Re: [OAUTH-WG] Question regarding draft-hunt-oauth-v2-user-a4c

2014-06-13 Thread Anil Saldhana
On 06/12/2014 12:22 PM, Phil Hunt wrote: One of the use cases is to return only a token that is NOT an access token and is only an authentication assertion that is not opaque to the client. A key concern is clients do not always want to ask users for consent to access their profiles or any oth

Re: [OAUTH-WG] Question regarding draft-hunt-oauth-v2-user-a4c

2014-06-13 Thread Bill Burke
On 6/13/2014 10:21 AM, Anil Saldhana wrote: On 06/12/2014 12:22 PM, Phil Hunt wrote: One of the use cases is to return only a token that is NOT an access token and is only an authentication assertion that is not opaque to the client. A key concern is clients do not always want to ask users fo

Re: [OAUTH-WG] Question regarding draft-hunt-oauth-v2-user-a4c

2014-06-13 Thread Anil Saldhana
On 06/13/2014 09:24 AM, Bill Burke wrote: On 6/13/2014 10:21 AM, Anil Saldhana wrote: On 06/12/2014 12:22 PM, Phil Hunt wrote: One of the use cases is to return only a token that is NOT an access token and is only an authentication assertion that is not opaque to the client. A key concern is

Re: [OAUTH-WG] Question regarding draft-hunt-oauth-v2-user-a4c

2014-06-13 Thread Prateek Mishra
Thanks, Bill - I certainly appreciate the comment from an implementor who wasn't involved in the OIDC protocol design. My understanding of the discussion around a4c is one of a minimalist extension to OAuth, not a full-featured one like OIDC. One concern I have heard expressed is that OIDC is so

Re: [OAUTH-WG] Question regarding draft-hunt-oauth-v2-user-a4c

2014-06-13 Thread Bill Burke
On 6/12/2014 4:18 PM, Phil Hunt wrote: Phil On Jun 12, 2014, at 12:50, Bill Burke wrote: On 6/12/2014 12:49 PM, Prateek Mishra wrote: The OpenID Connect 2.0 Core specification alone is 86 pages. It has received review from maybe a dozen engineers within the OpenID community. The Open

Re: [OAUTH-WG] Question regarding draft-hunt-oauth-v2-user-a4c

2014-06-13 Thread Bill Burke
On 6/13/2014 11:46 AM, Prateek Mishra wrote: Thanks, Bill - I certainly appreciate the comment from an implementor who wasn't involved in the OIDC protocol design. My understanding of the discussion around a4c is one of a minimalist extension to OAuth, not a full-featured one like OIDC. One con

Re: [OAUTH-WG] Question regarding draft-hunt-oauth-v2-user-a4c

2014-06-13 Thread Prateek Mishra
Excellent, now you have put your finger on the precise issue with OIDC - lots of optional extensions and shiny trinkets and lack of a clear definition of a core subset for servers. I realize it's exciting for consultants, software and toolkit vendors to have that sort of optionality, but in pra

Re: [OAUTH-WG] Question regarding draft-hunt-oauth-v2-user-a4c

2014-06-13 Thread Anil Saldhana
For me it boils down to this: OAuth deals with Authorization. Authentication needs to be outside its realm - whether it is OIDC, SAML or other protocols, it is fine. The security community has just muddled up things for end users, implementors and adopters. We need to start having clear cut

Re: [OAUTH-WG] Question regarding draft-hunt-oauth-v2-user-a4c

2014-06-13 Thread Mike Jones
Actually, there is a very clear definition of what the minimal Mandatory To Implement (MTI) in OpenID Connect is - it's right in the spec. See the (quite short) sections: 15.1. Mandatory to Implement Features for All OpenID P

Re: [OAUTH-WG] Question regarding draft-hunt-oauth-v2-user-a4c

2014-06-13 Thread Prateek Mishra
Mike - when I see language like [quote] This list augments the set of features that are already listed elsewhere as being "REQUIRED" or are described with a "MUST", and so is not, by itself, a comprehensive set of implementation requirements for OPs. [/quote] in Section 15.1, I have to say t

Re: [OAUTH-WG] Question regarding draft-hunt-oauth-v2-user-a4c

2014-06-13 Thread Phil Hunt
I am going to address a few comments all together here: 1. John Bradley confirmed again yesterday, OIDC does not allow for authentication only as part of the normal code flow and decided intentionally not to address it. So to say OIDC has a solution is confusing. OIDC has the solution if you w

