Re: [OAUTH-WG] [token-exchange] exchanging between issuers/domains

2017-08-05 Thread Benjamin Kaduk
On Fri, Aug 04, 2017 at 03:36:10PM +0200, Denis wrote: > > Before writing an individual draft, there needs to be a general > agreement within the WG to consider such a work item as valuable. Anyone can write an individual draft at any[1] time. Having thoughts specified in a concrete proposed sp

Re: [OAUTH-WG] [token-exchange] exchanging between issuers/domains

2017-08-04 Thread Denis
Phil, My comments are in-line too. inline... Phil Oracle Corporation, Identity Cloud Services Architect & Standards @independentid www.independentid.com phil.h...@oracle.com On Aug 1, 2017, at 12:56 PM, Denis

Re: [OAUTH-WG] [token-exchange] exchanging between issuers/domains

2017-08-01 Thread Phil Hunt
inline... Phil Oracle Corporation, Identity Cloud Services Architect & Standards @independentid www.independentid.com phil.h...@oracle.com > On Aug 1, 2017, at 12:56 PM, Denis wrote: > > Phil, > > Originally, with OAuth the AS and th

Re: [OAUTH-WG] [token-exchange] exchanging between issuers/domains

2017-08-01 Thread Brian Campbell
That access tokens aren't always JWTs means that JWT claims or headers cannot be relied on to figure out the issuer of an arbitrary access token. So it's not viable. That was what I was trying to convey as an answer to the various points and questions you made that were in any way related to the or

Re: [OAUTH-WG] [token-exchange] exchanging between issuers/domains

2017-08-01 Thread Denis
Phil, Originally, with OAuth the AS and the RS were co-located. Many additional RFCs made extensions and this assumption is no longer valid. draft-ietf-oauth-token-exchange-09 is now opening a Pandora's box where an even more complex situation is envisaged (without explicitly stating it) there wo

Re: [OAUTH-WG] [token-exchange] exchanging between issuers/domains

2017-08-01 Thread Denis
Brian, JWT (which is RFC 7519, not 7515) does define the common/major fields of a JWT. But access tokens aren't necessarily JWTs. Beyond this comment, would you be able to answer the various points and questions ra

Re: [OAUTH-WG] [token-exchange] exchanging between issuers/domains

2017-08-01 Thread Phil Hunt
Denis, Why is privacy a concern? OAuth is designed to have the Authorization Server be the issuer of tokens for a specific set of resource servers. The AS represents users on the Resource server. It does not represent users of the client - though they are often the same physical person, they

Re: [OAUTH-WG] [token-exchange] exchanging between issuers/domains

2017-08-01 Thread Brian Campbell
JWT (which is RFC 7519, not 7515) does define the common/major fields of a JWT. But access tokens aren't necessarily JWTs. On Tue, Aug 1, 2017 at 4:53 AM, Denis wrote: > Hello Brian, > > I don't think that's what I'm sayi

Re: [OAUTH-WG] [token-exchange] exchanging between issuers/domains

2017-08-01 Thread Denis
Hello Brian, I don't think that's what I'm saying. Some of these concepts are difficult to reason about on a mailing list so I apologize for any miss or poor communication. When requesting a token, the resource or audience parameter can be used to indicate the target service where the client

Re: [OAUTH-WG] [token-exchange] exchanging between issuers/domains

2017-07-31 Thread Brian Campbell
I don't think that's what I'm saying. Some of these concepts are difficult to reason about on a mailing list so I apologize for any miss or poor communication. When requesting a token, the resource or audience parameter can be used to indicate the target service where the client intends to use the

Re: [OAUTH-WG] [token-exchange] exchanging between issuers/domains

2017-07-29 Thread Bill Burke
So, you're saying the STS has to define a subject_type for each external token the client wants to exchange from? A type that is potentially proprietary and different between each and every STS? On the opposite end, when you want to convert to an external token, the STS either has 3 options fo

Re: [OAUTH-WG] [token-exchange] exchanging between issuers/domains

2017-07-28 Thread Brian Campbell
The urn:ietf:params:oauth:token-type:access_token type is an "indicator that the token is a typical OAuth access token issued by the authorization server in question" (see near the end of section 3) so the issuer is the give

Re: [OAUTH-WG] [token-exchange] exchanging between issuers/domains

2017-07-28 Thread Bill Burke
Thanks for replying, The Introduction of the spec implies that inter-security-domain exchange is supported: " A Security Token Service (STS) is a service capable of validating and issuing security tokens, which enables clients to obtain appropriate access credentials for resources in he

Re: [OAUTH-WG] [token-exchange] exchanging between issuers/domains

2017-07-28 Thread Brian Campbell
In general, an instance of an AS/STS can only issue tokens from itself. The audience/resource parameters tell the AS/STS where the requested token will be used, which will influence the audience of the token (and maybe other aspects). But the issuer of the requested token will be the AS/STS that is

Re: [OAUTH-WG] [token-exchange] exchanging between issuers/domains

2017-07-28 Thread Bill Burke
Should probably have a "subject_issuer" and "actor_issuer" as well as the "requested_issuer" too. FYI, I'm actually applying this spec to write a token exchange service to connect various product stacks that have different and often proprietary token formats and architectures. On 7/26/17 6:

[OAUTH-WG] [token-exchange] exchanging between issuers/domains

2017-07-26 Thread Bill Burke
Hi all, I'm looking at Draft 9 of the token-exchange spec. How would one build a request to: * exchange a token issued by a different domain to a client managed by the authorization server. * exchange a token issued by the authorization server (the STS) for a token of a different issuer a