Re: [OAUTH-WG] Confirmation: Call for Adoption of "OAuth Token Introspection" as an OAuth Working Group Item

Tue, 29 Jul 2014 18:18:28 -0700 

Mike's proposal may be sufficient for Thomas' case given a small token 
lifetime. 

The federated cases may have other issues....

How does the RS know who issued the opaque token and what introspection point 
is authoritative? 

I am not saying your spec is not the right answer. I am just not prepared to 
limit functionality yet by adopting the draft until we have sufficient 
requirements understood. 

Let the rest of us catch up please. 

Phil

> On Jul 29, 2014, at 18:07, Justin Richer <jric...@mit.edu> wrote:
> 
> So you want a service where the RS can call an HTTP endpoint to see if the 
> token is alive or not? That sounds like an awesome idea! Very useful for a 
> variety of use cases that people have already mentioned on that list. Maybe 
> that service should respond in JSON with, say, { "active": true } if it's 
> still valid. That's a great start, and that should obviously be MTI.
> 
> But while we're there, we probably want to know what else the token is for, 
> since this service will probably know that, so let's add in the "scope" and 
> "client_id" and whatever other meta-information we have about the token. If 
> this endpoint doesn't have that information? Well then, I guess it can't 
> return it. So we need to make sure to be flexible about that while we define 
> a common core set of semantics. Flexibility like that is very powerful and 
> could be used in a variety of protocols and deployments across domains and 
> vendors.
> 
> You know, this idea is sounding better and better. In fact, I'll do you one 
> better. I think this is such a fantastic idea that I wrote it all down in RFC 
> format:
> 
> http://tools.ietf.org/html/draft-richer-oauth-introspection-06
> 
> Glad to have you on board, Phil.
> 
>  -- Justin
> 
>> On 7/29/2014 9:02 PM, Phil Hunt wrote:
>> I think one alternative to an introspection service is a revocation status 
>> service. 
>> 
>> But it is often not needed if token lifetimes are small (minutes / session 
>> life) compared to the refresh token which might last much longer. 
>> 
>> Again having info on the case helps explain the requirements of your case 
>> and we can tell what the best pattern is. 
>> 
>> Phil
>> 
>> On Jul 29, 2014, at 17:55, Thomas Broyer <t.bro...@gmail.com> wrote:
>> 
>>> Try it where? When you're the RS trying to determine whether you should 
>>> accept the token or reject it?
>>> 
>>> Le 30 juil. 2014 02:49, "Mike Jones" <michael.jo...@microsoft.com> a écrit :
>>>> Yes, but that’s the simplest thing to determine – try the token and see 
>>>> whether it works or not.
>>>> 
>>>>  
>>>> 
>>>> From: Thomas Broyer [mailto:t.bro...@gmail.com] 
>>>> Sent: Tuesday, July 29, 2014 5:43 PM
>>>> To: Mike Jones
>>>> Cc: <oauth@ietf.org>; George Fletcher; Phil Hunt
>>>> Subject: RE: [OAUTH-WG] Confirmation: Call for Adoption of "OAuth Token 
>>>> Introspection" as an OAuth Working Group Item
>>>> 
>>>>  
>>>> 
>>>> Decoding a token with a specific format wouldn't tell you whether the 
>>>> token is still live: it could have been revoked before its expiration.
>>>> 
>>>> Le 30 juil. 2014 02:16, "Mike Jones" <michael.jo...@microsoft.com> a écrit 
>>>> :
>>>> 
>>>> Did you consider standardizing the access token format within that 
>>>> deployment so all the parties that needed to could understand it, rather 
>>>> requiring an extra round trip to an introspection endpoint so as to be 
>>>> able to understand things about it?
>>>> 
>>>>  
>>>> 
>>>> I realize that might or might not be practical in some cases, but I 
>>>> haven’t heard that alternative discussed, so I thought I’d bring it up.
>>>> 
>>>>  
>>>> 
>>>> I also second Phil’s comment that it would be good to understand the use 
>>>> cases that this is intended to solve before embarking on a particular 
>>>> solution path.
>>>> 
>>>>  
>>>> 
>>>>                                                                            
>>>>              -- Mike
>>>> 
>>>>  
>>>> 
>>>> From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of George Fletcher
>>>> Sent: Tuesday, July 29, 2014 3:25 PM
>>>> To: Phil Hunt; Thomas Broyer
>>>> Cc: oauth@ietf.org
>>>> Subject: Re: [OAUTH-WG] Confirmation: Call for Adoption of "OAuth Token 
>>>> Introspection" as an OAuth Working Group Item
>>>> 
>>>>  
>>>> 
>>>> We also have a use case where the AS is provided by a partner and the RS 
>>>> is provided by AOL. Being able to have a standardized way of validating 
>>>> and getting data about the token from the AS would make our implementation 
>>>> much simpler as we can use the same mechanism for all Authorization 
>>>> Servers and not have to implement one off solutions for each AS.
>>>> 
>>>> Thanks,
>>>> George
>>>> 
>>>> On 7/28/14, 8:11 PM, Phil Hunt wrote:
>>>> 
>>>> Could we have some discussion on the interop cases?
>>>> 
>>>>  
>>>> 
>>>> Is it driven by scenarios where AS and resource are separate domains? Or 
>>>> may this be only of interest to specific protocols like UMA?
>>>> 
>>>>  
>>>> 
>>>> From a technique principle, the draft is important and sound. I am just 
>>>> not there yet on the reasons for an interoperable standard. 
>>>> 
>>>>  
>>>> 
>>>> Phil
>>>> 
>>>> 
>>>> On Jul 28, 2014, at 17:00, Thomas Broyer <t.bro...@gmail.com> wrote:
>>>> 
>>>> Yes. This spec is of special interest to the platform we're building for 
>>>> http://www.oasis-eu.org/
>>>> 
>>>>  
>>>> 
>>>> On Mon, Jul 28, 2014 at 7:33 PM, Hannes Tschofenig 
>>>> <hannes.tschofe...@gmx.net> wrote:
>>>> 
>>>> Hi all,
>>>> 
>>>> during the IETF #90 OAuth WG meeting, there was strong consensus in
>>>> adopting the "OAuth Token Introspection"
>>>> (draft-richer-oauth-introspection-06.txt) specification as an OAuth WG
>>>> work item.
>>>> 
>>>> We would now like to verify the outcome of this call for adoption on the
>>>> OAuth WG mailing list. Here is the link to the document:
>>>> http://datatracker.ietf.org/doc/draft-richer-oauth-introspection/
>>>> 
>>>> If you did not hum at the IETF 90 OAuth WG meeting, and have an opinion
>>>> as to the suitability of adopting this document as a WG work item,
>>>> please send mail to the OAuth WG list indicating your opinion (Yes/No).
>>>> 
>>>> The confirmation call for adoption will last until August 10, 2014.  If
>>>> you have issues/edits/comments on the document, please send these
>>>> comments along to the list in your response to this Call for Adoption.
>>>> 
>>>> Ciao
>>>> Hannes & Derek
>>>> 
>>>> 
>>>> _______________________________________________
>>>> OAuth mailing list
>>>> OAuth@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>> 
>>>> 
>>>> 
>>>>  
>>>> 
>>>> -- 
>>>> Thomas Broyer
>>>> /tɔ.ma.bʁwa.je/
>>>> 
>>>> _______________________________________________
>>>> OAuth mailing list
>>>> OAuth@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>> 
>>>> 
>>>> 
>>>> _______________________________________________
>>>> OAuth mailing list
>>>> OAuth@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/oauth
>> 
>> 
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
> 

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

Reply via email to