Re: [OAUTH-WG] Is User Agent Profile Secure in OAuth 2.0?

2010-08-03 Thread Michael D Adams
On Tue, Aug 3, 2010 at 8:56 PM, Oleg Gryb wrote: > I see your point, but let me try to eliminate the call to rpc_relay.html at > all. > After all, the ultimate goal is not to receive an access token, but a resource > protected by that token. The goal is to allow the user to delegate to thirdpart

Re: [OAUTH-WG] Is User Agent Profile Secure in OAuth 2.0?

2010-08-03 Thread Eran Hammer-Lahav
The HTTPbis WG is tasked with cleaning up the HTTP 1.1 specification and making corrections where needed to reflect how the protocol is actually deployed. Allowing fragments in the Location header is one such adjustment. HTTPbis is considered the authority on HTTP and even though the work is sti

Re: [OAUTH-WG] SAML 2.0 Bearer Assertion Profile for OAuth 2.0 draft

2010-08-03 Thread Eran Hammer-Lahav
The single assertion use case is well defined. If you need to support multiple assertions in a single request, you will need to define a way to group them together and include them using the single assertion parameter or define an extension for additional assertions. Either way, this sounds like

Re: [OAUTH-WG] OAuth & Protected feeds

2010-08-03 Thread William Mills
At the very least we need to minimize the hoops the client needs to jump through. The resource server advertising endpoints allows a simple way to minimize on one path. > -Original Message- > From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] > On Behalf Of Manger, James H > S

Re: [OAUTH-WG] Is User Agent Profile Secure in OAuth 2.0?

2010-08-03 Thread Luke Shepard
Hi Oleg, If you want to send an access token directly to the server, we have the web server flow designed to do that. The JS redirect or Ajax call is just a more complicated way to send the token to the server. The user-agent flow is intended for use where the resource needs to be accessed dire

Re: [OAUTH-WG] Is User Agent Profile Secure in OAuth 2.0?

2010-08-03 Thread Oleg Gryb
> From: Brian Eaton > HTTP/1.1 302 Moved Temporarily > Location: http://www.thirdparty.com/rpc_relay.html#access_token=12345 > > rpc_relay.html is highly cached in the browser, so instead of > incurring hundreds of ms to fetch a file, the data lands in the > third-party.com javascript in

Re: [OAUTH-WG] OAuth & Protected feeds

2010-08-03 Thread Manger, James H
Torsten, >> This example illustrates that OAuth2 discovery needs to let a service >> explicitly indicate whether a direct and/or user-delegation flow is required. >> For instance, a "WWW-Authenticate: OAuth2" response could define 2 >> parameters: >> 'user-uri' and 'token-uri'. If only one is pre

Re: [OAUTH-WG] SAML 2.0 Bearer Assertion Profile for OAuth 2.0 draft

2010-08-03 Thread Anthony Nadalin
This is a use case we are seeing from the various government agencies (UK, USA, BC), I agree it adds complexity but with having to satisfy several claims (i.e. over 21 and being a resident of state) this seems to be pretty common these days. -Original Message- From: Brian Campbell [mailto:

Re: [OAUTH-WG] Is User Agent Profile Secure in OAuth 2.0?

2010-08-03 Thread Oleg Gryb
- Original Message > From: John Kemp > And I guess that actually the URI spec itself has been updated since RFC2616 >(see RFC3986) and now has the fragment part included in the generic syntax ;) I don't see it in RFC3986: absolute-URI = scheme ":" hier-part [ "?" query ] Where

Re: [OAUTH-WG] Is User Agent Profile Secure in OAuth 2.0?

2010-08-03 Thread John Kemp
On Aug 3, 2010, at 2:44 PM, Oleg Gryb wrote: > > Definition of absoluteURI in RFC2396 doesn't include fragment. Fragment is > explicitly defined in URI-reference only. Yes. you're right. My mistake. > > URI-reference = [ absoluteURI | relativeURI ] [ "#" fragment ] > > If authors wanted to

Re: [OAUTH-WG] Is User Agent Profile Secure in OAuth 2.0?

2010-08-03 Thread Brian Eaton
On Tue, Aug 3, 2010 at 12:44 PM, Yoav Nir wrote: > So if the browser works correctly (instead of what the python library does, > then thirdparty.com sees only "GET rpc_relay.html", while the javascript > also gets the "access_token=12345". In the average case, thirdparty.com doesn't even see GET

Re: [OAUTH-WG] Is User Agent Profile Secure in OAuth 2.0?

2010-08-03 Thread Brian Eaton
Yoav - You can take a look at this as a starting point: http://trac.tools.ietf.org/wg/oauth/trac/raw-attachment/wiki/SecurityConsiderations/OAuthWRAP2.0SecurityConsiderations.pdf On Tue, Aug 3, 2010 at 1:38 PM, Marius Scurtescu wrote: > On Tue, Aug 3, 2010 at 1:28 PM, Yoav Nir wrote: >> >> On

Re: [OAUTH-WG] Is User Agent Profile Secure in OAuth 2.0?

