Hi Eric – we’re currently implementing these flows, and I’m working on a draft 
to capture both these flows and I’m hoping to have some community review in 
person at the interim meeting on Monday – will you be there?

Also, a few questions on what you’ve implemented:

 *   You don’t seem to ever have a “prn” defined in your JWT – what was the 
reasoning behind this?
 *   The URL for the keys is explicitly registered on your side, and never 
carried in a “jku” or “x5u” field... is that correct? (Note that we’re 
starting with statically configured PEM certs.)
 *   scope – my current thinking is that since this is the token endpoint, 
authorization has already occurred. It seems like scope should be optional and 
only used to downgrade capabilities. What is Google’s thinking?
 *   In your client authentication flow, you never declare the assertion type – 
was this intentionally omitted?

-cmort
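
Reading the questions above together, the token endpoint's side of the flow comes down to a verifier that trusts only keys it registered itself, refuses any key location carried inside the JWT (jku/x5u), and then checks the claims it requires, with prn optional. This is an added illustration, not code from Google or from anyone in this thread; it uses Go's standard library with EdDSA rather than RS256 over PEM certificates to keep it short, and the registry, issuer names, audience URL and claim values are constructed.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

// Constructed registry: public keys are registered out of band and looked up by issuer, so nothing inside the JWT (jku/x5u) ever chooses where a key comes from.
var registeredKeys = map[string]ed25519.PublicKey{}
var enc = base64.RawURLEncoding
type Claims struct {
	Iss string `json:"iss"`
	Prn string `json:"prn,omitempty"` // principal the assertion speaks for; optional here
	Aud string `json:"aud"`
	Exp int64  `json:"exp"`
}
func decode(part string, v interface{}) bool {
	raw, err := enc.DecodeString(part)
	return err == nil && json.Unmarshal(raw, v) == nil
}
// SignAssertion builds b64(header).b64(claims).b64(signature over the first two parts).
func SignAssertion(key ed25519.PrivateKey, hdr map[string]string, c Claims) string {
	h, _ := json.Marshal(hdr)
	b, _ := json.Marshal(c)
	input := enc.EncodeToString(h) + "." + enc.EncodeToString(b)
	return input + "." + enc.EncodeToString(ed25519.Sign(key, []byte(input)))
}
// VerifyAssertion: fixed alg, no token-supplied key location, the issuer's registered key only, then audience and expiry (unix seconds).
func VerifyAssertion(token, aud string, now int64) (Claims, error) {
	h, c := map[string]string{}, Claims{}
	p := strings.Split(token, ".")
	if len(p) != 3 || !decode(p[0], &h) || !decode(p[1], &c) {
		return Claims{}, errors.New("malformed token")
	}
	if h["alg"] != "EdDSA" || h["jku"] != "" || h["x5u"] != "" {
		return Claims{}, errors.New("unsupported alg or token-supplied key location")
	}
	pub, ok := registeredKeys[c.Iss]
	sig, err := enc.DecodeString(p[2])
	if !ok || err != nil || !ed25519.Verify(pub, []byte(p[0]+"."+p[1]), sig) {
		return Claims{}, errors.New("unregistered issuer or bad signature")
	}
	if c.Aud != aud || now >= c.Exp {
		return Claims{}, errors.New("wrong audience or expired")
	}
	return c, nil
}
```

A correctly signed assertion whose header names its own key URL is rejected before the signature is even checked, which is the property a statically configured registry buys you.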

On 5/16/11 6:12 PM, "Eric Sachs" <[email protected]> wrote:

Last month we announced support for Google App Engine apps to create signed 
JWTs, such as for use in OAuth2 assertion flows.  We are now providing a 
preview of the ability for developers to make API calls to Google using OAuth2 
assertions in JWT format.  The documentation (including pointers to sample apps 
and their source code) is at:
https://sites.google.com/site/oauthgoog/Home/google-oauth2-assertion-flow
As we discussed at the InternetIdentityWorkshop, we are interested in working 
with vendors in interop using these techniques.
---------- Forwarded message ----------
From: Eric Sachs <[email protected]>
Date: Wed, Apr 6, 2011 at 12:43 PM
Subject: Native JWT support in Google App Engine
To: [email protected]


Google has just added native support for JWT to Google App Engine.  Here is the 
documentation:
https://sites.google.com/site/oauthgoog/authenticate-google-app-engine-app
Our hope is to work with other players in the cloud computing space to improve 
some elements of cloud security by using PKI, JWT & OAuth2 for interop between 
our systems.

Based on past industry discussion, we wrote up a description of some of the 
general interop use-cases:
https://sites.google.com/site/oauthgoog/robotaccounts/cloudtoonpremise
https://sites.google.com/site/oauthgoog/robotaccounts/onpremisetocloud
While this new feature in Google App Engine is a significant step for Google, 
we realize there is more to do on our side, such as adding support for JWT 
assertions in our recently announced OAuth2 support for Google APIs 
<http://googlecode.blogspot.com/2011/03/making-auth-easier-oauth-20-for-google.html>. 
However, we would prefer to get feedback from this group on a standard 
approach, including around key rotation/management.

Eric Sachs
Senior Product Manager, Internet Identity
Google


_______________________________________________
woes mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/woes