You could also use a signed JWT returned by the resource owner (web
site) to be presented to the resource server (widget provider) that the
resource server can validate (e.g. verify the signature). The JWT can
contain scopes, expiry time, etc as needed. If the widget provider needs
to access services at the resource owner, the JWT can contain an
appropriate access_token for the user.
Thanks,
George
On 8/31/11 4:58 PM, Justin Karneges wrote:
Thanks Justin. I tend to agree that this is probably not a 2-legged issue,
and that there is likely a better fitting arrangement in the OAuth 2.0 system.
I've thought about this some more, and, especially given that the website and
widget provider are separately-owned entities, maybe the roles ought to be:
- resource owner: the website (not the user)
- resource server: widget provider (where the resource is generically "the
ability to utilize the widget")
- client: the webpage running in the browser
- authorization server: widget provider (not the website)
This way, we are sharing an auth grant between two separately-owned entities
rather than an access token. As I understand it, an access token is really
meant for exchange between two tightly related entities since as far as I can
tell access token formats are proprietary. Auth grants, on the other hand,
are being standardized (SAML?), and so they seem more appropriate for exchange
between organizations.
So, by the fact that the website trusts the client (the user has signed into
the website using a traditional web form, and the client possesses a cookie),
the website gives an authorization grant to the client in order to access
widget services. The grant would indicate rights scoped appropriately based
on the particular user.
How's that? :)
On Wednesday, August 31, 2011 12:42:05 PM Justin Richer wrote:
This description actually sounds a lot like the user-agent flow (aka,
"implicit authorization grant") in OAuth2 more than it does a true
two-legged system. The user is still there, and there's still a client
and protected resource, it's just that they're fairly tightly tied.
When using the implicit flow, one of the things you rely on for
verification of the client is the callback url. In this case, it can be
completely pre-registered back to something that the AS/PR has direct
control over.
If you wanted to do a more traditional two-legged approach, you can use
the client-credentials flow between the two servers and have the user's
identity just be asserted as part of an explicit API call. But since you
have a user in the loop, you might as well use them and do a real
three-legged kind of thing.
Additionally, the "user is logged in" bits could be handled by using
OpenID Connect if he wants to go in that direction. At a very high
level, the user ID basically becomes an OAuth2 protected resource, thus
allowing you to log in from any where you can get an access token.
(Connect folks, please feel free to chime in and tell Justin how wrong I
am.)
-- Justin
On Wed, 2011-08-31 at 15:14 -0400, Peter Saint-Andre wrote:
I tried to help Justin off-list, but it would be nice to have a FAQ
somewhere that shows developers how to translate from OAuth 1.1 to OAuth
2.0, even just conceptually (as in, "they got rid of the legs, how do I
do two-legged auth in OAuth 2.0?!?").
On 8/26/11 5:04 PM, Justin Karneges wrote:
Hi folks,
I currently use a proprietary token approach to provide authentication
to a browser widget, and I wonder if OAuth could be used to replace
it.
Here's how the system currently works:
- website supports authenticated users (happens via username/password
form) - website and widget provider have a shared secret
- the website serves a page to the browser, containing an embed of a
remote
widget as well as a token that asserts the currently logged in user.
the widget takes this token and performs an ajax call to the widget
provider server. behold, the user is now logged in to the widget.
In trying to organize this into OAuth terms and roles, here is what I
come up
with:
- resource owner: the user
- resource server: widget provider (where the resource is generically
"the
ability to utilize the widget")
- client: the webpage running in the browser
- authorization server: the website
The website essentially serves up the client application and token in
one shot, so the client never has to explicitly ask for a token.
However, the client would then take that token and use it to access a
service. The website and widget provider would share key material
such that token validation is possible, but it's important to note
that the two services are not owned and operated by the same people.
Does this seem right? Normally when I think of OAuth, I think of a
user giving a third-party service access to his personal stuff, but in
the above flow I'm proposing that OAuth be used so that the user gains
access to his own stuff. In fact, there would be no way to access his
stuff other than this approach, so it's not just about optional
third-party access. It's the direct and only access.
Would love confirmation that OAuth is appropriate for my needs, and if
I have the roles right in that case.
Thanks,
Justin
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