2010-08-03 Thread Marius Scurtescu
On Tue, Aug 3, 2010 at 1:28 PM, Yoav Nir wrote: > > On Aug 3, 2010, at 11:18 PM, Marius Scurtescu wrote: > >> On Tue, Aug 3, 2010 at 12:44 PM, Yoav Nir wrote: >>> >>> On Aug 3, 2010, at 8:32 PM, Brian Eaton wrote: >>> >>> Please provide an example of code that you would put to thirdparty.com and

Re: [OAUTH-WG] Is User Agent Profile Secure in OAuth 2.0?

2010-08-03 Thread Yoav Nir
On Aug 3, 2010, at 11:18 PM, Marius Scurtescu wrote: > On Tue, Aug 3, 2010 at 12:44 PM, Yoav Nir wrote: >> >> On Aug 3, 2010, at 8:32 PM, Brian Eaton wrote: >> >> Please provide an example of code that you would put to thirdparty.com and >> that >> >> would not break the use cases. >> >> Tak

Re: [OAUTH-WG] Is User Agent Profile Secure in OAuth 2.0?

2010-08-03 Thread Marius Scurtescu
On Tue, Aug 3, 2010 at 12:44 PM, Yoav Nir wrote: > > On Aug 3, 2010, at 8:32 PM, Brian Eaton wrote: > > Please provide an example of code that you would put to thirdparty.com and > that > > would not break the use cases. > > Take a look at the facebook APIs, in particular the cross-domain > commun

Re: [OAUTH-WG] SAML 2.0 Bearer Assertion Profile for OAuth 2.0 draft

2010-08-03 Thread Brian Campbell
Seems like a much more complicated scenario. Allowing more than one assertion, off the top of my head, would necessitate some major changes to this profile: * Define how multiple assertions are encoded into the single "assertion" form control (samlp:Response, concatenated, something else?) * Deal

Re: [OAUTH-WG] Is User Agent Profile Secure in OAuth 2.0?

2010-08-03 Thread Yoav Nir
On Aug 3, 2010, at 8:32 PM, Brian Eaton wrote: Please provide an example of code that you would put to thirdparty.com and that would not break the use cases. Take a look at the facebook APIs, in particular the cross-domain communication schemes: http://wiki.developers.fa

Re: [OAUTH-WG] resource server id needed?

2010-08-03 Thread Eve Maler
The "scope flow" is intended to carry this information, and the authz manager/server compares the requested scope to a known mapping of protected resources to resource servers. (We're still working out details, and also trying to keep up with the changes to the OAuth2 substrate...) Eve

Re: [OAUTH-WG] Is User Agent Profile Secure in OAuth 2.0?

2010-08-03 Thread Oleg Gryb
- Original Message > From: John Kemp > To: Eran Hammer-Lahav > Cc: Oleg Gryb ; "oauth@ietf.org" > Sent: Tue, August 3, 2010 10:51:09 AM > Subject: Re: [OAUTH-WG] Is User Agent Profile Secure in OAuth 2.0? > > Yes, that's correct, as HTTP adopts the definition of 'absoluteURI' from

Re: [OAUTH-WG] Is User Agent Profile Secure in OAuth 2.0?

2010-08-03 Thread John Kemp
Yes, that's correct, as HTTP adopts the definition of 'absoluteURI' from the URI specification itself. It's just in the protocol itself that fragments are not sent. From RFC2616: "This specification adopts the definitions of "URI-reference", >"absoluteURI", "relativeURI", "port", "host","abs_p

Re: [OAUTH-WG] Is User Agent Profile Secure in OAuth 2.0?

2010-08-03 Thread Eran Hammer-Lahav
Fragments are perfectly valid in the Location header URI: http://tools.ietf.org/html/draft-ietf-httpbis-p2-semantics-10#section-9.4 EHL > -Original Message- > From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf > Of Oleg Gryb > Sent: Tuesday, August 03, 2010 10:34 AM >

Re: [OAUTH-WG] Is User Agent Profile Secure in OAuth 2.0?

2010-08-03 Thread Oleg Gryb
- Original Message > From: John Kemp > To: Brian Eaton > Cc: o...@gryb.info; oauth@ietf.org > Sent: Tue, August 3, 2010 10:24:19 AM > Subject: Re: [OAUTH-WG] Is User Agent Profile Secure in OAuth 2.0? > HTTP URIs should not, when participating in the HTTP protocol, send the >fragme

Re: [OAUTH-WG] Is User Agent Profile Secure in OAuth 2.0?

