Hi Neil,

If I understand correctly, the RFC already allows the use of the Bearer authentication scheme for Proxy authentication and it is more an implementation question?

Thank you
Markus

From: Neil Madden
Sent: Tuesday, January 31, 2023 10:32 AM
To: Warren Parad
Cc: Markus; oauth@ietf.org
Subject: Re: [OAUTH-WG] OAUTH for Web Proxy authentication

Right - RFC 6750 doesn't explicitly define how to send an access token with the Proxy-Authorization/Proxy-Authenticate headers, but states:

    The Bearer authentication scheme is intended primarily for server authentication using the WWW-Authenticate and Authorization HTTP headers but does not preclude its use for proxy authentication.

As far as I'm aware you can use it in a straightforward way with those headers for proxy auth, the same as for any other HTTP auth scheme (i.e., literally just rename the headers in the examples).

I think the sticking point will be how browsers respond to a Proxy-Authenticate header with scheme Bearer. I guess not very well, given that they won't know where the AS is. You'd need something like UMA's as_uri hint in the challenge and then you'd need to get browsers to implement that.

It's not really clear what OAuth adds to this scenario anyway - there's no scope restriction going on, right? These days I guess most proxy usage is a single CONNECT and then it's just a dumb tunnel for encrypted traffic - unless you're doing TLS interception, in which case I think the IETF and browser vendors won't be very interested - see e.g. RFC 7258 (Pervasive Monitoring Is an Attack).

-- Neil

On 31 Jan 2023, at 09:47, Warren Parad <wparad=40rhosys...@dmarc.ietf.org> wrote:

Markus, could you shed some light on how this would be different from the normal OAuth flow between any resource server and the user agent? Proxies today could already start accepting OAuth authorization following the OAuth spec, right?

On Tue, Jan 31, 2023 at 12:48 AM Markus <mar...@moeller.plus.com> wrote:

Hi Rifaat,

Right now a browser uses either Basic, NTLM, Kerberos or Negotiate authentication to a proxy, which are all old methods and no longer appropriate with Microsoft AD moving to Azure AD.
Other methods like OAUTH might now be more appropriate, assuming enterprises still require proxy-based controls at their borders to the Internet.

Regards
Markus

From: Rifaat Shekh-Yusef
Sent: Monday, January 30, 2023 6:12 PM
To: Markus
Cc: oauth@ietf.org; George Fletcher
Subject: Re: [OAUTH-WG] OAUTH for Web Proxy authentication

Hi Markus,

As George mentioned, there is no such document that covers this. What use case(s) do you have in mind for this?

Regards,
Rifaat

On Sat, Jan 28, 2023 at 7:50 PM Markus <mar...@moeller.plus.com> wrote:

Thank you.

Regards
Markus

From: George Fletcher
Sent: Saturday, January 28, 2023 1:43 PM
To: Markus; oauth@ietf.org
Subject: Re: [OAUTH-WG] OAUTH for Web Proxy authentication

To my knowledge that spec doesn't exist. I'll let others chime in if they have seen a proposal in that regard. In regards to which working group, given the core topic is OAuth authorization, I would present it here at a minimum.

Thanks,
George

On 1/22/23 7:06 AM, Markus PlusNet wrote:

Dear WG,

I am new to oauth and wonder which WG would be responsible for reviewing a Spec for Proxy authentication https://httpwg.org/specs/rfc9110.html#auth.client.proxy using oauth, or does that spec already exist?

Thank you
Markus

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
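
The header renaming described in the thread (Bearer carried in Proxy-Authenticate / Proxy-Authorization instead of WWW-Authenticate / Authorization), written out as proxy-side logic in Python. This is an added example, not code from the thread or from any proxy product; the realm, the constructed token set standing in for real token validation, and the mapping of RFC 6750's 401 responses to 407 are assumptions.

```python
import re

# b64token syntax for Bearer credentials (RFC 6750, section 2.1).
B64TOKEN = re.compile(r"[A-Za-z0-9\-._~+/]+=*")

# Constructed sample value; a real proxy would validate the token with the
# authorization server (introspection or signature check) instead (assumption).
VALID_TOKENS = {"example-token-123"}


def challenge(status, realm, error=None):
    """Build a response carrying a Bearer challenge in Proxy-Authenticate."""
    params = [f'realm="{realm}"']
    if error:
        params.append(f'error="{error}"')
    return status, {"Proxy-Authenticate": "Bearer " + ", ".join(params)}


def authorize(headers, realm="proxy.example"):
    """Return (status, response_headers) for a request arriving at the proxy."""
    hdrs = {k.lower(): v for k, v in headers.items()}  # names are case-insensitive
    value = hdrs.get("proxy-authorization")
    if value is None:
        return challenge(407, realm)  # no credentials: challenge without error
    scheme, _, token = value.strip().partition(" ")
    if scheme.lower() != "bearer":
        return challenge(407, realm)  # other scheme: ask for Bearer instead
    token = token.strip()
    if not B64TOKEN.fullmatch(token):
        return challenge(400, realm, "invalid_request")  # malformed credentials
    if token not in VALID_TOKENS:
        return challenge(407, realm, "invalid_token")  # unknown or expired token
    return 200, {}


def strip_proxy_credentials(headers):
    """Drop Proxy-Authorization before forwarding so the bearer token,
    which is usable by anyone who holds it, never reaches the origin."""
    return {k: v for k, v in headers.items() if k.lower() != "proxy-authorization"}
```

Because a bearer token is sent in clear inside the header, the client-to-proxy hop itself needs TLS for this to be safe.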