[woes] Native JWT support in Google App Engine
Eric Sachs <esachs@google.com> Wed, 06 April 2011 19:41 UTC
Return-Path: <esachs@google.com>
X-Original-To: woes@core3.amsl.com
Delivered-To: woes@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 7B0E13A6952 for <woes@core3.amsl.com>; Wed, 6 Apr 2011 12:41:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -105.976
X-Spam-Level:
X-Spam-Status: No, score=-105.976 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ly3Mqx84ZnIN for <woes@core3.amsl.com>; Wed, 6 Apr 2011 12:41:23 -0700 (PDT)
Received: from smtp-out.google.com (smtp-out.google.com [216.239.44.51]) by core3.amsl.com (Postfix) with ESMTP id 7C71D3A63CA for <woes@ietf.org>; Wed, 6 Apr 2011 12:41:23 -0700 (PDT)
Received: from wpaz1.hot.corp.google.com (wpaz1.hot.corp.google.com [172.24.198.65]) by smtp-out.google.com with ESMTP id p36Jh7SL011708 for <woes@ietf.org>; Wed, 6 Apr 2011 12:43:07 -0700
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=google.com; s=beta; t=1302118987; bh=uSgx474lvo8/yU4Tc7BxQMSl0l4=; h=MIME-Version:Date:Message-ID:Subject:From:To:Content-Type; b=vHAejwcNOj+YEJXftSqA2JJ7qn/bK3Mw5sIOfmtzYms3t0bhpD+jQdY5zlG7Y8X/r Oy/zRKfzDVyEthiVVvIeQ==
Received: from qwh5 (qwh5.prod.google.com [10.241.194.197]) by wpaz1.hot.corp.google.com with ESMTP id p36Jh61L022610 (version=TLSv1/SSLv3 cipher=RC4-SHA bits=128 verify=NOT) for <woes@ietf.org>; Wed, 6 Apr 2011 12:43:06 -0700
Received: by qwh5 with SMTP id 5so1092517qwh.6 for <woes@ietf.org>; Wed, 06 Apr 2011 12:43:06 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=beta; h=domainkey-signature:mime-version:date:message-id:subject:from:to :content-type; bh=fhDVTZmNfZJjSbF7dA8W0UUCSvWJedsC8XOwTRxY/6M=; b=rxTwOx8F9yeTWqNSPhAvQ971SlKr/IZDMT2ZqJD88ZR/GkndiaypxWvQ2GzTUOWpf6 oNHLTZjqCHkTSkbWdrng==
DomainKey-Signature: a=rsa-sha1; c=nofws; d=google.com; s=beta; h=mime-version:date:message-id:subject:from:to:content-type; b=hCP1Y6jZLiIxRH/9RE1iPhX4KyQNPco5omABIaoyenSLdgSzOef0NDqcYLV0uw84WI wdmENUk7hEurnVEVfCNA==
MIME-Version: 1.0
Received: by 10.229.99.10 with SMTP id s10mr9419qcn.123.1302118985798; Wed, 06 Apr 2011 12:43:05 -0700 (PDT)
Received: by 10.229.73.202 with HTTP; Wed, 6 Apr 2011 12:43:05 -0700 (PDT)
Date: Wed, 06 Apr 2011 12:43:05 -0700
Message-ID: <BANLkTikAd0gbN2x8cWQQRZXwehugCE3tXw@mail.gmail.com>
From: Eric Sachs <esachs@google.com>
To: woes@ietf.org
Content-Type: multipart/alternative; boundary="90e6ba308c6a9a94d504a04533d6"
X-System-Of-Record: true
Subject: [woes] Native JWT support in Google App Engine
X-BeenThere: woes@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "Web Object Encryption and Signing \(woes\) BOF discussion list" <woes.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/woes>, <mailto:woes-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/woes>
List-Post: <mailto:woes@ietf.org>
List-Help: <mailto:woes-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/woes>, <mailto:woes-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 06 Apr 2011 19:41:24 -0000
Google has just added native support for JWT to Google App Engine. Here is the documentation: https://sites.google.com/site/oauthgoog/authenticate-google-app-engine-app Our hope is to work with other players in the cloud computing space to improve some elements of cloud security by using PKI, JWT & OAuth2 for interop between our systems. Based on past industry discussion, we wroteup a description of some of the general interop use-cases: https://sites.google.com/site/oauthgoog/robotaccounts/cloudtoonpremise https://sites.google.com/site/oauthgoog/robotaccounts/onpremisetocloud While this new feature in Google App Engine is a significant step for Google, we realize there is more to do on our side such as adding support for JWT assertions in our recently announced OAuth2 support for Google APIs<http://googlecode.blogspot.com/2011/03/making-auth-easier-oauth-20-for-google.html>. However we would prefer to get feedback from this group on a standard approach, including around key rotation/management. Eric Sachs Senior Product Manager, Internet Identity Google