[OAUTH-WG] Definition of additional client profiles

2014-10-02 Thread Lewis Adam-CAL022
Hi, 6749 defines three client profiles which are mapped to either confidential or public client types. Have any new client profiles since been defined? And is there a process or place to put those additional profiles? For example I'm thinking about additional confidential client types, maybe

[OAUTH-WG] HOTK/POP/etc drafts

2014-04-24 Thread Lewis Adam-CAL022
Hi, Lots of crypto drafts on OAuth popping up that I need to come up to speed on. draft-bradley-oauth-pop-key-distribution-00 http://datatracker.ietf.org/doc/draft-bradley-oauth-pop-key-distribution/

[OAUTH-WG] OAuth Enteprise federation ... 5 years from now

2014-03-27 Thread Lewis Adam-CAL022
I am curious to ping the thoughts of others on the list of how OAuth is going to continue to mature, especially with respect to enterprise federation scenarios. This is something that I spend a whole lot of time thinking about. Specifically, consider the following use case: An end user in

Re: [OAUTH-WG] OAuth Enteprise federation ... 5 years from now

2014-03-27 Thread Lewis Adam-CAL022
, March 27, 2014 9:07 AM To: Lewis Adam-CAL022 Cc: oauth@ietf.org Subject: Re: [OAUTH-WG] OAuth Enteprise federation ... 5 years from now Hi Adam, 3 is the most common today. In the Salesforce case it has the additional benefit that when Domain 1 is federating to SalesForce via OpenID Connect

Re: [OAUTH-WG] OAuth Enteprise federation ... 5 years from now

2014-03-27 Thread Lewis Adam-CAL022
it? Looking for actual examples in the wild to point to. adam From: John Bradley [mailto:ve7...@ve7jtb.com] Sent: Thursday, March 27, 2014 1:07 PM To: Lewis Adam-CAL022 Cc: oauth@ietf.org Subject: Re: [OAUTH-WG] OAuth Enteprise federation ... 5 years from now Handing out a id_token with a 3rd party

Re: [OAUTH-WG] OAuth Enteprise federation ... 5 years from now

2014-03-27 Thread Lewis Adam-CAL022
… adam From: Tim Bray [mailto:tb...@textuality.com] Sent: Thursday, March 27, 2014 4:48 PM To: John Bradley Cc: Lewis Adam-CAL022; oauth@ietf.org Subject: Re: [OAUTH-WG] OAuth Enteprise federation ... 5 years from now I can’t give names or numbers but yeah, it’s happening. Especially for Android

Re: [OAUTH-WG] Conference Call Agenda

2014-01-28 Thread Lewis Adam-CAL022
Hi Hannes, you (or others on the list) might be interested to know that we prototyped the draft version of HOTK, for what it's worth. adam -Original Message- From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Hannes Tschofenig Sent: Tuesday, January 28, 2014 7:56 AM To:

Re: [OAUTH-WG] Scopes in access token response

2013-12-04 Thread Lewis Adam-CAL022
To: Lewis Adam-CAL022; Thomas Broyer; Andreas Kohn Cc: oauth@ietf.org Subject: Re: [OAUTH-WG] Scopes in access token response Actually, section 5.1 is quite specifically how it's returned, and the intent of the cross-reference to 3.3 is that they use the same format: a space-separated list presented

Re: [OAUTH-WG] Device profile usage

2013-05-29 Thread Lewis Adam-CAL022
Hi Vincent … it sounds to me like you should be looking at the code flow. It is optimized for the use case you describe (or at least as I understand it). A native application which uses an installed web browser to interact with the AS and obtain a token for your client. Using this flow, your

Re: [OAUTH-WG] Proposed Syntax Changes in Dynamic Registration

2013-05-23 Thread Lewis Adam-CAL022
For what it's worth, I am in favor of making the changes to (1) and (2) and leaving (3) unchanged. (1) and (2) are definitely confusing to me, as I would normally have associated the issued and expiration times to the token. (3) is obvious as it stands, and as others have mentioned, only

[OAUTH-WG] Question/comments on draft-ietf-oauth-revocation-09

2013-05-23 Thread Lewis Adam-CAL022
Hi, Section 2.2 (Revocation Response) of draft-ietf-oauth-revocation-09 states: The authorization server responds with HTTP status code 200 if the token has been revoked successfully or if the client submitted an invalid token. The content of the response body does not matter as all

Re: [OAUTH-WG] Recap of two well known OAuth related attacks

2013-05-17 Thread Lewis Adam-CAL022
One wonders that - if in hindsight - the implicit flow was a mistake to include in the framework. Yes it saves a single round trip for use cases where the tokens are exposed to the UA, but it's not clear that optimization is worth the security headaches that are going to be caused down the