Re: [OAUTH-WG] Question regarding draft-hunt-oauth-v2-user-a4c

2014-06-13 Thread Bill Burke
On 6/13/2014 12:24 PM, Prateek Mishra wrote: Excellent, now you have put your finger on the precise issue with OIDC - lots of optional extensions and shiny trinkets and lack of a clear definition of a core subset for servers. OIDC is a very clear specification. Your phrase "shiny trinkets"

Re: [OAUTH-WG] Question regarding draft-hunt-oauth-v2-user-a4c

2014-06-13 Thread Anil Saldhana
Phil - I want to hear who are those developers supporting a4c. You keep saying developers developers. I am not one of them. This mailing list has clearly shown total disregard for the a4c proposal. Please try to accept the community sentiment and don't unnecessarily extend this discussion int

Re: [OAUTH-WG] Question regarding draft-hunt-oauth-v2-user-a4c

2014-06-13 Thread Anil Saldhana
On 06/12/2014 04:18 PM, John Bradley wrote: All but a handful of OAuth WG participants participated in developing OpenID Connect. Yes some companies chose not to participate for whatever reasons and have not committed to the mutual non assert IPR agreement, and that is unfortunate, but not a

Re: [OAUTH-WG] Question regarding draft-hunt-oauth-v2-user-a4c

2014-06-13 Thread Mike Jones
I just looked at all the uses of REQUIRED and MUST in the OpenID Connect Core spec. They do things like say which claims are REQUIRED in the ID Token ("iss", "sub", etc.), which OAuth parameters and features are REQUIRED, place restrictions on certain values (such as "iss" MUST use the "https" sch

Re: [OAUTH-WG] Question regarding draft-hunt-oauth-v2-user-a4c

2014-06-13 Thread Donald F. Coffin
+1 Best regards, Don Donald F. Coffin Founder/CTO REMI Networks 22751 El Prado Suite 6216 Rancho Santa Margarita, CA 92688-3836 Phone: (949) 636-8571 Email: donald.cof...@reminetworks.com -Original Message- From: Bill Burke [mailto:bbu...@redhat.com] Sent: Friday, June 13,

Re: [OAUTH-WG] Question regarding draft-hunt-oauth-v2-user-a4c

2014-06-13 Thread Donald F. Coffin
+1 Best regards, Don Donald F. Coffin Founder/CTO REMI Networks 22751 El Prado Suite 6216 Rancho Santa Margarita, CA 92688-3836 Phone: (949) 636-8571 Email: donald.cof...@reminetworks.com -Original Message- From: Anil Saldhana [mailto:anil.saldh...@redhat.com] Sent: Friday,

Re: [OAUTH-WG] Question regarding draft-hunt-oauth-v2-user-a4c

2014-06-13 Thread John Bradley
Subsequent to this email Phil and I have talked. There are two things that are deltas to connect in the spec. One is the ability to issue only an id_token from the token endpoint. The code grant_type requires an access token in the response. If the WG wants to define a new grant type that doesn

Re: [OAUTH-WG] JWT review

2014-06-13 Thread Kathleen Moriarty
Hi Hannes, Thank you for going through the various reviews, since the JOSE ones should be of interest to OAuth. I'll respond in-line. On Thu, Jun 12, 2014 at 4:27 AM, Hannes Tschofenig < hannes.tschofe...@gmx.net> wrote: > Hi Kathleen, > > on the first item I have a few minor remarks: You wrot

Re: [OAUTH-WG] JWT review

2014-06-13 Thread Mike Jones
In no place is SHA-1 or algorithms using it MTI. You can see the set of MTI algorithms by looking at those marked “Required” in the registries. A small set of required algorithms is present, with the choices based on a detailed survey of what algorithms are widely deployed, to provide a basis f

Re: [OAUTH-WG] JWT review

2014-06-13 Thread Kathleen Moriarty
Thanks, Mike. Okay, SHA-1 was a bad example. Hannes asked in response to my earlier review as he felt this was not resolved. I read back through the most recent thread and do see the responses you and Jim provided, also referenced in my response as valid considerations. If possible, it would be

