve this scenario is to user (and why not to >> standardise :S?) the method used by Google (or a variant of it) see [1]. >> >> Couple of more things: >> >> - I do not know if Google would be interested to put some effort to >> standardise it (is anybody from Google lurking :) e.g.Tim Bray :D ) >> - I am not too familiar with IETF process. Would the OAuth WG take in >> consideration such proposal draft?? >> >> Thanks and regards >> >> Antonio >> >> [0] http://tools.ietf.org/html/rfc6749#section-4.3 >> [1] https://developers.google.com/accounts/docs/OAuth2ServiceAccount >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org >> https://www.ietf.org/mailman/listinfo/oauth >> > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth > > >
- [OAUTH-WG] Oauth Server to Server Antonio Sanso
- Re: [OAUTH-WG] Oauth Server to Server Brian Campbell
- Re: [OAUTH-WG] Oauth Server to Server Antonio Sanso
- Re: [OAUTH-WG] Oauth Server to Server Chuck Mortimore
- Re: [OAUTH-WG] Oauth Server to Server Antonio Sanso
- Re: [OAUTH-WG] Oauth Server to Server Bill Mills
- Re: [OAUTH-WG] Oauth Server to Server Antonio Sanso
- Re: [OAUTH-WG] Oauth Server to Server Phil Hunt
- Re: [OAUTH-WG] Oauth Server to Server Chuck Mortimore
- Re: [OAUTH-WG] Oauth Server to Server Antonio Sanso
- Re: [OAUTH-WG] Oauth Server to Server Chuck Mortimore
- Re: [OAUTH-WG] Oauth Server to Server Sergey Beryozkin
- Re: [OAUTH-WG] Oauth Server to Server Justin Richer
- Re: [OAUTH-WG] Oauth Server to Server Todd W Lainhart
- Re: [OAUTH-WG] Oauth Server to Server Antonio Sanso
- Re: [OAUTH-WG] Oauth Server to Server Antonio Sanso
- Re: [OAUTH-WG] Oauth Server to Server Sergey Beryozkin
- Re: [OAUTH-WG] Oauth Server to Server Antonio Sanso
- Re: [OAUTH-WG] Oauth Server to Server Antonio Sanso