Re: [OAUTH-WG] prompt parameter for Authorization Request

2012-09-14 Thread Richer, Justin P.
I don't think it actually makes sense in core anyway, because there are flows 
where there's no user interaction and such a parameter doesn't make any sense. 
This is the kind of thing that would fit really well with the UX extension that 
David put up two years ago:

http://tools.ietf.org/html/draft-recordon-oauth-v2-ux-00

As far as I know, nobody's picked it up or stated that they intend to keep 
bringing it forward as its own extension, but OIDC has picked up the display 
parameter and extended the context with the prompt parameter (among others).



 -- Justin

On Sep 13, 2012, at 4:36 PM, Lewis Adam-CAL022 wrote:

Hi,

OpenID Connect defines a parameter for the Authorization Request that I really 
like a lot, the prompt parameter which can force the AS to re-challenge the 
user for primary authentication.

This would be a nice feature to have for OAuth too.

I have some high assurance use cases where my resource servers will require a 
certain “freshness” of the access token.  The RS will only accept an AT within a 
certain lifetime (say for example 1hr).  If a client presents an AT to the RS 
that was minted over 1hr ago, the RS (via its RESTful API) will return an error 
message indicating such to the client.  Further, the RS requires explicit 
re-authentication of the end user (by the AS) to obtain a new token.

However, if the UA still has an active session with the AS, the AS will not 
know to re-prompt for primary auth.

Hence having a PROMPT parameter in OAuth would be ideal.

Obviously, the train has left the station in terms of the core draft.  But I’m 
wondering if anybody else has come across such use cases before?


Tx
adam




___
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth


Re: [OAUTH-WG] prompt parameter for Authorization Request

2012-09-14 Thread Zeltsan, Zachary (Zachary)
Adam,

In your use case, how does AS request user re-authentication?
In OAuth the user agent is redirected back to the Client after the user has 
authorized the client.
The AS is a web server and cannot initiate a call to the user agent. I assume 
that the request to re-authenticate comes in a response from RS to the Client, 
and then the Client in a response to the user agent redirects the user agent 
back to the AS for another round of authentication and authorization. Is this 
correct?
I would like to learn more about your use case. Do you have a pointer to a 
description?

Zachary


Original Message
Subject: [OAUTH-WG] prompt parameter for Authorization Request
Date: Thu, 13 Sep 2012 20:36:13 +
From: Lewis Adam-CAL022 adam.le...@motorolasolutions.com
To: oauth@ietf.org

___
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
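As an added example (not code from the thread) of the round trip Adam and Zachary describe: the RS rejects an access token minted more than an hour ago with an RFC 6750 challenge, and the client then redirects the user agent back to the AS with OpenID Connect's prompt=login (and max_age=0) so the AS re-challenges the user despite an existing AS session. The endpoint URL, client id and the "iat" claim layout are assumptions.

```python
import time
from urllib.parse import urlencode

# Resource-server policy from the thread: an access token minted more than
# one hour ago is rejected even if it has not expired yet.
MAX_TOKEN_AGE_SECONDS = 3600


def check_token_freshness(claims, now=None, max_age=MAX_TOKEN_AGE_SECONDS):
    """RS side. `claims` is the token payload after signature/expiry validation
    (assumed to carry an "iat" issued-at timestamp). Returns (accepted, header):
    header is the RFC 6750 WWW-Authenticate value sent back on rejection."""
    now = int(time.time()) if now is None else now
    issued_at = claims.get("iat")
    if not isinstance(issued_at, int) or now - issued_at > max_age:
        header = ('Bearer error="invalid_token", '
                  'error_description="access token older than %d seconds, '
                  'user re-authentication required"' % max_age)
        return False, header
    return True, None


def rs_demands_fresh_token(www_authenticate):
    """Client side: decide from the RS challenge whether to go back to the AS."""
    return 'error="invalid_token"' in www_authenticate


def build_reauth_request(authz_endpoint, client_id, redirect_uri, state):
    """Client side. Sends the user agent back to the AS with OpenID Connect's
    prompt=login so the AS re-challenges the user even though the browser may
    still hold an active AS session; max_age=0 asks for the same via auth_time."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid",
        "state": state,          # must be unguessable and checked on return
        "prompt": "login",
        "max_age": "0",
    }
    return authz_endpoint + "?" + urlencode(params)


if __name__ == "__main__":
    now = 1347570973  # constructed "now" (13 Sep 2012), not a real clock read
    stale = {"sub": "alice", "iat": now - 7200}
    ok, challenge = check_token_freshness(stale, now)
    if not ok and rs_demands_fresh_token(challenge):
        print(build_reauth_request("https://as.example/authorize",
                                   "client-123", "https://client.example/cb", "xyz"))
```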


[OAUTH-WG] I-D Action: draft-ietf-oauth-assertions-06.txt

2012-09-14 Thread internet-drafts

A New Internet-Draft is available from the on-line Internet-Drafts directories.
 This draft is a work item of the Web Authorization Protocol Working Group of 
the IETF.

Title   : Assertion Framework for OAuth 2.0
Author(s)   : Brian Campbell
  Chuck Mortimore
  Michael B. Jones
  Yaron Y. Goland
Filename: draft-ietf-oauth-assertions-06.txt
Pages   : 22
Date: 2012-09-14

Abstract:
   This specification provides a framework for the use of assertions
   with OAuth 2.0 in the form of a new client authentication mechanism
   and a new authorization grant type.  Mechanisms are specified for
   transporting assertions during interactions with a token endpoint, as
   well as general processing rules.

   The intent of this specification is to provide a common framework for
   OAuth 2.0 to interwork with other identity systems using assertions,
   and to provide alternative client authentication mechanisms.

   Note that this specification only defines abstract message flows and
   processing rules.  In order to be implementable, companion
   specifications are necessary to provide the corresponding concrete
   instantiations.


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-assertions

There's also a htmlized version available at:
http://tools.ietf.org/html/draft-ietf-oauth-assertions-06

A diff from the previous version is available at:
http://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-assertions-06


Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/



[OAUTH-WG] I-D Action: draft-ietf-oauth-jwt-bearer-02.txt

2012-09-14 Thread internet-drafts

A New Internet-Draft is available from the on-line Internet-Drafts directories.
 This draft is a work item of the Web Authorization Protocol Working Group of 
the IETF.

Title   : JSON Web Token (JWT) Bearer Token Profiles for OAuth 2.0
Author(s)   : Michael B. Jones
  Brian Campbell
  Chuck Mortimore
Filename: draft-ietf-oauth-jwt-bearer-02.txt
Pages   : 11
Date: 2012-09-14

Abstract:
   This specification defines the use of a JSON Web Token (JWT) Bearer
   Token as a means for requesting an OAuth 2.0 access token as well as
   for use as a means of client authentication.


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-jwt-bearer

There's also a htmlized version available at:
http://tools.ietf.org/html/draft-ietf-oauth-jwt-bearer-02

A diff from the previous version is available at:
http://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-jwt-bearer-02


Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/



[OAUTH-WG] I-D Action: draft-ietf-oauth-saml2-bearer-14.txt

2012-09-14 Thread internet-drafts

A New Internet-Draft is available from the on-line Internet-Drafts directories.
 This draft is a work item of the Web Authorization Protocol Working Group of 
the IETF.

Title   : SAML 2.0 Bearer Assertion Profiles for OAuth 2.0
Author(s)   : Brian Campbell
  Chuck Mortimore
Filename: draft-ietf-oauth-saml2-bearer-14.txt
Pages   : 17
Date: 2012-09-14

Abstract:
   This specification defines the use of a SAML 2.0 Bearer Assertion as
   a means for requesting an OAuth 2.0 access token as well as for use
   as a means of client authentication.


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-saml2-bearer

There's also a htmlized version available at:
http://tools.ietf.org/html/draft-ietf-oauth-saml2-bearer-14

A diff from the previous version is available at:
http://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-saml2-bearer-14


Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/



[OAUTH-WG] New assertion drafts published

2012-09-14 Thread Brian Campbell
New versions of the three OAuth assertion related drafts have been
published. The documents are available in the usual locations:

Assertion Framework for OAuth 2.0
http://tools.ietf.org/html/draft-ietf-oauth-assertions-06

SAML 2.0 Bearer Assertion Profiles for OAuth 2.0
http://tools.ietf.org/html/draft-ietf-oauth-saml2-bearer-14

JSON Web Token (JWT) Bearer Token Profiles for OAuth 2.0
http://tools.ietf.org/html/draft-ietf-oauth-jwt-bearer-02

Text was added to the introduction of all three further explaining that an
assertion grant type can be used with or without client
authentication/identification and that client assertion authentication is
nothing more than an alternative way for a client to authenticate to the
token endpoint. Two new examples were added to each of the JWT and SAML
drafts. References were updated in all three.

Hopefully now draft-ietf-oauth-assertions-06 and
draft-ietf-oauth-saml2-bearer-14 are ready to go to WGLC.

Thanks to Mike Jones for the preliminary review and updates/fixes.

Regards,
Brian Campbell