Re: [OAUTH-WG] OAuth for institutional users
Justin Richer <jricher@mit.edu> Thu, 02 February 2017 19:34 UTC
To: oauth@ietf.org
References: <CAHtvOp6j+YFdQFK+uK=3MN2vq+4UixUF4shwSPevux9QsZ1yXg@mail.gmail.com> <318C729C-3374-47B9-BF7E-F5F2F81EAC33@oracle.com>
From: Justin Richer <jricher@mit.edu>
Message-ID: <39f411e1-da84-b25c-a894-9e0a629d6d95@mit.edu>
Date: Thu, 02 Feb 2017 14:33:56 -0500
In-Reply-To: <318C729C-3374-47B9-BF7E-F5F2F81EAC33@oracle.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/zXAkOMutv1-j6mg1kz2roA8D2Gk>
+1 to Phil's reference to SCIM, and since it looks like you're looking to do end user authentication you should look at OpenID Connect: http://openid.net/connect/

There are a lot of ways to get an authentication protocol based on OAuth very, very wrong, and I've covered some of the big ones in an article I wrote (with the community's help) a few years ago: http://oauth.net/articles/authentication/

Furthermore, I've covered the topic in my upcoming book, OAuth 2 In Action, which you might find useful: https://www.manning.com/books/oauth-2-in-action

All said, the space is not as easy as you may think it is at first and there are a lot of pitfalls. But the good news is that you're not the first to dive in here and there are a lot of really good solutions already available.

-- Justin

On 2/2/2017 10:52 AM, Phil Hunt (IDM) wrote:
> You are headed down the road to a very big domain called identity management and provisioning.
>
> You might want to look at SCIM (RFC7643, 7644) for a restful api pattern.
>
> SCIM is usually OAuth enabled but the scopes/rights have not yet been standardized. There are, however, some obvious access control patterns that apply from the old ldap directory world.
>
> Phil
>
> On Feb 1, 2017, at 6:36 PM, Yunqi Zhang <zhangyunqi.cs@gmail.com> wrote:
>
>> Hi all,
>>
>> I'm working on a set of API endpoints to allow institutions to manage their users and records, and their users to read their own records.
>>
>> Specifically, each institution will get a {client_id} and a {secret} after registering with us, which allows them to create users under its institution using [POST https://hostname/users/]. Then the institution can also insert records for each user using [POST https://hostname/users/:user_id/]. Once a user has been created, he/she can read his/her own records using [GET https://hostname/users/:user_id/].
>>
>> In this process, there are two types of authentications I would like to achieve, which I'm thinking about using oauth for. However, I am super new to oauth and have four questions.
>>
>> Institution authentication (e.g., company FOO will have READ and WRITE access to https://hostname/ to create users under its own institution, insert records for specific users): (1) Since this part of the system will be created and run by the institution, this should be a "client credential grant" using {client_id} and {secret} of the institution, correct?
>>
>> End-user authentication (e.g., user John Doe of company FOO will have READ access to https://hostname/users/:john_doe_user_id/ to read his own personal records): (2) Because this part of the system will probably run on the web/mobile app created by company FOO, this should be a "resource owner credential grant" using {username}, {password} of the specific user, correct?
>>
>> (3) Because I am allowing two types of different authentications, which will use two types of different {access_token}s I assume, would that be something weird (or hard to build) under the oauth model?
>>
>> (4) What if the web/mobile app created by a subset of the companies already has its own authentication and does not want to create another password for each of its users, what should I do? For example, company FOO has its own authentication for its web/mobile app and does not want to bother creating another password for each of its users (i.e., requires only {username}), whereas company BAR would like to create another password for each user (i.e., requires {username} and {password}). What kind of authentication model should I use for a scenario like this?
>>
>> Thank you very much for your help!
>>
>> Yunqi
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
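The thread's question (3) asks whether a resource server that accepts two kinds of access tokens, institution tokens from the client credentials grant and end-user tokens, is awkward under the OAuth model. The added example below (not code from the thread or from any of its participants) shows the usual answer: the resource server does not care which grant produced the token; it authorises each request from the claims the token carries. A token with no `sub` is treated as acting for the institution named in its `institution` claim and may only manage that institution's users; a token with a `sub` may only read that subject's own records. The claim names (`sub`, `institution`, `scope`), the scope values (`users:write`, `users:read`, `records:read`), the user directory and the endpoint paths are all assumptions constructed for this example; in a real deployment the claims would come from a validated JWT or a token introspection response.

```python
"""Added example: claims-based authorisation for the two-token API in the thread.

Assumptions (constructed for this example, not part of any standard):
  - Institution tokens come from the client credentials grant and carry no `sub`.
  - End-user tokens carry `sub` (the user id) and the institution the user belongs to.
  - Scopes: users:write, users:read (institution), records:read (end user).
"""
from dataclasses import dataclass, field
from typing import Optional

# Constructed user directory: user_id -> owning institution (the institution's client_id).
USERS = {
    "john_doe": "inst_foo",
    "jane_roe": "inst_bar",
}


@dataclass
class Token:
    """Claims of an already-validated access token (signature/expiry checks done elsewhere)."""
    client_id: str                      # the OAuth client the token was issued to
    institution: str                    # institution the token acts for
    scope: set = field(default_factory=set)
    sub: Optional[str] = None           # end user the token acts for; None for client credentials


def _split_path(path: str) -> list:
    """'/users/john_doe/' -> ['users', 'john_doe']; trailing slashes are ignored."""
    return [p for p in path.split("/") if p]


def authorize(token: Token, method: str, path: str) -> bool:
    """Deny-by-default policy for the API sketched in the thread.

    POST /users/        : institution token with users:write
    POST /users/{id}/   : institution token with users:write whose institution owns {id}
    GET  /users/{id}/   : the user themself (sub == id, records:read), or an
                          institution token with users:read whose institution owns {id}
    """
    parts = _split_path(path)
    is_institution_token = token.sub is None

    # Creating a user: only an institution may do this, and (see
    # institution_for_new_user) the new user is bound to the token's institution,
    # never to an institution named in the request body.
    if parts == ["users"] and method == "POST":
        return is_institution_token and "users:write" in token.scope

    if len(parts) == 2 and parts[0] == "users":
        user_id = parts[1]
        owner = USERS.get(user_id)
        if owner is None:
            return False                # unknown user: deny without leaking anything

        if method == "POST":            # inserting records for a user
            return (is_institution_token
                    and "users:write" in token.scope
                    and owner == token.institution)

        if method == "GET":             # reading a user's records
            if not is_institution_token:
                # End-user token: only the record owner, whatever the institution claim says.
                return token.sub == user_id and "records:read" in token.scope
            return "users:read" in token.scope and owner == token.institution

    return False                        # any other method/path combination


def institution_for_new_user(token: Token) -> str:
    """The institution a newly created user is filed under comes from the token,
    so company FOO cannot create users inside company BAR by editing a request field."""
    if token.sub is not None:
        raise PermissionError("end-user tokens cannot create users")
    return token.institution


if __name__ == "__main__":
    foo = Token(client_id="inst_foo", institution="inst_foo", scope={"users:write", "users:read"})
    john = Token(client_id="foo_app", institution="inst_foo", scope={"records:read"}, sub="john_doe")
    print(authorize(foo, "POST", "/users/"), authorize(foo, "POST", "/users/jane_roe/"))
    print(authorize(john, "GET", "/users/john_doe/"), authorize(john, "GET", "/users/jane_roe/"))
```

The point for question (4) follows the same shape: however company FOO authenticates its own users (its own login, or an OpenID Connect identity provider that the resource server trusts), what reaches the resource server is still a token with a `sub`, and the same `authorize` rule applies unchanged.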