We need to think about this, and whatever we build in this space should work 
for POP tokens as well.  I'd love to hear the concrete use cases and problems 
to be solved.

POP tokens (like OAuth 1.0a) are likely not to be proxyable, so the edge 
servers really should have a way to get a new credential for accessing other 
services on behalf of the user.

Another major consideration is that auth servers are frequently not scaled to 
handle the full edge transaction load; that's part of the point of issuing a 
longer-lived credential from a server that's already done all the expensive 
policy and DB checks.

I'm not a big fan of a token exchange through the auth server for that reason, 
as well as for the added cost incurred by the network round trips that are being 
built in.

-bill
On Monday, November 3, 2014 2:00 PM, "Richer, Justin P." <jric...@mitre.org> wrote:

There's a new working group document where this component *could* be captured 
(and I would argue it should), and that's:
https://tools.ietf.org/wg/oauth/draft-ietf-oauth-token-exchange/
However, at the moment it's more concerned with the semantically-aware 
assertion swap instead of an opaque token swap. Personally, I think that the 
syntax should be general (like in my and in Phil's draft) to allow for any kind 
of input and output token, and if someone wants to standardize an assertion on 
top of that, they can. Hopefully we can get that clear in the WG as progress 
continues on this new document.
-- Justin

On Nov 3, 2014, at 2:54 PM, Ajanta Adhikari <ajanta.adhik...@gmail.com> wrote:

Not sure if I can reply to the mailing list yet, so responding directly.
-----------------------------------------------------------------------------------------

Bas,
We (Akamai) came up with a similar design before I read the draft from Justin 
and Phil. I talked to Justin at IIW about our design choice and he seems to 
think it's in the right direction.
There is a reference to it from our OAUTH scope design session at IIW 
http://iiw.idcommons.net/OAuth_2_Scope_Design_Discuss_iom

I would be happy to share additional details if you are interested. We do not 
publish our implementation publicly.

Thanks,
Ajanta

On Mon, Nov 3, 2014 at 3:02 AM, Bas Zoetekouw <bas.zoetek...@surfnet.nl> wrote:

Hi All,

For a client of ours, I am looking into OAuth token redelegation from
one RS to another.  I've found two drafts that more or less describe the
scenario they want to implement:
https://tools.ietf.org/html/draft-richer-oauth-chain-00 and
http://tools.ietf.org/html/draft-hunt-oauth-chain-01
Could anyone comment on the status of those?
In particular I'd be interested in hearing whether anyone is using
either of those specs in practice, and whether there is any progress on
the drafts.

Best regards,
Bas Zoetekouw.
SURFnet.

--
Bas Zoetekouw
SURFnet Advanced Services
Tel: +31 30 2305362   Fax: +31 30 2305329
SURFnet -  POBox 19035 -  NL-3501 DA Utrecht - The Netherlands

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

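Added illustration (not from any of the drafts, from Akamai's implementation or from the list participants) of the flow the thread is debating: an edge RS holding a user's access token presents it, together with its own credential, to an authorization-server token endpoint and gets back a new token addressed to a downstream RS. The request parameter names (grant_type urn:ietf:params:oauth:grant-type:token-exchange, subject_token, actor_token, audience) are the ones the token-exchange work later standardized in RFC 8693; the HMAC-tagged token format, the hypothetical DELEGATION_POLICY table, the `act` delegation claim layout and the 300-second cap are assumptions made for this example only.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo signing key shared by the AS and its verifiers (never hard-code a real key).
AS_KEY = b"demo-as-signing-key-not-for-production"

# Hypothetical delegation policy (assumption): which actor (an edge RS) may obtain tokens for
# which downstream audience, and the widest scope the new token may carry there.
DELEGATION_POLICY = {
    "edge.example": {"photos.example": {"photos:read"}, "billing.example": {"billing:read"}},
}

TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"
ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, key: bytes = AS_KEY) -> str:
    """Demo token format: base64url(JSON claims).base64url(HMAC-SHA256 tag)."""
    body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    return f"{_b64(body)}.{_b64(hmac.new(key, body, hashlib.sha256).digest())}"


def verify_token(token: str, key: bytes = AS_KEY, now: Optional[float] = None) -> dict:
    """Constant-time MAC check plus expiry check; returns the claims or raises ValueError."""
    try:
        body, tag = (_unb64(part) for part in token.split("."))
    except ValueError as exc:  # wrong number of parts, or bad base64 (binascii.Error)
        raise ValueError("malformed token") from exc
    if not hmac.compare_digest(hmac.new(key, body, hashlib.sha256).digest(), tag):
        raise ValueError("bad signature")
    claims = json.loads(body)
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise ValueError("expired")
    return claims


def token_exchange(form: dict, now: Optional[float] = None) -> dict:
    """Hypothetical AS token endpoint for one token-exchange request (RFC 8693 parameter
    names). Returns a token response dict, or an OAuth error dict."""
    now = time.time() if now is None else now
    if form.get("grant_type") != TOKEN_EXCHANGE_GRANT:
        return {"error": "unsupported_grant_type"}
    try:
        subject = verify_token(form["subject_token"], now=now)  # the user's token
        actor = verify_token(form["actor_token"], now=now)      # the edge RS's own credential
    except (KeyError, ValueError):
        return {"error": "invalid_grant"}
    # The subject token must have been issued to the RS presenting it; otherwise anyone holding
    # a leaked token for some other service could launder it into a token for a new audience.
    if "sub" not in subject or not actor.get("sub") or subject.get("aud") != actor["sub"]:
        return {"error": "invalid_grant", "error_description": "subject token not issued to actor"}
    audience = form.get("audience")
    allowed = DELEGATION_POLICY.get(actor["sub"], {}).get(audience)
    if allowed is None:
        return {"error": "invalid_target"}
    requested = set(form.get("scope", " ".join(allowed)).split())
    # Never widen: only scopes the user granted, the policy allows and the caller asked for.
    granted = requested & allowed & set(subject.get("scope", "").split())
    if not granted:
        return {"error": "invalid_scope"}
    act = {"sub": actor["sub"]}
    if "act" in subject:  # earlier hops stay visible, nested the way RFC 8693 nests "act"
        act["act"] = subject["act"]
    exp = min(subject["exp"], now + 300)  # the downstream token never outlives the original
    new_claims = {"sub": subject["sub"], "aud": audience, "scope": " ".join(sorted(granted)),
                  "act": act, "exp": exp}
    return {"access_token": mint_token(new_claims), "issued_token_type": ACCESS_TOKEN_TYPE,
            "token_type": "Bearer", "expires_in": int(exp - now), "scope": new_claims["scope"]}


def demo(now: float = 1_700_000_000.0) -> dict:
    """End-to-end run on constructed tokens: alice's token for the edge RS is swapped for a
    read-only token addressed to photos.example."""
    user_token = mint_token({"sub": "alice", "aud": "edge.example",
                             "scope": "photos:read photos:write", "exp": now + 3600})
    edge_token = mint_token({"sub": "edge.example", "aud": "as.example", "exp": now + 86400})
    return token_exchange({
        "grant_type": TOKEN_EXCHANGE_GRANT,
        "subject_token": user_token, "subject_token_type": ACCESS_TOKEN_TYPE,
        "actor_token": edge_token, "actor_token_type": ACCESS_TOKEN_TYPE,
        "audience": "photos.example", "scope": "photos:read photos:write",
    }, now=now)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two points in the thread show up directly in the code: every hop is a round trip to the AS and a MAC verification there (the load and latency cost Bill raises), and the AS is the one place that can enforce the audience binding, the scope narrowing and the `act` chain (the policy centralisation Justin is after). The exchanged token carries the user as `sub` and the edge RS as `act`, so the downstream RS can tell delegated access from direct access.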