On Thu, Nov 5, 2009 at 10:20 PM, Eran Hammer-Lahav <eran at hueniverse.com> wrote:
We need to stop using this term (2-legged) and instead
describe the exact use case. This term can mean using OAuth without
user-context but in an overall scenario where there still is a user (for
example, a server offering both protected resources APIs as well as client
admin APIs that are not specific to any resource owner). It can also be used to
mean using OAuth as a more secure replacement for Basic auth in which the
username and password are sent as the client credentials (and no token).
We are going to address the second case by providing a new direct
authentication method modeled after whatever we come up with for the token-based
case (or delegation, whatever we call it) - somehow...
I am not sure what to do about the first case yet, but it will need to be
resolved as part of the delegation flow for sending authenticated requests to
obtain a token when there is still no token present.
> Of John Panzer
> Sent: Thursday, November 05, 2009 9:53 PM
> To: Brian Eaton
> Cc: oauth at ietf.org
> Subject: Re: [OAUTH-WG] RSA signing and web delegation
>
> What about 2-legged OAuth?
>
> On Thursday, November 5, 2009, Brian Eaton <beaton at google.com> wrote:
> > I spent a bit of time today wondering how to integrate RSA signing in
> > OAuth (which has obvious key distribution advantages) with requests
> > that only send access tokens (which has obvious usability
> advantages).
> >
> > The only way I can think of to resolve these conflicts goes like
> this:
> >
> > 1) Initial requests for user approval (using the web delegation flow)
> > are signed using RSA.
> >
> > 2) Data requests are either not signed, or are signed only with the
> > token secret using HMAC.
> >
> > 3) Requests to renew access tokens (if we adopt something like the
> > scalable OAuth extension) are again signed using RSA.
> >
> > Thoughts?
> >
> > Cheers,
> > Brian
> > _______________________________________________
> > OAuth mailing list
> > OAuth at ietf.org
> > https://www.ietf.org/mailman/listinfo/oauth
> >
>
> --
> John Panzer / Google
> jpanzer at google.com / abstractioneer.org / @jpanzer
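The two signing situations the thread contrasts, worked through in code. This is an added example written for this page; it is not code from the list, from any participant, or from the OAuth specification itself. It implements OAuth 1.0 HMAC-SHA1 signing over the signature base string (method, normalized URI, normalized parameters): once in the "2-legged" form Eran describes (client credentials only, no token, so the HMAC key is the client secret followed by a bare "&"), and once in the token-bearing form of Brian's step 2, where the token secret is appended to the key. The server side looks the secrets up by client key and token, so a request that names a token the server does not know, or was signed without that token's secret, is rejected. The RSA-SHA1 signatures of Brian's steps 1 and 3 sign the same base string with the client's RSA private key; they are not implemented here because the Python standard library has no RSA. All credentials, nonces and URLs below are constructed for the example.

```python
"""OAuth 1.0 HMAC-SHA1 signing with and without a token (constructed example, not spec or list code)."""
import base64
import hashlib
import hmac
import re
from urllib.parse import parse_qsl, quote, unquote, urlsplit


def pct(value):
    """RFC 3986 percent-encoding as OAuth 1.0 requires: only ALPHA, DIGIT, '-', '.', '_', '~' are left bare."""
    return quote(str(value), safe="~")


def base_string_uri(url):
    """Scheme and host lowercased, default ports dropped, query and fragment removed."""
    u = urlsplit(url)
    scheme, host, port = u.scheme.lower(), u.hostname.lower(), u.port
    if port and not ((scheme == "http" and port == 80) or (scheme == "https" and port == 443)):
        host = f"{host}:{port}"
    return f"{scheme}://{host}{u.path}"


def signature_base_string(method, url, oauth_params, body_params=()):
    """METHOD & encoded URI & encoded normalized parameters (query, body and oauth_* except the signature)."""
    params = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    params += list(body_params)
    params += [(k, v) for k, v in oauth_params.items() if k != "oauth_signature"]
    # Encode first, then sort by encoded key and value, then join.
    normalized = "&".join(f"{k}={v}" for k, v in sorted((pct(k), pct(v)) for k, v in params))
    return "&".join([method.upper(), pct(base_string_uri(url)), pct(normalized)])


def signing_key(client_secret, token_secret=""):
    """HMAC key is 'client_secret&token_secret'; a 2-legged request has no token, so the key ends in '&'."""
    return f"{pct(client_secret)}&{pct(token_secret)}"


def hmac_sha1(base_string, client_secret, token_secret=""):
    mac = hmac.new(signing_key(client_secret, token_secret).encode(), base_string.encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()


def sign_request(method, url, client_key, client_secret, nonce, timestamp,
                 token=None, token_secret="", body_params=()):
    """Client side: build the oauth_* parameters and the Authorization header (2-legged when token is None)."""
    oauth = {
        "oauth_consumer_key": client_key,
        "oauth_nonce": nonce,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp),
    }
    if token is not None:
        oauth["oauth_token"] = token
    base = signature_base_string(method, url, oauth, body_params)
    oauth["oauth_signature"] = hmac_sha1(base, client_secret, token_secret)
    return "OAuth " + ", ".join(f'{k}="{pct(v)}"' for k, v in oauth.items())


def parse_authorization(header):
    """Server side: pull oauth_* parameters out of the header; realm is not part of the signature."""
    assert header.startswith("OAuth ")
    return {k: unquote(v) for k, v in re.findall(r'(\w+)="([^"]*)"', header[6:]) if k != "realm"}


def verify_request(method, url, header, client_secrets, token_secrets, body_params=()):
    """Server side: look up secrets by client key and token, recompute, compare in constant time."""
    oauth = parse_authorization(header)
    client_secret = client_secrets.get(oauth.get("oauth_consumer_key"))
    if client_secret is None or oauth.get("oauth_signature_method") != "HMAC-SHA1":
        return False
    token_secret = ""
    if "oauth_token" in oauth:  # token-bearing request: the token must be one this server issued
        token_secret = token_secrets.get(oauth["oauth_token"])
        if token_secret is None:
            return False
    expected = hmac_sha1(signature_base_string(method, url, oauth, body_params), client_secret, token_secret)
    return hmac.compare_digest(expected, oauth.get("oauth_signature", ""))


if __name__ == "__main__":
    # Constructed credentials for the demo: one client, one access token it holds.
    clients = {"dpf43f3p2l4k3l03": "kd94hf93k423kf44"}
    tokens = {"nnch734d00sl2jdk": "pfkkdhi9sl3r4s00"}
    # 2-legged: a client-admin API call with no resource owner involved.
    admin = sign_request("GET", "http://example.com/admin/clients?page=2",
                         "dpf43f3p2l4k3l03", "kd94hf93k423kf44", "kllo9940pd9333jh", 1191242096)
    print(admin)
    print("admin request verifies:", verify_request("GET", "http://example.com/admin/clients?page=2",
                                                    admin, clients, tokens))
    # Token-bearing data request: key now includes the token secret.
    data = sign_request("POST", "http://example.com/photos", "dpf43f3p2l4k3l03", "kd94hf93k423kf44",
                        "n1", 1191242096, token="nnch734d00sl2jdk", token_secret="pfkkdhi9sl3r4s00",
                        body_params=[("file", "vacation.jpg")])
    print("data request verifies:", verify_request("POST", "http://example.com/photos", data, clients,
                                                   tokens, body_params=[("file", "vacation.jpg")]))
```

The two cases differ only in the signing key, which is why the thread's ambiguity matters: a server that accepts the client-secret-only key on token-bearing endpoints has silently turned every token request into a 2-legged one. Replay protection (nonce and timestamp tracking) is deliberately left out of `verify_request`; a real resource server needs it in addition to the signature check.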