Re: [OAUTH-WG] JWT grant_type and client_id

2013-03-16 Thread Lewis Adam-CAL022
might be inclined to use it. adam From: Mike Jones [mailto:michael.jo...@microsoft.com] Sent: Saturday, March 16, 2013 12:17 PM To: Phil Hunt Cc: Brian Campbell; Lewis Adam-CAL022; oauth@ietf.org Subject: RE: [OAUTH-WG] JWT grant_type and client_id I agree that it’s likely a claim that would

Re: [OAUTH-WG] JWT grant_type and client_id

2013-03-15 Thread Lewis Adam-CAL022
@ietf.org Subject: Re: [OAUTH-WG] JWT grant_type and client_id Hi On 15/03/13 20:40, Lewis Adam-CAL022 wrote: Hi John, I would like to argue that the scope should be a parameter in the access token request message, the same as it is for the RO creds grant and client creds grant type. This would keep

Re: [OAUTH-WG] JWT grant_type and client_id

2013-03-15 Thread Lewis Adam-CAL022
profiles as a self-contained doc. adam From: Brian Campbell [mailto:bcampb...@pingidentity.com] Sent: Friday, March 15, 2013 5:13 PM To: Lewis Adam-CAL022 Cc: Sergey Beryozkin; oauth@ietf.org Subject: Re: [OAUTH-WG] JWT grant_type and client_id So currently the base assertion document defines

Re: [OAUTH-WG] JWT grant_type and client_id

2013-03-15 Thread Lewis Adam-CAL022
. If not, then it will be JSON+encryption+signing, just not a JWT :) adam From: Brian Campbell [mailto:bcampb...@pingidentity.com] Sent: Friday, March 15, 2013 5:16 PM To: Lewis Adam-CAL022 Cc: Sergey Beryozkin; oauth@ietf.org Subject: Re: [OAUTH-WG] JWT grant_type and client_id Codifying

Re: [OAUTH-WG] JWT grant_type and client_id

2013-03-14 Thread Lewis Adam-CAL022
and the assertion. Is this correct? From: Mike Jones [mailto:michael.jo...@microsoft.com] Sent: Monday, February 18, 2013 6:58 PM To: Lewis Adam-CAL022; oauth@ietf.org WG Subject: RE: JWT grant_type and client_id The client_id value and the access token value are independent

Re: [OAUTH-WG] JWT grant_type and client_id

2013-03-14 Thread Lewis Adam-CAL022
PM To: Lewis Adam-CAL022 Cc: Mike Jones; WG oauth@ietf.org@il06exr02.mot.com Subject: Re: [OAUTH-WG] JWT grant_type and client_id Yes, that is correct. I'm working on new revisions of the drafts that will hopefully make that point more clear. On Thu, Mar 14, 2013 at 5:26 PM, Lewis Adam-CAL022

Re: [OAUTH-WG] JWT - scope claim missing

2013-03-11 Thread Lewis Adam-CAL022
qualified scope, but it just seems that claims, scopes, and audiences are each unique and should be kept that way. adam From: Phil Hunt [mailto:phil.h...@oracle.com] Sent: Monday, March 11, 2013 9:25 AM To: Nat Sakimura Cc: Lewis Adam-CAL022; oauth@ietf.org WG Subject: Re: [OAUTH-WG] JWT - scope claim

Re: [OAUTH-WG] JWT - scope claim missing

2013-02-28 Thread Lewis Adam-CAL022
Adding my 2 cents ... I am looking to use JWT as the structure for my access tokens, and will likely profile it to look just like an id_token, plus the scope claim which triggered this thread :-) I am also looking at JWT as a grant type. I am also looking into federating my access tokens (one

[OAUTH-WG] JWT grant_type and client_id

2013-02-18 Thread Lewis Adam-CAL022
Is there any guidance on the usage of client_id when using the JWT assertion profile as a grant type? draft-ietf-oauth-jwt-bearer-04 makes no mention so I assume that it is not required ... but it would be necessary if using in conjunction with a HOK profile where the JWT assertion is issued

Re: [OAUTH-WG] Why OAuth it self is not an authentication framework ?

2013-02-06 Thread Lewis Adam-CAL022
[mailto:wmills_92...@yahoo.com] Sent: Tuesday, February 05, 2013 6:49 PM To: Lewis Adam-CAL022; Tim Bray Cc: WG oauth@ietf.org@il06exr02.mot.com Subject: Re: [OAUTH-WG] Why OAuth it self is not an authentication framework ? Why use OAuth when OpenID does everything that OAuth can do as an authentication method

Re: [OAUTH-WG] Why OAuth it self is not an authentication framework ?