Re: [OAUTH-WG] Question regarding draft-hunt-oauth-v2-user-a4c

2014-06-13 Thread Phil Hunt
+1 Thanks John. Phil > On Jun 13, 2014, at 12:11, John Bradley wrote: > > Subsequent to this email Phil and I have talked. > > There are two things that are deltas to connect in the spec. > > One is the ability to issue only an id_token from the token endpoint. > > The code grant_type requi

Re: [OAUTH-WG] Question regarding draft-hunt-oauth-v2-user-a4c

2014-06-13 Thread John Bradley
Hi Anil, There are a number of profile efforts being looked at in the OIDF. The Mobile Network operators led by the GSMA are starting profile work on a standard profile that will be supported by mobile operators globally, that includes looking at how a Client/RP/SP can register their client

Re: [OAUTH-WG] JWT review

2014-06-13 Thread Mike Jones
This was considered by the WG as issue #10 - http://trac.tools.ietf.org/wg/jose/trac/ticket/10. In the OAuth context, I know that draft-ietf-oauth-assertions and draft-ietf-oauth-saml2-bearer were sent to the IESG for review in 2012 and then sent back to the OAuth working group by the IESG beca

Re: [OAUTH-WG] JWT review

2014-06-13 Thread Kathleen Moriarty
Thanks, Mike. I've sent out a question to get the viewpoint of the current IESG members in hopes to prevent issues as we move forward. I'll post back to the discussion once I get enough input on current preferences in case anything has changed from experience, etc. On Fri, Jun 13, 2014 at 4:04

Re: [OAUTH-WG] Question regarding draft-hunt-oauth-v2-user-a4c

2014-06-13 Thread Brian Campbell
I agree that, at this point, debating the details of a4c is premature. SSO/authentication are not part of the WG charter and, as I've said before, I'd object to changing the charter to include it. Other than a small but vocal minority, I think it's fair to say that that's also been the prevailing s

Re: [OAUTH-WG] Question regarding draft-hunt-oauth-v2-user-a4c

2014-06-13 Thread Anil Saldhana
Brian - I agree. We should neither overload nor extend the WG charter to include any aspect of SSO or authentication. I am hoping Prateek/Phil's feedback on OIDC can be addressed by OIDC. From John's email, it seemed like a path forward is a Deployment Profile at OIDC. Hopefully everybody will

Re: [OAUTH-WG] Question regarding draft-hunt-oauth-v2-user-a4c

2014-06-13 Thread Phil Hunt
I think this is a false argument. What we desire to do or not do is not always the WG's choice. It's not me asking for an authentication enhancement. The issue is whether to address improper authentication in the wild. Several of us all blogged about this a while ago and the problem with improper

Re: [OAUTH-WG] Question regarding draft-hunt-oauth-v2-user-a4c

2014-06-13 Thread John Bradley
To be precise SAML, Connect, and a4c provide Assertion-based authentication of a claimant, by a Verifier (IdP) to a relying party (RP) when the RP and the Verifier are not collocated (i.e., they are connected across a shared network) SP-800-63 sec 9 Typically we call this authentication (au

Re: [OAUTH-WG] Question regarding draft-hunt-oauth-v2-user-a4c

2014-06-13 Thread Bill Burke
On 6/13/2014 7:15 PM, Phil Hunt wrote: Would it be better if we thought about this as the authentication “bug”? How can there be an authentication "bug" when OIDC has addressed it backed by multiple implementations by different parties? Why don't you see if OIDC addresses the minor optim

Re: [OAUTH-WG] Question regarding draft-hunt-oauth-v2-user-a4c

2014-06-13 Thread Paul Madsen
let's not let this disagreement over the need & relevance of a4c be conflated with the age-old blurriness between authz & authn - in no way are the two related paul On 6/13/14, 7:50 PM, John Bradley wrote: To be precise SAML, Connect, and a4c provide Assertion-based authentication of a claimant,

[OAUTH-WG] The underlying question Re: Question regarding draft-hunt-oauth-v2-user-a4c

2014-06-13 Thread Bill Mills
Let's come back to the problem statement. It sounds like OAuth is being (mis)used for plain authentication, we want to deal with that, and OpenID isn't apparently satisfying the need of the folks doing this. Is that essentially correct? What is the use case that the minimal OIDC implementatio