Re: [OAUTH-WG] 2 Leg with OAuth 2.0

2011-11-29 Thread William Mills
MAC would be more appropriate in my opinion for this.  




 From: Eran Hammer-Lahav 
To: Brian Hawkins ; "oauth@ietf.org"  
Sent: Tuesday, November 29, 2011 12:38 PM
Subject: Re: [OAUTH-WG] 2 Leg with OAuth 2.0
 

Both MAC and Bearer work in this setup, just think of them as HMAC-SHA-1 and 
PLAINTEXT in OAuth 1.0. In Bearer, your token is the client secret and in MAC, 
the client secret is the key.
 
EHL
 
From:oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf Of Brian 
Hawkins
Sent: Tuesday, November 29, 2011 12:28 PM
To: oauth@ietf.org
Subject: Re: [OAUTH-WG] 2 Leg with OAuth 2.0
 
Maybe I'm making this harder than it should be.  
 
Here is the situation:  Site A and B both trust each other.  Site A needs to 
update user information at site B.
 
With OAuth 1.0 Site A would use its consumer key and secret to sign the update 
call to Site B (no access token involved).  Only one message is sent.
 
The closest I can come to the above with OAuth 2.0 is to use the MAC token 
scheme and sign the request with the consumer secret.  Is that valid?  I kind 
of get the idea that the protocol doesn't care.
 
It feels like the bearer scheme just doesn't work for what I'm trying to do.
 
Thanks
 
Brian
On Tue, Nov 29, 2011 at 1:06 PM, Eran Hammer-Lahav  wrote:
This functionality can be implemented in two main ways:
 
1.   Using the client credentials flow to get an access token, then using 
the protocol as usual
2.   Just using the Bearer (over SSL) or MAC token schemes without the rest 
of OAuth
 
EHL
 
From:oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf Of Brian 
Hawkins
Sent: Tuesday, November 29, 2011 11:49 AM
To: oauth@ietf.org
Subject: [OAUTH-WG] 2 Leg with OAuth 2.0
 
I'm having trouble finding information on how to do 2leg authentication with 
OAuth 2.0.  Does it even support it?
 
Thanks
Brian
 
___
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth


Re: [OAUTH-WG] 2 Leg with OAuth 2.0

2011-11-29 Thread William Mills
This isn't really OAuth, this is a trust relationship between A and B.  OAuth 
is providing an avenue for the user to approve access because the user owns the 
resource.  That's why this doesn't really fit what you are trying to do.


You could use MAC signatures to secure the transactions with a shared secret, 
sure.  Just decide on a single (or pair) of secrets to use in all cases one for 
the client and one for the "user" secret, which isn't really a user secret, 
it's your global shared secret.

-bill




 From: Brian Hawkins 
To: "oauth@ietf.org"  
Sent: Tuesday, November 29, 2011 12:27 PM
Subject: Re: [OAUTH-WG] 2 Leg with OAuth 2.0
 

Maybe I'm making this harder than it should be.  

Here is the situation:  Site A and B both trust each other.  Site A needs to 
update user information at site B.

With OAuth 1.0 Site A would use its consumer key and secret to sign the update 
call to Site B (no access token involved).  Only one message is sent.

The closest I can come to the above with OAuth 2.0 is to use the MAC token 
scheme and sign the request with the consumer secret.  Is that valid?  I kind 
of get the idea that the protocol doesn't care.

It feels like the bearer scheme just doesn't work for what I'm trying to do.

Thanks

Brian


On Tue, Nov 29, 2011 at 1:06 PM, Eran Hammer-Lahav  wrote:

>This functionality can be implemented in two main ways:
> 
>1.   Using the client credentials flow to get an access token, then using 
>the protocol as usual
>2.   Just using the Bearer (over SSL) or MAC token schemes without the 
>rest of OAuth
> 
>EHL
> 
>From:oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf Of Brian 
>Hawkins
>Sent: Tuesday, November 29, 2011 11:49 AM
>To: oauth@ietf.org
>Subject: [OAUTH-WG] 2 Leg with OAuth 2.0
> 
>I'm having trouble finding information on how to do 2leg authentication with 
>OAuth 2.0.  Does it even support it?
> 
>Thanks
>Brian



Re: [OAUTH-WG] 2 Leg with OAuth 2.0

2011-11-29 Thread Eran Hammer-Lahav
Both MAC and Bearer work in this setup, just think of them as HMAC-SHA-1 and 
PLAINTEXT in OAuth 1.0. In Bearer, your token is the client secret and in MAC, 
the client secret is the key.

EHL

From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf Of Brian 
Hawkins
Sent: Tuesday, November 29, 2011 12:28 PM
To: oauth@ietf.org
Subject: Re: [OAUTH-WG] 2 Leg with OAuth 2.0

Maybe I'm making this harder than it should be.

Here is the situation:  Site A and B both trust each other.  Site A needs to 
update user information at site B.

With OAuth 1.0 Site A would use its consumer key and secret to sign the update 
call to Site B (no access token involved).  Only one message is sent.

The closest I can come to the above with OAuth 2.0 is to use the MAC token 
scheme and sign the request with the consumer secret.  Is that valid?  I kind 
of get the idea that the protocol doesn't care.

It feels like the bearer scheme just doesn't work for what I'm trying to do.

Thanks

Brian
On Tue, Nov 29, 2011 at 1:06 PM, Eran Hammer-Lahav <e...@hueniverse.com> wrote:
This functionality can be implemented in two main ways:


1.   Using the client credentials flow to get an access token, then using 
the protocol as usual

2.   Just using the Bearer (over SSL) or MAC token schemes without the rest 
of OAuth

EHL

From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf Of 
Brian Hawkins
Sent: Tuesday, November 29, 2011 11:49 AM
To: oauth@ietf.org
Subject: [OAUTH-WG] 2 Leg with OAuth 2.0

I'm having trouble finding information on how to do 2leg authentication with 
OAuth 2.0.  Does it even support it?

Thanks
Brian

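
The Bearer versus MAC distinction from the message above, as an added Python example (not code from any poster or from the OAuth drafts). It assumes HMAC-SHA-256, a simplified signing string rather than the MAC draft's exact normalization, and constructed names and secret values.

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample values: the secret Site A and Site B share out of band.
CLIENT_ID = "site-a"
SHARED_SECRET = b"constructed-demo-secret-not-for-production"
MAX_SKEW = 300  # seconds a signed request stays acceptable


def _signing_string(ts, nonce, method, path, host, body):
    # Simplified layout (assumption), not the MAC draft's exact normalization.
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([str(ts), nonce, method.upper(), path, host.lower(), body_hash]).encode()


def sign_request(method, path, host, body, key=SHARED_SECRET, now=None):
    """Site A: the secret is the HMAC key and never travels with the request."""
    ts = int(now if now is not None else time.time())
    nonce = secrets.token_hex(8)
    mac = hmac.new(key, _signing_string(ts, nonce, method, path, host, body), hashlib.sha256).hexdigest()
    return {"id": CLIENT_ID, "ts": ts, "nonce": nonce, "mac": mac}


def verify_request(auth, method, path, host, body, seen_nonces, key=SHARED_SECRET, now=None):
    """Site B: recompute the MAC, then enforce freshness and one-time nonces."""
    now = int(now if now is not None else time.time())
    expected = hmac.new(key, _signing_string(auth["ts"], auth["nonce"], method, path, host, body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, auth["mac"]):
        return "bad-mac"        # wrong key, or the request was altered in transit
    if abs(now - auth["ts"]) > MAX_SKEW:
        return "stale"          # outside the accepted clock window
    if (auth["id"], auth["nonce"]) in seen_nonces:
        return "replay"         # same signed request presented twice
    seen_nonces.add((auth["id"], auth["nonce"]))
    return "ok"


def verify_bearer(presented, expected=SHARED_SECRET):
    """Bearer/PLAINTEXT analogue: the secret itself is presented, so the check
    proves possession only and is not bound to the request contents."""
    return hmac.compare_digest(presented, expected)
```

With Bearer the secret is on the wire in every request, which is why the thread pairs it with SSL; with MAC only the per-request signature is sent.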


Re: [OAUTH-WG] 2 Leg with OAuth 2.0

2011-11-29 Thread Brian Hawkins
Maybe I'm making this harder than it should be.

Here is the situation:  Site A and B both trust each other.  Site A needs
to update user information at site B.

With OAuth 1.0 Site A would use its consumer key and secret to sign the
update call to Site B (no access token involved).  Only one message is sent.

The closest I can come to the above with OAuth 2.0 is to use the MAC token
scheme and sign the request with the consumer secret.  Is that valid?  I
kind of get the idea that the protocol doesn't care.

It feels like the bearer scheme just doesn't work for what I'm trying to do.

Thanks

Brian

On Tue, Nov 29, 2011 at 1:06 PM, Eran Hammer-Lahav wrote:

> This functionality can be implemented in two main ways:
>
> 1.   Using the client credentials flow to get an access token,
> then using the protocol as usual
>
> 2.   Just using the Bearer (over SSL) or MAC token schemes
> without the rest of OAuth
>
> EHL
>
> From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf
> Of Brian Hawkins
> Sent: Tuesday, November 29, 2011 11:49 AM
> To: oauth@ietf.org
> Subject: [OAUTH-WG] 2 Leg with OAuth 2.0
>
> I'm having trouble finding information on how to do 2leg authentication
> with OAuth 2.0.  Does it even support it?
>
> Thanks
>
> Brian
>


Re: [OAUTH-WG] 2 Leg with OAuth 2.0

2011-11-29 Thread Brian Campbell
Or using the SAML or JWT grants to get an access token, then using the
protocol as usual.


On Tue, Nov 29, 2011 at 1:06 PM, Eran Hammer-Lahav  wrote:
> This functionality can be implemented in two main ways:
>
>
>
> 1.   Using the client credentials flow to get an access token, then
> using the protocol as usual
>
> 2.   Just using the Bearer (over SSL) or MAC token schemes without the
> rest of OAuth
>
>
>
> EHL
>
>
>
> From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf Of
> Brian Hawkins
> Sent: Tuesday, November 29, 2011 11:49 AM
> To: oauth@ietf.org
> Subject: [OAUTH-WG] 2 Leg with OAuth 2.0
>
>
>
> I'm having trouble finding information on how to do 2leg authentication with
> OAuth 2.0.  Does it even support it?
>
>
>
> Thanks
>
> Brian
>
>


Re: [OAUTH-WG] 2 Leg with OAuth 2.0

2011-11-29 Thread Eran Hammer-Lahav
This functionality can be implemented in two main ways:


1.   Using the client credentials flow to get an access token, then using 
the protocol as usual

2.   Just using the Bearer (over SSL) or MAC token schemes without the rest 
of OAuth

EHL

From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf Of Brian 
Hawkins
Sent: Tuesday, November 29, 2011 11:49 AM
To: oauth@ietf.org
Subject: [OAUTH-WG] 2 Leg with OAuth 2.0

I'm having trouble finding information on how to do 2leg authentication with 
OAuth 2.0.  Does it even support it?

Thanks
Brian


Re: [OAUTH-WG] 2 Leg with OAuth 2.0

2011-11-29 Thread Phil Hunt
This diagram may be out of date, but I found it useful early on to understand 
the multiple flows and "legs" of OAuth.

http://www.independentid.com/2011/03/oauth-flows-extended.html

The question of "legs" (or parties as some prefer) depends on what you have and 
what you need.

Take a look at Implicit (4.2) and Resource Owner (4.3) flows for some examples 
of 2-leg flows using passwords. There are others for different types of grants.

Phil

@independentid
www.independentid.com
phil.h...@oracle.com





On 2011-11-29, at 11:53 AM, Peter Saint-Andre wrote:

> On 11/29/11 12:49 PM, Brian Hawkins wrote:
>> I'm having trouble finding information on how to do 2leg authentication
>> with OAuth 2.0.  Does it even support it?
> 
> This issue comes up often enough that it deserves to be in a FAQ.
> 
> Peter
> 
> -- 
> Peter Saint-Andre
> https://stpeter.im/
> 
> 


Re: [OAUTH-WG] 2 Leg with OAuth 2.0

2011-11-29 Thread Peter Saint-Andre
On 11/29/11 12:49 PM, Brian Hawkins wrote:
> I'm having trouble finding information on how to do 2leg authentication
> with OAuth 2.0.  Does it even support it?

This issue comes up often enough that it deserves to be in a FAQ.

Peter

-- 
Peter Saint-Andre
https://stpeter.im/