2013-02-05 Thread Lewis Adam-CAL022
I think this is becoming a largely academic / philosophical argument by this time. The people who designed OAuth will likely point out that it was conceptualized as an authorization protocol to enable a RO to delegate access to a client to access its protected resources on some RS. And of

Re: [OAUTH-WG] I'm concerned about how the sniffability of oauth2 requests

2013-02-04 Thread Lewis Adam-CAL022
Speaking of ... what is the status of the HOK work? The last draft has expired and it's fallen off of the OAuth page now. -Original Message- From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf Of Sergey Beryozkin Sent: Monday, February 04, 2013 10:58 AM To:

Re: [OAUTH-WG] Using structured access_token as grant type in assertion flow

2012-12-17 Thread Lewis Adam-CAL022
the TGS on-demand. I think this is totally within the realm of reason. We will likely prototype this idea very early next year (Jan/Feb). -adam From: Brian Campbell [mailto:bcampb...@pingidentity.com] Sent: Friday, December 14, 2012 3:14 PM To: Lewis Adam-CAL022 Cc: oauth@ietf.org Subject: Re

[OAUTH-WG] Using structured access_token as grant type in assertion flow

2012-12-10 Thread Lewis Adam-CAL022
Hi, I continue to have an interest in the OAuth assertion profiles for my use cases. I'm wondering if the idea of performing a first OAuth dance which returns to the client a structured JWT access token (with scope=AS for example) could then be used as the JWT in an assertion grant type? So

Re: [OAUTH-WG] Assertion Framework - Why does issuer have to be either the client or a third party token service?

2012-12-05 Thread Lewis Adam-CAL022
Hi Brian, This is sort of my feeling on the STS as well (theoretical). Are there any real-life examples of obtaining a JWT assertion from an STS that can be used for the assertion flow? And if so then how is it obtained? It cannot be an id_token because that is audience restricted to the

Re: [OAUTH-WG] How the client can decide it is time to use the refresh token

2012-11-27 Thread Lewis Adam-CAL022
Hi Sergey, In my use cases the client actively monitors the expiration of the AT in order to request a new AT using the RT. We do this as you suggested, because presenting an expired AT to the RS is a wasted round trip and adds latency and degrades the user experience. Why send the AT if we

Re: [OAUTH-WG] is OAuth protocol based on HTTP?

2012-11-14 Thread Lewis Adam-CAL022
Hi Guangqing, Just to build on what Justin and Hannes said, I have use cases that involve sending OAuth access tokens over MANY non-HTTP protocols including SIP, RTSP, SOAP (though you could argue that it is HTTP underneath), and other proprietary protocols. (I also have use cases for the more

Re: [OAUTH-WG] access tokens refresh tokens of different scopes

2012-11-02 Thread Lewis Adam-CAL022
it’s worthwhile. It seems at least you and Torsten agree in principle … what level of critical mass is required to get something moving? adam From: Manger, James H [mailto:james.h.man...@team.telstra.com] Sent: Wednesday, October 31, 2012 8:01 PM To: Lewis Adam-CAL022 Cc: WG oauth@ietf.org

[OAUTH-WG] access tokens refresh tokens of different scopes

2012-10-31 Thread Lewis Adam-CAL022
I have a use case where I would like to request both an access token and a refresh token, but I would like the access token to have a scope less than that of the refresh token. It is standard OAuth behavior for using the refresh token to request additional access tokens (of equal or lesser

Re: [OAUTH-WG] access tokens refresh tokens of different scopes

2012-10-31 Thread Lewis Adam-CAL022
: Wednesday, October 31, 2012 12:19 PM To: Lewis Adam-CAL022 Subject: Re: [OAUTH-WG] access tokens refresh tokens of different scopes If the latency is important, you can deal with the latency by making the first call to the RS with the original access token while you are waiting for the stricter

Re: [OAUTH-WG] access tokens refresh tokens of different scopes

2012-10-31 Thread Lewis Adam-CAL022
, October 31, 2012 3:11 PM To: Lewis Adam-CAL022 Cc: Dick Hardt; oauth@ietf.org Subject: Re: [OAUTH-WG] access tokens refresh tokens of different scopes Hi Adam Given your clarification, why not have 3 different calls to the AS so that there are separate refresh tokens for each RS? If you don't want

Re: [OAUTH-WG] access tokens refresh tokens of different scopes

2012-10-31 Thread Lewis Adam-CAL022
31, 2012 4:07 PM To: Lewis Adam-CAL022 Cc: oauth@ietf.org WG Subject: Re: [OAUTH-WG] access tokens refresh tokens of different scopes On Oct 31, 2012, at 1:29 PM, Lewis Adam-CAL022 adam.le...@motorolasolutions.com wrote: Hi Dick, Totally agree about

[OAUTH-WG] Best practices for AT and RT lifetime?

2012-09-07 Thread Lewis Adam-CAL022
Hi, I would like to understand if there are any current best practices around the lifetime of an OAuth access token and refresh token. The spec gives guidance of a max of 10min for a code, and section 4.2.2. gives an example of 3600sec for an access token. There is no mention of a lifetime

[OAUTH-WG] hotk and refresh tokens

2012-09-07 Thread Lewis Adam-CAL022
Hi, What are the plans for the OAuth HOTK draft with respect to refresh tokens? Section 4.3 says that a new public key can be bound to a new access token using a refresh token grant, but it would be nice if the refresh token could also use the public key such that when using the refresh token

Re: [OAUTH-WG] Is Allow / disallow screen mandatory ?

2012-08-07 Thread Lewis Adam-CAL022
Hi Jérôme, I am one of those non-consumer use cases where explicit consent is not part of our envisioned OAuth flow. The resource servers that we create and sell to our customers are owned by the customer's IT department, so when a user (employee) authenticates to the AS, it is the enterprise

Re: [OAUTH-WG] Report an authentication issue

2012-06-28 Thread Lewis Adam-CAL022
Hi Nat, Starting from a standalone use case would be good. My impression (I may be wrong) is that your requirement is to be able to (1) Log the user identifier of the person who is accessing the resource at the resource server for the audit etc. purposes. acl yes ... that *and* to authenticate

Re: [OAUTH-WG] Report an authentication issue

2012-06-28 Thread Lewis Adam-CAL022
, since everybody seems to at least agree that it can be profiled to do so. Tx! adam From: John Bradley [mailto:ve7...@ve7jtb.com] Sent: Thursday, June 28, 2012 3:48 PM To: Lewis Adam-CAL022 Cc: Nat Sakimura; oauth@ietf.org Subject: Re: [OAUTH-WG] Report an authentication issue Adam

Re: [OAUTH-WG] Report an authentication issue

2012-06-21 Thread Lewis Adam-CAL022
Hi Nat ... It could also be that RS is the PDP+PEP. Your model seems to fit this one. acl Yes, exactly! Then, you just take id_token there and PDP portion of the RS gives you the access token, which you present it to the PEP portion of the RS. acl if by you you're referring to the native

Re: [OAUTH-WG] Report an authentication issue

2012-06-20 Thread Lewis Adam-CAL022
I am entirely confused. I understand what everybody is saying for confidential clients, no problem here. I fall apart when thinking of iPhone apps. Consider the scenario where I deploy a video server, and write an iPhone app to talk to the video server. The video server is under the control

Re: [OAUTH-WG] Authorization Request via back channel / direct communication?

2012-06-09 Thread Lewis Adam-CAL022
register a handler for a browser URI thing ... but for enterprise use cases, it's a kludge. Just my 2 cents. It's free :) adam From: John Bradley [mailto:ve7...@ve7jtb.com] Sent: Friday, June 08, 2012 9:04 PM To: Lewis Adam-CAL022 Cc: oauth@ietf.org Subject: Re: [OAUTH-WG] Authorization Request

[OAUTH-WG] Implicit vs. Code flow for Native clients

2012-06-08 Thread Lewis Adam-CAL022
Hi all, I'm looking for a better understanding of why the code flow is recommended as the preferred OAuth flow, even when used for native (public) clients. I totally get why it is preferred for confidential clients, as explained in section 1.3.1. of the version 26 of the draft. The first

[OAUTH-WG] Authorization Request via back channel / direct communication?

2012-06-08 Thread Lewis Adam-CAL022
Hi, I have a historical question around front channel / back channel (direct) communications and Authorization Requests. Both the code-flow and implicit-flow utilize a front channel communication through the UA. This makes sense for the delegated credentials case (e.g. shutterfly accessing

[OAUTH-WG] Inter-domain AS/RS communication (revisited)

2012-06-01 Thread Lewis Adam-CAL022
Hi all, I've asked about the lack of standardization of the AS-RS interface in the past, but I have a new twist on my question. What is the viability of performing user authentication using OAuth with an RS in domain-1, and a whole bunch of AS's in different domains (assuming that the RS and

Re: [OAUTH-WG] Inter-domain AS/RS communication (revisited)

