Re: [OAUTH-WG] Using structured access_token as grant type in assertion flow

2012-12-14 Thread Nat Sakimura 
If I understand correctly, there are multiple devices with clients with the
same client_id involved and you want to revoke individual devices when
needed. You also do not want to store the password.

In a sense, the JWT is working like a device specific password with
distributed verifier. This is a valid and potentially a common pattern.

=nat via iPhone

Dec 15, 2012 6:15、Brian Campbell  のメッセージ:

Maybe I'm missing the bigger picture but, if your going back to the same AS
like the diagram shows, why not just request the xyz scope in the initial
request and cut out the middle steps?

More generally I can say I've thought about these kinds of token exchange
cases and they should be possible in theory. In practice I expect getting
everything to work and validate correctly with respect to scopes and
audience values might be a little tricky.


On Mon, Dec 10, 2012 at 7:34 AM, Lewis Adam-CAL022 <
adam.le...@motorolasolutions.com> wrote:

> Hi,
>
> I continue to have an interest in the OAuth assertion profiles for my use
> cases.  I'm wondering if the idea of performing a first OAuth dance which
> returns to the client a structured JWT access token (with scope=AS for
> example) could then be used as the JWT in an assertion grant type?  So
> something like this (I show the RO credential flow since it is the simplest
> to draw, but same idea for the code flow):
>
>
> Client  AS
> |   |
> |>| (authorization request scope=AS, grant_type=RO
> password credentials)
> |   |
> |<| (token response with access_token scoped to AS)
> |   |
> |>| (authorization request, scope=xyz, grant_type=JWT
> assertion as obtained from previous step)
> |   |
> |<| (token response with access token scoped to xyz)
>
>
>
> I suppose there is nothing in theory which should prevent this, but I am
> wondering if anybody else has thought of such a usage.
>
>
> ___
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>

___
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
___
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

Re: [OAUTH-WG] Using structured access_token as grant type in assertion flow

2012-12-14 Thread Brian Campbell 
Maybe I'm missing the bigger picture but, if your going back to the same AS
like the diagram shows, why not just request the xyz scope in the initial
request and cut out the middle steps?

More generally I can say I've thought about these kinds of token exchange
cases and they should be possible in theory. In practice I expect getting
everything to work and validate correctly with respect to scopes and
audience values might be a little tricky.


On Mon, Dec 10, 2012 at 7:34 AM, Lewis Adam-CAL022 <
adam.le...@motorolasolutions.com> wrote:

> Hi,
>
> I continue to have an interest in the OAuth assertion profiles for my use
> cases.  I'm wondering if the idea of performing a first OAuth dance which
> returns to the client a structured JWT access token (with scope=AS for
> example) could then be used as the JWT in an assertion grant type?  So
> something like this (I show the RO credential flow since it is the simplest
> to draw, but same idea for the code flow):
>
>
> Client  AS
> |   |
> |>| (authorization request scope=AS, grant_type=RO
> password credentials)
> |   |
> |<| (token response with access_token scoped to AS)
> |   |
> |>| (authorization request, scope=xyz, grant_type=JWT
> assertion as obtained from previous step)
> |   |
> |<| (token response with access token scoped to xyz)
>
>
>
> I suppose there is nothing in theory which should prevent this, but I am
> wondering if anybody else has thought of such a usage.
>
>
> ___
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
___
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

Re: [OAUTH-WG] Last Call: (Assertion Framework for OAuth 2.0) to Proposed Standard

2012-12-14 Thread Nat Sakimura 
FYI, I have been writing HoK for JWT/JWS Token by introducing a new claim
'cid'.

=nat via iPhone

Dec 14, 2012 11:56、"zhou.suj...@zte.com.cn"  のメッセ�`ジ:


Yep, could do it soon later.

Currently, I suggest a modification for

 "The token service is the assertion issuer; its  role is to fulfill
requests from clients, which present various
 credentials, and mint assertions as requested, fill them with  appropriate
information, and sign them."  (in  section 3 )

into

 "The token service is the assertion issuer, *it could be implemented in
any entity besides client, e.g., Resource Owner, Authorization Server;* its
 role is to fulfill requests from clients, which present various
 credentials, and mint assertions as requested, fill them with  appropriate
information, and sign them."



Chuck Mortimore  写于 2012-12-14 10:44:05:

> Correct.   That said no one has yet profiled it for holder of key
>
> - cmort
>
> On Dec 13, 2012, at 6:39 PM, "zhou.suj...@zte.com.cn" <
zhou.suj...@zte.com.cn
> > wrote:

>
> Oh, But the description of assertion generation in the document
> should not be limited by bear assertion, right?
>
>
> Chuck Mortimore  写于 2012-12-14 10:34:13:
>
> > You want a holder of key pattern.  The draft touches on it
> >
> >
> >The protocol parameters and processing rules defined in this document
> >are intended to support a client presenting a bearer assertion to an
> >authorization server.  The use of holder-of-key assertions are not
> >precluded by this document, but additional protocol details would
> >need to be specified.
>
> >
> > So - if you want this, you should put forth a holder of key
> > profiling of this draft and see if there are any issues.   The only
> > profiles we have thus far are saml and jwt bearer assertions.
> >
> >
> > - cmort
> >
> > On Dec 13, 2012, at 6:27 PM, "zhou.suj...@zte.com.cn"  suj...@zte.com.cn
> > > wrote:
>
> >
> > I am not sure if the following usecase  http://www.ietf.org/mail-
> > archive/web/oauth/current/msg10233.html
> > could be supported by assertion framework,
> > We have some discussion in
> > http://www.ietf.org/mail-archive/web/oauth/current/msg10203.html
> > http://www.ietf.org/mail-archive/web/oauth/current/msg10198.html
> >
> > In my use case or in some other cases, assertions don't need
> > confidential protection,
> > basically STS don't have to authenticate a client before issueing
> > "assertion", if it could be called assertion here.
> >
> > Example,I trust my laywer, I may issue an "assertion" stating
> > delegation in advance, and send to the lawyer when it is needed,
> > it could be I give the assertion to a false lawyer, but it does not
> > matter, because the lawyer has to prove he knows some credential
> > corresponding to his ID,
> > who is delegated some rights.
> >
> > If assertion framework want to support this use case, then
> > generation of assertion should be relaxed,
> > otherwise new work is required to support the use case.
> >
> >
> >
> > Chuck Mortimore  写于 2012-12-14 10:08:34:
> >
> > > On Dec 13, 2012, at 4:30 PM, "zhou.suj...@zte.com.cn"  > suj...@zte.com.cn
> > > > wrote:
> >
> > >
> > > From the language, I got an impression that assertion is only
> > > generated by token service after clients presenting some credentials,
> > > there are may be some cases that "assertion" don't need client's
> > credential.
> > > e.g., Resource owner as a token service  could generate "assertion"
> > > to a client he trusts, bu signing a statement that "This delegation
> > > is given to a client called clinet-id
> > > for doing something for me".
> > >
> > > So how does the STS trust the client?   Presumably if it is trusted
> > > it has some level of authentication, yes?
> > >
> > > -cmort
> > >
> > >
> > >
> > >
> > >
> > > Chuck Mortimore  写于 2012-12-14 00:39:03:
> > >
> > > > The language is simply meant to help illustrate how the framework
> > > > might be used.   How do you think it will restrict usage?   How
> > > > could it be improved?
> > > >
> > > > -cmort
> > > >
> > > > On Dec 12, 2012, at 11:04 PM,  wrote:
> > > >
> > > >
> > > > In "section 3
> > > >  The token service is the assertion issuer; its
> > > >  role is to fulfill requests from clients, which present various
> > > >  credentials, and mint assertions as requested, fill them with
> > > >  appropriate information, and sign them."
> > > >
> > > >
> > > > As I understand, an assertion generated by a STS, is done flollowing
> > > > thess steps:
> > > > 1. Client presents credential and requests an assertion
> > > > 2. STS generates assertion and sends to Client
> > > > Correct?
> > > >
> > > > That may restrict the use cases that this assertion framework
> > > could support,
> > > > is it a must?
> > > >
> > > >
> > > >
> > > >
> > > > oauth-boun...@ietf.org 写于 2012-12-11 02:33:57:
> > > >
> > > > >
> > > > > The IESG has received a request from the Web Authorization
Protocol WG
> > > > > (oauth) to consider the following document:
> > > > > - 'Asser