Re: [OAUTH-WG] Resource owner initiated OAuth delegation

2012-10-07 Thread Prabath Siriwardena
Hi Zhou,

Even though client_id is public, it needs to be passed from the
Authorization Server to the Resource Server. This does not happen in the
normal OAuth flow, which only returns the access_token.

Please let me know if you need any further clarifications...

Thanks & regards,
-Prabath


Re: [OAUTH-WG] Resource owner initiated OAuth delegation

2012-10-07 Thread zhou.sujing
Hi, Prabath

 I have read your proposal, and have some questions:

  Why does the RS need to get an access token at the client registration stage,
  and why does the RS need to get the client-id from the AS by exchanging the
access token (isn't the client-id public?)
 





Re: [OAUTH-WG] Resource owner initiated OAuth delegation

2012-10-07 Thread Prabath Siriwardena
Hi Zhou,

Nice to see some common interest on this. Sure, I will go through your
proposal.

Please find my proposal here [1]. I've added the complete token flow there,
introducing a new grant type.

[1]:
http://blog.facilelogin.com/2012/10/proposal-resource-owner-initiated.html

Thanks & regards,
-Prabath


-- 
Thanks & Regards,
Prabath

Mobile : +94 71 809 6732

http://blog.facilelogin.com
http://RampartFAQ.com


Re: [OAUTH-WG] Resource owner initiated OAuth delegation

2012-10-07 Thread zhou.sujing
Hi, Prabath

  I am also thinking about this subject, and have published a draft on it:
http://tools.ietf.org/id/draft-zhou-oauth-owner-auth-00.txt
  I'd like to have your opinion.
 





Re: [OAUTH-WG] Resource owner initiated OAuth delegation

2012-10-07 Thread Prabath Siriwardena
Hi Eve,

Thanks for the pointers. I've been following the work done in UMA. Sure,
I will join the webinar.

BTW, I am not quite sure UMA addresses my use case. Even in the case of
UMA it's client-initiated or requestor-initiated.

Please correct me if I am wrong, but in the OAuth specification there are no
restrictions on identifying the 'client' as a person, an organization or as
himself.

In my view this is an extended grant type, which has two phases:

1. The resource owner grants access to a selected client.
2. The client requests the already available access token for him from the
Authorization Server (just like passing the refresh_token).

WDYT?

Thanks & regards,
-Prabath



-- 
Thanks & Regards,
Prabath

Mobile : +94 71 809 6732

http://blog.facilelogin.com
http://RampartFAQ.com


Re: [OAUTH-WG] Resource owner initiated OAuth delegation

2012-10-07 Thread Eve Maler
Hi Prabath,

As far as I know, OAuth itself generally isn't used to let one human resource 
owner delegate access to a different human resource owner. However, UMA (which 
leverages OAuth) does strive to solve exactly this use case, among other 
similar ones; we call this one "person-to-person sharing", and you can read 
more about it here: 
http://docs.kantarainitiative.org/uma/draft-uma-trust.html#anchor1

The UMA flow at run time still ends up being effectively "client-initiated" (we 
would say requesting-party-initiated, using a requester app) because the 
original resource owner (we call it an authorizing party) is no longer around 
by then. The authz party would set up policies at some point before going on 
vacation, and these policies would enable the requesting party to "qualify in" 
for access at run time, by supplying identity claims that get used in an 
authorization check by the authz server (authz manager).

We'll be walking through UMA flows and demoing an extensive use case at a 
webinar on Wed, Oct 17. More info is here: http://tinyurl.com/umawg

Hope this helps,

Eve

On 6 Oct 2012, at 10:29 AM, Prabath Siriwardena  wrote:

> Hi folks,
> 
> I would like to know your thoughts on the $subject..
> 
> For me it looks like a concrete use case which OAuth conceptually does
> address, but which the protocol does not define well.
> 
> Please find [1] for further details...
> 
> [1]: 
> http://blog.facilelogin.com/2012/10/ationwhat-oauth-lacks-resource-owner.html
> 
> --
> Thanks & Regards,
> Prabath
> 
> Mobile : +94 71 809 6732
> 
> http://blog.facilelogin.com
> http://RampartFAQ.com
> ___
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth


Eve Maler  http://www.xmlgrrl.com/blog
+1 425 345 6756 http://www.twitter.com/xmlgrrl


___
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
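The two delegation patterns discussed in this thread, as an added example that is not part of the original e-mails, of Prabath's proposal or of the UMA drafts: a toy Python authorization server in which (a) the resource owner pre-authorizes a named client while present and the client collects the token later in a second step, as in the two-phase grant type Prabath sketches in his reply to Eve, and (b) the owner sets a standing policy that a requesting party satisfies at run time by presenting claims, as in Eve's description of the UMA run-time check. All client names, secrets, scopes and claims are constructed for illustration; the introspection response is loosely modelled on OAuth token introspection (RFC 7662, standardized later) and is not taken from either proposal.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class Token:
    value: str        # opaque bearer value handed to the client
    client_id: str    # client the token was issued to
    subject: str      # party the token acts for (owner or requesting party)
    scope: frozenset


class AuthorizationServer:
    """Toy AS modelling both patterns from the thread; constructed, not real code."""

    def __init__(self):
        self._clients = {}   # client_id (public) -> sha256(client_secret)
        self._grants = {}    # (owner, client_id) -> scope granted in phase 1
        self._policies = {}  # (owner, resource_id) -> claims a requester must show
        self._tokens = {}    # token value -> Token

    def register_client(self, client_id, client_secret):
        self._clients[client_id] = hashlib.sha256(client_secret.encode()).digest()

    def _client_ok(self, client_id, client_secret):
        stored = self._clients.get(client_id)
        if stored is None:
            return False
        presented = hashlib.sha256(client_secret.encode()).digest()
        return hmac.compare_digest(stored, presented)   # constant-time compare

    def _issue(self, client_id, subject, scope):
        tok = Token(secrets.token_urlsafe(32), client_id, subject, frozenset(scope))
        self._tokens[tok.value] = tok
        return tok

    # (a) resource-owner-initiated delegation, two phases
    def grant_to_client(self, owner, client_id, scope):
        """Phase 1: the owner, while present, selects a registered client."""
        if client_id not in self._clients:
            raise KeyError("unknown client_id")
        self._grants[(owner, client_id)] = frozenset(scope)

    def redeem_grant(self, client_id, client_secret, owner):
        """Phase 2: the client later collects the token granted to it. client_id
        is public, so the client must authenticate here or anyone could redeem."""
        if not self._client_ok(client_id, client_secret):
            return None
        scope = self._grants.get((owner, client_id))
        return None if scope is None else self._issue(client_id, owner, scope)

    # (b) UMA-style: policy set up in advance, claims checked at run time
    def set_policy(self, owner, resource_id, required_claims):
        self._policies[(owner, resource_id)] = dict(required_claims)

    def request_access(self, client_id, client_secret, owner, resource_id, claims):
        """The owner is offline; the requesting party qualifies in with claims
        (assumed already verified by whoever issued them)."""
        if not self._client_ok(client_id, client_secret) or "sub" not in claims:
            return None
        policy = self._policies.get((owner, resource_id))
        if policy is None or any(claims.get(k) != v for k, v in policy.items()):
            return None
        return self._issue(client_id, claims["sub"], {resource_id})

    def introspect(self, token_value):
        """What a resource server can learn by asking the AS about a token."""
        tok = self._tokens.get(token_value)
        if tok is None:
            return {"active": False}
        return {"active": True, "client_id": tok.client_id,
                "sub": tok.subject, "scope": sorted(tok.scope)}


def demo():
    """Constructed walk-through; names, secrets and scopes are made up."""
    az = AuthorizationServer()
    az.register_client("calendar-app", "s3cret")
    az.register_client("photo-viewer", "other")

    # (a) alice grants calendar-app read access before leaving; the app collects later
    az.grant_to_client("alice", "calendar-app", {"calendar:read"})
    good = az.redeem_grant("calendar-app", "s3cret", "alice")
    bad_secret = az.redeem_grant("calendar-app", "guess", "alice")  # id alone is not enough
    no_grant = az.redeem_grant("photo-viewer", "other", "alice")    # never selected by alice

    # (b) alice's standing policy: verified example.org users may read her photos
    az.set_policy("alice", "photos", {"email_domain": "example.org"})
    bob = az.request_access("photo-viewer", "other", "alice", "photos",
                            {"sub": "bob", "email_domain": "example.org"})
    mallory = az.request_access("photo-viewer", "other", "alice", "photos",
                                {"sub": "mallory", "email_domain": "evil.test"})
    return {"good": az.introspect(good.value), "bad_secret": bad_secret,
            "no_grant": no_grant, "bob": az.introspect(bob.value), "mallory": mallory}


if __name__ == "__main__":
    print(demo())
```

Two points the model makes concrete. First, Zhou's question about client_id being public is exactly why phase 2 of pattern (a) has to authenticate the client with something the AS can verify (here a secret, in practice a client credential or signed assertion): a token that was pre-granted to an identifier anyone can read would otherwise be collectable by anyone who learns that identifier. Second, in pattern (b) the claims are assumed to have been verified before they reach the AS; a real deployment would accept them as signed assertions from an identity provider, not as a bare dictionary.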


Re: [OAUTH-WG] Agenda for Atlanta Meeting

2012-10-07 Thread Zeltsan, Zachary (Zachary)
+1

Zachary

-Original Message-
From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf Of Phil 
Hunt
Sent: Saturday, October 06, 2012 2:54 PM
To: Torsten Lodderstedt
Cc: oauth@ietf.org WG
Subject: Re: [OAUTH-WG] Agenda for Atlanta Meeting

+1

Phil

On 2012-10-06, at 10:07, Torsten Lodderstedt  wrote:

> fine for me
> 
> Am 05.10.2012 10:03, schrieb Hannes Tschofenig:
>> Hi all,
>> 
>> here is an agenda proposal for the Atlanta IETF meeting:
>> (The indicated names are proposals.)
>> 
>> --
>> Agenda:
>> 
>> 1. Status Update, Agenda Bashing (Chairs)
>> 2. Token Revocation (Torsten)
>> 3. Assertions (Brian + Mike)
>> 4. OAuth Use Cases (Zachary)
>> 5. JWT (Mike)
>> 6. Security (Phil)
>> 7. Dynamic Client Registration (Thomas)
>> 8. Roadmap
>> --
>> 
>> In the last item we would like to discuss the bigger picture of how to get 
>> OAuth 2.0 deployment improved. There are at least 2 parts to this, namely 
>> (a) what other specifications do we need to work on, and (b) how do we 
>> improve interoperability.
>> 
>> Let us know whether you think that this fits your needs.
>> 
>> Ciao
>> Hannes & Derek
>> 
>> PS: I am hoping to see draft updates of the WG items soon.
>> 
>> ___
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
> 
> ___
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
___
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth