IETF Logo Mail Archive

Re: [OAUTH-WG] issuing multiple tokens

Justin Richer <jricher@mitre.org> Fri, 17 June 2011 13:46 UTC

Return-Path: <jricher@mitre.org>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A470E11E80B9 for <oauth@ietfa.amsl.com>; Fri, 17 Jun 2011 06:46:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.435
X-Spam-Level:
X-Spam-Status: No, score=-6.435 tagged_above=-999 required=5 tests=[AWL=0.163, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gVS+a4cN7RZy for <oauth@ietfa.amsl.com>; Fri, 17 Jun 2011 06:46:18 -0700 (PDT)
Received: from smtpksrv1.mitre.org (smtpksrv1.mitre.org [198.49.146.77]) by ietfa.amsl.com (Postfix) with ESMTP id 0629111E80A4 for <oauth@ietf.org>; Fri, 17 Jun 2011 06:46:17 -0700 (PDT)
Received: from smtpksrv1.mitre.org (localhost.localdomain [127.0.0.1]) by localhost (Postfix) with SMTP id BFF9421B0BFF for <oauth@ietf.org>; Fri, 17 Jun 2011 09:46:14 -0400 (EDT)
Received: from imchub1.MITRE.ORG (imchub1.mitre.org [129.83.29.73]) by smtpksrv1.mitre.org (Postfix) with ESMTP id AFD6F21B0BEC for <oauth@ietf.org>; Fri, 17 Jun 2011 09:46:14 -0400 (EDT)
Received: from [172.31.4.213] (172.31.4.213) by imchub1.MITRE.ORG (129.83.29.73) with Microsoft SMTP Server (TLS) id 8.3.159.2; Fri, 17 Jun 2011 09:46:14 -0400
Message-ID: <4DFB5AA6.7040706@mitre.org>
Date: Fri, 17 Jun 2011 09:46:14 -0400
From: Justin Richer <jricher@mitre.org>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.17) Gecko/20110414 Thunderbird/3.1.10
MIME-Version: 1.0
To: oauth@ietf.org
References: <DDDF3DB6-03F5-464B-92F1-14F059C97A6D@mac.com> <4DF3198C.8080901@lodderstedt.net> <4DF64BF3.7010602@alcatel-lucent.com> <255B9BB34FB7D647A506DC292726F6E112869E4184@WSMSG3153V.srv.dir.telstra.com> <E0255DB9-B676-4B5A-913C-4472FF3CEE35@oracle.com> <90C41DD21FB7C64BB94121FBBC2E7234475E986C38@P3PW5EX1MB01.EX1.SECURESERVER.NET> <1308266617.96163.YahooMailNeo@web31811.mail.mud.yahoo.com>
In-Reply-To: <1308266617.96163.YahooMailNeo@web31811.mail.mud.yahoo.com>
Content-Type: multipart/alternative; boundary="------------050701080800080507000904"
Subject: Re: [OAUTH-WG] issuing multiple tokens
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 17 Jun 2011 13:46:19 -0000

I completely agree that the single-token case needs to be left alone, 
and I rather like this idea. The AS would return something like:

{
  access_token: [
     {
       access_token: "1234656",
       expires_in: 3600,
       token_type: bearer
     },
     {
       access_token: "abcdefg",
       expires_in: 3600,
       token_type: MAC,
       mac_stuff: "goes_here"
     }
   ],
   token_type: multiple
}

This would not only let clients who are doing the common one-token flow 
ignore the "multiple" token type, it would also allow for re-use of 
token storage libraries for the inner token bits. And you could go crazy 
and pass a multiple token full of multiple tokens, too. It's turtles all 
the way down!

  -- Justin

On 6/16/2011 7:23 PM, William J. Mills wrote:
> Probably defining a token type of "multiple_tokens" would be my 
> preference, and if you get that back then you have to parse an array 
> of {type, token}*.  What that array looks like could be JSON in the 
> payload, or something else.  That leaves the single token use case alone.
>
> ------------------------------------------------------------------------
> *From:* Eran Hammer-Lahav <eran@hueniverse.com>
> *To:* Phil Hunt <phil.hunt@oracle.com>; "Manger, James H" 
> <James.H.Manger@team.telstra.com>
> *Cc:* OAuth WG <oauth@ietf.org>
> *Sent:* Wednesday, June 15, 2011 10:46 PM
> *Subject:* Re: [OAUTH-WG] issuing multiple tokens
>
> It is not an important enough feature. Parsing an array response when 
> 99.99% will be a single object array is annoying. Also, what would you 
> return in case of error? A single object? What is the client supposed 
> to do if it gets an empty array? Array with more than one token?
>
> *This* would be the hack... If this is something people want to 
> deploy, a full proposal end-to-end is required. And not now.
>
> EHL
>
>
> > -----Original Message-----
> > From: oauth-bounces@ietf.org <mailto:oauth-bounces@ietf.org> 
> [mailto:oauth-bounces@ietf.org <mailto:oauth-bounces@ietf.org>] On Behalf
> > Of Phil Hunt
> > Sent: Wednesday, June 15, 2011 10:40 PM
> > To: Manger, James H
> > Cc: OAuth WG
> > Subject: Re: [OAUTH-WG] issuing multiple tokens
> >
> > +1
> >
> > Phil
> >
> > @independentid
> > www.independentid.com <http://www.independentid.com>
> > phil.hunt@oracle.com <mailto:phil.hunt@oracle.com>
> >
> >
> >
> >
> >
> > On 2011-06-15, at 10:01 PM, Manger, James H wrote:
> >
> > > Torsten Lodderstedt needs to issue multiple tokens; Igor Faynberg 
> said +1
> > to that; John Bradley identified that OpenID Connect needs to request
> > multiple tokens; Eran Hammer-Lahav even mentioned a no-token flow as
> > something that could make sense; ...
> > >
> > > Issuing 0, 1 or more tokens looks like an important enough feature 
> to fix
> > now, instead of trying to hack it in after the spec is finalised.
> > >
> > >
> > > Changing the access token response [5.1] to be a JSON array of JSON
> > objects (one JSON object per issued token) seems like a simple way 
> to get
> > this important functionality -- with very limited overhead for 
> services that will
> > only ever issue a single token, and client written just for those 
> services.
> > >
> > > P.S. Does Facebook return a JSON object for its access token 
> response (as
> > in draft-ietf-oauth-v2-12 that they reference), or x-www-form-urlencoded
> > as the example at http://developers.facebook.com/docs/authentication/
> > implies [4th screen shot down]?
> > >
> > > --
> > > James Manger
> > >
> > >
> > > Eran said (on a different thread):
> > >
> > > ...if the client can authenticate with the authorization server. 
> Why not just
> > include the client identifier and user identifier and let the 
> authorization
> > server lookup what the user already authorized?
> > >
> > >
> > > Igor Faynberg wrote:
> > >
> > > +1
> > >
> > > Torsten Lodderstedt wrote:
> > >> Hi,
> > >>
> > >> I also see the need to request and issue multiple tokens in a single
> > >> authorization process. There has already been some discussion about
> > >> this topic roughly a year ago:
> > >> - http://www.ietf.org/mail-archive/web/oauth/current/msg02688.html.
> > >> - http://www.ietf.org/mail-archive/web/oauth/current/msg03639.html
> > >>
> > >> We at Deutsche Telekom have implemented an OAuth 2.0 extension
> > >> supporting that use case. It's called "bulk authorization".
> > >>
> > >> Would that be an interessting topic we could discuss at IETF-81 for
> > >> the re-chartering?  I could present our approach there.
> > >>
> > >> regards,
> > >> Torsten.
> > >
> > >> Am 10.06.2011 21:08, schrieb John Bradley:
> > >>> We have identified the need to request multiple tokens as one issue
> > >>> that we would have to extend.
> > > _______________________________________________
> > > OAuth mailing list
> > > OAuth@ietf.org <mailto:OAuth@ietf.org>
> > > https://www.ietf.org/mailman/listinfo/oauth
> >
> > _______________________________________________
> > OAuth mailing list
> > OAuth@ietf.org <mailto:OAuth@ietf.org>
> > https://www.ietf.org/mailman/listinfo/oauth
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org <mailto:OAuth@ietf.org>
> https://www.ietf.org/mailman/listinfo/oauth
>
>

v2.23.0 | Report a Bug | By Email