Re: [woes] Preview of Google API support for OAuth2 assertion flow

Eric Sachs <esachs@google.com> Tue, 17 May 2011 19:53 UTC

Return-Path: <esachs@google.com>
X-Original-To: woes@ietfa.amsl.com
Delivered-To: woes@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 73C1BE0783 for <woes@ietfa.amsl.com>; Tue, 17 May 2011 12:53:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -105.976
X-Spam-Level:
X-Spam-Status: No, score=-105.976 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id goHRk0TJNqKo for <woes@ietfa.amsl.com>; Tue, 17 May 2011 12:53:08 -0700 (PDT)
Received: from smtp-out.google.com (smtp-out.google.com [74.125.121.67]) by ietfa.amsl.com (Postfix) with ESMTP id 91CBAE0798 for <woes@ietf.org>; Tue, 17 May 2011 12:53:04 -0700 (PDT)
Received: from hpaq11.eem.corp.google.com (hpaq11.eem.corp.google.com [172.25.149.11]) by smtp-out.google.com with ESMTP id p4HJr37K012393 for <woes@ietf.org>; Tue, 17 May 2011 12:53:03 -0700
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=google.com; s=beta; t=1305661983; bh=AveHm971QV8Dxa7QhnzZolw3oqM=; h=MIME-Version:In-Reply-To:References:Date:Message-ID:Subject:From: To:Cc:Content-Type; b=MRDZDYqDvwV81whws7+Ou63tRZefZ1R1fn0G0ZjodVsQNTB6dY1Dh2S0wg9p/VnuD yRwwzJ35KVAuKqmf9m78Q==
Received: from yic13 (yic13.prod.google.com [10.243.65.141]) by hpaq11.eem.corp.google.com with ESMTP id p4HJqLc7025064 (version=TLSv1/SSLv3 cipher=RC4-SHA bits=128 verify=NOT) for <woes@ietf.org>; Tue, 17 May 2011 12:53:02 -0700
Received: by yic13 with SMTP id 13so293788yic.3 for <woes@ietf.org>; Tue, 17 May 2011 12:53:02 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=beta; h=domainkey-signature:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=MpBN+GO/rBNB7sKoa/6m9e4WHVR0wgbIyaB0yU+VBXQ=; b=ZC81a3uP4Gl4sSFM+ZBWL/H9VR8piHuQFW2LvelT+hLekeD2PW4L0sWZORoKXGG8nI Fd10oDuoMNkH4vYw8RHQ==
DomainKey-Signature: a=rsa-sha1; c=nofws; d=google.com; s=beta; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; b=IszFgsxiqkHR2zs9Sp5+b0ojBt5HJjfFdzpl2QCcJ6vCWnSuDrabaSImxTEUdj6xdp QIqc+FCYZQ7dpFJE1rHQ==
MIME-Version: 1.0
Received: by 10.150.55.10 with SMTP id d10mr783381yba.21.1305661981170; Tue, 17 May 2011 12:53:01 -0700 (PDT)
Received: by 10.151.85.7 with HTTP; Tue, 17 May 2011 12:53:01 -0700 (PDT)
In-Reply-To: <C9F80500.19B8D%cmortimore@salesforce.com>
References: <BANLkTim=Zum0CN=xoAGTrm6NgUM8GG7T+w@mail.gmail.com> <C9F80500.19B8D%cmortimore@salesforce.com>
Date: Tue, 17 May 2011 21:53:01 +0200
Message-ID: <BANLkTinK6PLOfiPtA17S58xLY77OM5D0Yw@mail.gmail.com>
From: Eric Sachs <esachs@google.com>
To: Chuck Mortimore <cmortimore@salesforce.com>
Content-Type: multipart/alternative; boundary="000e0cd61a08959c8104a37e1ef0"
X-System-Of-Record: true
Cc: Jian Cai ☑ <jcai@google.com>, "woes@ietf.org" <woes@ietf.org>
Subject: Re: [woes] Preview of Google API support for OAuth2 assertion flow
X-BeenThere: woes@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "Web Object Encryption and Signing \(woes\) BOF discussion list" <woes.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/woes>, <mailto:woes-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/woes>
List-Post: <mailto:woes@ietf.org>
List-Help: <mailto:woes-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/woes>, <mailto:woes-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 17 May 2011 19:53:09 -0000

>> I’m hoping to have some community review in person at the interim meeting
>> on Monday – will you be there?
Unfortunately I will not be able to attend the Monday IETF OAuth meeting.
Currently only Marius from Google is attending; however, Jian is going to
see if he can join Marius.

As to your technical questions, I will let Jian answer.

On Tue, May 17, 2011 at 7:57 PM, Chuck Mortimore
<cmortimore@salesforce.com> wrote:

>  Hi Eric – we’re currently implementing these flows, and I’m working on a
> draft to capture both these flows and I’m hoping to have some community
> review in person at the interim meeting on Monday – will you be there?
>
> Also, a few questions on what you’ve implemented
>
>
>    - You don’t seem to ever have a “prn” defined in your JWT – what was
>    the reasoning behind this?
>    - The URL for the keys is explicitly registered on your side,
>    and never carried in a “jku” or “x5u” field...is that correct?    (Note that
>    we’re starting with statically configured PEM certs)
>    - scope – my current thinking is that since this is the token endpoint,
>    authorization has already occurred.  It seems like scope should be optional
>    and only used to downgrade capabilities.   What is google’s thinking?
>    - In your client authentication flow, you never declare the assertion
>    type – was this intentionally omitted?
>
>
> -cmort
>
>
> On 5/16/11 6:12 PM, "Eric Sachs" <esachs@google.com> wrote:
>
> Last month we announced support for Google App Engine apps to create signed
> JWTs, such as for use in OAuth2 assertion flows.  We are now providing a
> preview of the ability for developers to make API calls to Google using
> OAuth2 assertions in JWT format.  The documentation (including pointers to
> sample apps and their source code) is at:
>
> https://sites.google.com/site/oauthgoog/Home/google-oauth2-assertion-flow
>
> As we discussed at the InternetIdentityWorkshop, we are interested in
> working with vendors in interop using these techniques.
>
>
>
> ---------- Forwarded message ----------
> From: *Eric Sachs* <esachs@google.com>
> Date: Wed, Apr 6, 2011 at 12:43 PM
> Subject: Native JWT support in Google App Engine
> To: woes@ietf.org
>
>
> Google has just added native support for JWT to Google App Engine.  Here is
> the documentation:
>
> https://sites.google.com/site/oauthgoog/authenticate-google-app-engine-app
>
> Our hope is to work with other players in the cloud computing space to
> improve some elements of cloud security by using PKI, JWT & OAuth2 for
> interop between our systems.
>
> Based on past industry discussion, we wrote up a description of some of the
> general interop use-cases:
>
> https://sites.google.com/site/oauthgoog/robotaccounts/cloudtoonpremise
> https://sites.google.com/site/oauthgoog/robotaccounts/onpremisetocloud
>
> While this new feature in Google App Engine is a significant step for
> Google, we realize there is more to do on our side such as adding support
> for JWT assertions in our recently announced OAuth2 support for Google APIs
> <http://googlecode.blogspot.com/2011/03/making-auth-easier-oauth-20-for-google.html>.
> However, we would prefer to get feedback from this group on a standard
> approach, including around key rotation/management.
>
>
> Eric Sachs
> Senior Product Manager, Internet Identity
> Google
>
>
>
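An added example, not code from Google's preview, from either correspondent, or from the linked documentation, illustrating the points raised in the thread: a JWT assertion that carries iss, prn, an optional scope, aud, exp and iat, signed with RS256 and verified by a token endpoint that holds the client's key in its own registry (keyed by iss, an assumption about how static registration works) rather than fetching it from a jku or x5u header. The issuer, principal and audience strings are constructed for the example, and the key is generated on the fly rather than read from a PEM file.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims is the assertion claim set discussed in the thread: iss (the client),
// prn (the principal the assertion speaks for), scope (optional), aud (the
// token endpoint), exp and iat. Claim names follow the JWT draft; every value
// used below is constructed for this example.
type Claims struct {
	Iss   string `json:"iss"`
	Prn   string `json:"prn,omitempty"`
	Scope string `json:"scope,omitempty"`
	Aud   string `json:"aud"`
	Exp   int64  `json:"exp"`
	Iat   int64  `json:"iat"`
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// SignJWT produces header.payload.signature with RS256 (PKCS#1 v1.5 over
// SHA-256). The header deliberately carries no jku/x5u: the verifier is
// expected to already hold the client's key.
func SignJWT(key *rsa.PrivateKey, c Claims) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	body, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	input := b64(hdr) + "." + b64(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64(sig), nil
}

// VerifyJWT is the token-endpoint side with statically registered keys: the
// public key is chosen by the iss claim from a local registry (any jku/x5u
// header is ignored), alg is pinned to RS256, aud must name this endpoint,
// exp must not have passed, and prn must be present so the endpoint knows
// which principal it is issuing a token for.
func VerifyJWT(tok string, registry map[string]*rsa.PublicKey, expectedAud string, now time.Time) (*Claims, error) {
	parts := strings.Split(tok, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	hdrRaw, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return nil, err
	}
	var hdr map[string]string
	if err := json.Unmarshal(hdrRaw, &hdr); err != nil {
		return nil, err
	}
	if hdr["alg"] != "RS256" {
		return nil, fmt.Errorf("unsupported alg %q", hdr["alg"])
	}
	bodyRaw, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var c Claims
	if err := json.Unmarshal(bodyRaw, &c); err != nil {
		return nil, err
	}
	pub, ok := registry[c.Iss] // key comes from our registry, never from the token
	if !ok {
		return nil, fmt.Errorf("unregistered issuer %q", c.Iss)
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, errors.New("signature does not verify")
	}
	if c.Aud != expectedAud {
		return nil, fmt.Errorf("aud %q is not this endpoint", c.Aud)
	}
	if !now.Before(time.Unix(c.Exp, 0)) {
		return nil, errors.New("assertion expired")
	}
	if c.Prn == "" {
		return nil, errors.New("prn claim missing")
	}
	return &c, nil
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048) // constructed client key
	now := time.Now()
	registry := map[string]*rsa.PublicKey{"app@example.test": &key.PublicKey}
	tok, _ := SignJWT(key, Claims{Iss: "app@example.test", Prn: "user@example.test",
		Aud: "https://token.example.test/", Exp: now.Unix() + 3600, Iat: now.Unix()})
	c, err := VerifyJWT(tok, registry, "https://token.example.test/", now)
	fmt.Println(c, err)
}
```

Scope is left optional here, in line with the view that authorization has already happened by the time the assertion reaches the token endpoint, so scope can only narrow what the resulting token may do; the endpoint would intersect it with what the registered client is allowed. Pinning alg and resolving the key by iss from local configuration is what makes the absence of jku/x5u safe: the token never gets to tell the verifier where its key lives.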