2012-06-01 Thread Lewis Adam-CAL022
To: Manger, James H Cc: Lewis Adam-CAL022; oauth@ietf.org Subject: Re: [OAUTH-WG] Inter-domain AS/RS communication (revisited) More specifically, OpenID Connect with the addition of reusing the access_token provided by the AS to get at other API services. This capability is explicitly encouraged

Re: [OAUTH-WG] Inter-domain AS/RS communication (revisited)

2012-06-01 Thread Lewis Adam-CAL022
. -adam From: George Fletcher [mailto:gffle...@aol.com] Sent: Friday, June 01, 2012 2:34 PM To: Lewis Adam-CAL022 Cc: oauth@ietf.org Subject: Re: [OAUTH-WG] Inter-domain AS/RS communication (revisited) I'm not sure why the dependency on the unstructured token. You can have a small structured token

Re: [OAUTH-WG] Inter-domain AS/RS communication (revisited)

2012-06-01 Thread Lewis Adam-CAL022
, because of my edge cases). Tx! adam -Original Message- From: Justin Richer [mailto:jric...@mitre.org] Sent: Friday, June 01, 2012 3:00 PM To: Lewis Adam-CAL022 Cc: Manger, James H; oauth@ietf.org Subject: Re: [OAUTH-WG] Inter-domain AS/RS communication (revisited) First, I have to give

Re: [OAUTH-WG] Inter-domain AS/RS communication (revisited)

2012-06-01 Thread Lewis Adam-CAL022
-token, in response to an Access Token request? I realize that Connect may be looking to make more ubiquitous, but who does it today? Tx!! adam From: George Fletcher [mailto:gffle...@aol.com] Sent: Friday, June 01, 2012 3:42 PM To: Lewis Adam-CAL022 Cc: Justin Richer; oauth@ietf.org Subject: Re

Re: [OAUTH-WG] Examples of structured tokens in the wild?

2012-04-19 Thread Lewis Adam-CAL022
I would find this useful as well. I've been ramping up on OAuth and have found the lack of standardization of access tokens very frustrating (structured vs. unstructured, if structured then what type of structure, etc). Not being able to understand what type of access tokens are being

Re: [OAUTH-WG] Using OAuth to get a JWT/SAML token

2012-04-19 Thread Lewis Adam-CAL022
external or embedded? Why can't my native client make RESTful API calls to the AS and RS natively? Tx! adam From: Justin Richer [mailto:jric...@mitre.org] Sent: Friday, April 13, 2012 11:38 AM To: Lewis Adam-CAL022 Cc: oauth@ietf.org Subject: Re: [OAUTH-WG] Using OAuth to get a JWT/SAML token

Re: [OAUTH-WG] Using OAuth to get a JWT/SAML token

2012-04-19 Thread Lewis Adam-CAL022
' Original message Subject: Re: [OAUTH-WG] Using OAuth to get a JWT/SAML token From: Lewis Adam-CAL022 adam.le...@motorolasolutions.com To: Justin Richer jric...@mitre.org CC: Re: [OAUTH-WG] Using OAuth to get a JWT/SAML token Hi Justin, There is one thing I have not understood about the whole

Re: [OAUTH-WG] Using OAuth to get a JWT/SAML token

2012-04-19 Thread Lewis Adam-CAL022
, April 19, 2012 5:08 PM To: Lewis Adam-CAL022 Cc: Justin Richer; oauth@ietf.org Subject: Re: [OAUTH-WG] Using OAuth to get a JWT/SAML token A browser isn't required. The browser based flows are pretty common with OAuth but they are certainly not the only way to get a token. The resource owner

Re: [OAUTH-WG] Using OAuth to get a JWT/SAML token

2012-04-13 Thread Lewis Adam-CAL022
Hi Justin ... In your application, to start things off, you fire off a web browser to the authorization server's authorization endpoint. The user logs in to the authorization server through the web browser, approves this copy of your app, and gets redirected to

[OAUTH-WG] Using OAuth to get a JWT/SAML token

2012-04-12 Thread Lewis Adam-CAL022
Hi all, I've been talking to some of you off line about this already, but I need some help in terms of implementation. I would like to use OAuth as a means to get either a JWT or SAML token to a client running on a handheld device. This is something that I'm looking to prototype (as part of

[OAUTH-WG] draft-ietf-oauth-saml2-bearer-10 question

2012-04-05 Thread Lewis Adam-CAL022
Hi, Reading draft-ietf-oauth-saml2-bearer-10, it states: The process by which the client obtains the SAML Assertion, prior to exchanging it with the authorization server or using it for client authentication, is out of scope. Accepting that it's out of scope from the draft, what are the