Right - RFC 6750 doesn't explicitly define how to send an access token with the 
Proxy-Authorization/Proxy-Authenticate headers, but states:

   The Bearer authentication scheme is intended primarily for
   server authentication using the WWW-Authenticate and Authorization
   HTTP headers but does not preclude its use for proxy authentication.

As far as I'm aware you can use it in a straightforward way with those headers 
for proxy auth, the same as for any other HTTP auth scheme (i.e., literally 
just rename the headers in the examples).

I think the sticking point will be how browsers respond to a Proxy-Authenticate 
header with scheme Bearer. I guess not very well, given that they won't know 
where the AS is. You'd need something like UMA's as_uri hint in the challenge 
and then you'd need to get browsers to implement that. 

It's not really clear what OAuth adds to this scenario anyway - there's no 
scope restriction going on, right? These days I guess most proxy usage is a 
single CONNECT and then it's just a dumb tunnel for encrypted traffic - unless 
you're doing TLS interception, in which case I think the IETF and browser 
vendors won't be very interested - see e.g. RFC 7258 (Pervasive Monitoring Is 
an Attack).

-- Neil

> On 31 Jan 2023, at 09:47, Warren Parad <wparad=40rhosys...@dmarc.ietf.org> 
> wrote:
> 
> Markus, could you shed some light on how this would be different from the 
> normal OAuth flow between any resource server and the user agent? Proxies 
> today could already start accepting OAuth authorization following the OAuth 
> spec, right?
> 
> On Tue, Jan 31, 2023 at 12:48 AM Markus <mar...@moeller.plus.com> wrote:
> Hi Rifaat,
>  
>     Right now a browser uses either basic, NTLM, Kerberos or Negotiate 
> authentication to a proxy, which are all old methods and no longer 
> appropriate with Microsoft AD moving to Azure AD. Other methods like OAUTH 
> might now be more appropriate assuming enterprises still require proxy based 
> controls at their borders to the Internet.
>  
> Regards
> Markus
>  
> From: Rifaat Shekh-Yusef
> Sent: Monday, January 30, 2023 6:12 PM
> To: Markus
> Cc: oauth@ietf.org; George Fletcher
> Subject: Re: [OAUTH-WG] OAUTH for Web Proxy authentication
>  
> Hi Markus,
>  
> As George mentioned, there is no such document that covers this.
> What use case(s) do you have in mind for this?
>  
> Regards,
> Rifaat
>  
>  
> On Sat, Jan 28, 2023 at 7:50 PM Markus <mar...@moeller.plus.com> wrote:
> Thank you.
>  
> Regards
> Markus
> From: George Fletcher
> Sent: Saturday, January 28, 2023 1:43 PM
> To: Markus; oauth@ietf.org
> Subject: Re: [OAUTH-WG] OAUTH for Web Proxy authentication
>  
> To my knowledge that spec doesn't exist. I'll let others chime in if they 
> have seen a proposal in that regard.
> 
> In regards to which working group, given the core topic is OAuth 
> authorization, I would present it here at a minimum.
> 
> Thanks,
> George
> 
> On 1/22/23 7:06 AM, Markus PlusNet wrote:
>> Dear WG,
>>  
>>     I am new to oauth and wonder which WG would be responsible for reviewing 
>> a Spec for Proxy authentication 
>> https://httpwg.org/specs/rfc9110.html#auth.client.proxy using oauth or 
>> does that spec already exist?
>>  
>> Thank you
>> Markus
>>  
>> 
>> 
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
> 

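The "rename the headers" reading discussed in the reply at the top of this thread, as an added example that is not part of the original messages: a proxy-side check that applies RFC 6750's credentials syntax and challenge parameters to Proxy-Authorization and Proxy-Authenticate. Mapping RFC 6750's 401 responses to 407, the realm name, the function names and the in-memory token set are assumptions of this example.

```python
import hmac
import re

# RFC 6750 section 2.1 credentials syntax: "Bearer" 1*SP b64token
_BEARER = re.compile(r"^Bearer +([A-Za-z0-9\-._~+/]+=*)$", re.IGNORECASE)

# Sample token store (assumption): the value is the example token printed in
# RFC 6750. A real proxy would introspect the token or verify a signed JWT.
VALID_TOKENS = {"mF_9.B5f-4.1JqM"}

def challenge(realm, error=None, description=None):
    """Build a Proxy-Authenticate value from RFC 6750 section 3 parameters."""
    params = [f'realm="{realm}"']
    if error:
        params.append(f'error="{error}"')
    if description:
        params.append(f'error_description="{description}"')
    return "Bearer " + ", ".join(params)

def token_is_valid(token):
    # Constant-time comparison against each known token.
    return any(hmac.compare_digest(token.encode(), t.encode()) for t in VALID_TOKENS)

def check_proxy_auth(headers, realm="example-proxy"):
    """Return (status, response_headers); 200 means 'forward the request'."""
    value = next((v for k, v in headers.items()
                  if k.lower() == "proxy-authorization"), None)
    if value is None or value.strip().split(" ", 1)[0].lower() != "bearer":
        # No Bearer credentials: plain challenge, no error code (RFC 6750 3.1).
        return 407, {"Proxy-Authenticate": challenge(realm)}
    match = _BEARER.match(value.strip())
    if match is None:
        # Bearer scheme present but the token is not a valid b64token.
        return 400, {"Proxy-Authenticate": challenge(
            realm, "invalid_request", "malformed Bearer credentials")}
    if not token_is_valid(match.group(1)):
        return 407, {"Proxy-Authenticate": challenge(
            realm, "invalid_token", "token unknown or expired")}
    return 200, {}
```
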