2010-08-03 Thread Brian Eaton
On Tue, Aug 3, 2010 at 9:59 AM, Oleg Gryb wrote: >> Question: why are you implementing the user-agent flow? > > It's not helpful. Doesn't answer the qs. The reason I asked is because I suspect you are trying to use the user-agent flow in a way very different from other people. It's important to

Re: [OAUTH-WG] Is User Agent Profile Secure in OAuth 2.0?

2010-08-03 Thread John Kemp
On Aug 2, 2010, at 11:31 PM, Brian Eaton wrote: > On Mon, Aug 2, 2010 at 6:15 PM, David Stanek wrote: > I just verified that the Python urllib client does send the fragment to the > server. I've created a patch and will be creating a bug on the Python tracker. > > Cool, but this doesn't seem rel

Re: [OAUTH-WG] Is User Agent Profile Secure in OAuth 2.0?

2010-08-03 Thread Oleg Gryb
> On Mon, Aug 2, 2010 at 10:21 PM, Oleg Gryb wrote: > > Returning to our discussion about necessity of passing access_token in >URL's > > fragment, I've read both your proposal for changing v.9 and the current > > v.10, but still don't understand why we need access_token in a fragment. > >

Re: [OAUTH-WG] Is User Agent Profile Secure in OAuth 2.0?

2010-08-03 Thread Oleg Gryb
- Original Message > From: Marius Scurtescu > To: Oleg Gryb > Cc: oauth@ietf.org > Sent: Tue, August 3, 2010 9:00:20 AM > Subject: Re: [OAUTH-WG] Is User Agent Profile Secure in OAuth 2.0? > > On Mon, Aug 2, 2010 at 10:21 PM, Oleg Gryb wrote: > > Brian, > > > > I think, it's not so

Re: [OAUTH-WG] Is User Agent Profile Secure in OAuth 2.0?

2010-08-03 Thread Marius Scurtescu
On Mon, Aug 2, 2010 at 10:21 PM, Oleg Gryb wrote: > Brian, > > I think, it's not so much about browsers written in Python, as about > automation (crawler) that somebody might want to use. The User-Agent profile cannot be used by crawlers, the end user needs to be present to approve. An autonomous

Re: [OAUTH-WG] Extensibility: new endpoints

2010-08-03 Thread Eran Hammer-Lahav
> -Original Message- > From: Torsten Lodderstedt [mailto:tors...@lodderstedt.net] > Sent: Tuesday, August 03, 2010 8:25 AM > To: Eran Hammer-Lahav > Cc: OAuth WG (oauth@ietf.org) > Subject: Re: [OAUTH-WG] Extensibility: new endpoints > > > > > The main problem is lack of authors/editors

Re: [OAUTH-WG] Extensibility: new endpoints

2010-08-03 Thread Torsten Lodderstedt
> >> > > The main problem is lack of authors/editors to put the work in, not lack of > ideas. I still hope to get the discovery spec finished in the same timeframe, > but have no plans to author or edit any other draft. Just to get this clear. Do you plan to author the discovery spec? And

Re: [OAUTH-WG] Extensibility: new endpoints

2010-08-03 Thread Eran Hammer-Lahav
> -Original Message- > From: Torsten Lodderstedt [mailto:tors...@lodderstedt.net] > Sent: Tuesday, August 03, 2010 7:00 AM > To: Eran Hammer-Lahav > Cc: OAuth WG (oauth@ietf.org) > Subject: Re: [OAUTH-WG] Extensibility: new endpoints > > I'm fine with specifying OAuth discovery in an add

Re: [OAUTH-WG] resource server id needed?

2010-08-03 Thread Torsten Lodderstedt
I mean address as in "uniquely label". Based on your explanation I assume you address resources instead of resource servers. Correct? What parameter of the end-user authorization flow is used to indicate the resource URL to the authz server? The scope? regards, Torsten. Am 02.08.2010 um 02:1

Re: [OAUTH-WG] Extensibility: new endpoints

2010-08-03 Thread Torsten Lodderstedt
I'm fine with specifying OAuth discovery in an additional I-D/RFC (along with the extension I have asked for). As a consequence, does this mean you will remove all references to OAuth Discovery from the core specification? Beside that, this raises another question: Are there additional functiona

Re: [OAUTH-WG] OAuth & Protected feeds

2010-08-03 Thread Torsten Lodderstedt
James, This example illustrates that OAuth2 discovery needs to let a service explicitly indicate whether a direct and/or user-delegation flow is required. For instance, a "WWW-Authenticate: OAuth2" response could define 2 parameters: 'user-uri' and 'token-uri'. If only one is present, only the co

Re: [OAUTH-WG] OAuth & Protected feeds

2010-08-03 Thread Torsten Lodderstedt
Darren, As an OAuth 2 provider and consumer as well as someone who's preparing to build the DiSo interactions my proposal was based on, I would prefer a single flow that addresses what I feel will be an increasingly common set of requirements rather than combining two flows designed for two distin