Re: [OAUTH-WG] issuing multiple tokens
Justin Richer <jricher@mitre.org> Fri, 17 June 2011 13:46 UTC
Return-Path: <jricher@mitre.org>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A470E11E80B9 for <oauth@ietfa.amsl.com>; Fri, 17 Jun 2011 06:46:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.435
X-Spam-Level:
X-Spam-Status: No, score=-6.435 tagged_above=-999 required=5 tests=[AWL=0.163, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gVS+a4cN7RZy for <oauth@ietfa.amsl.com>; Fri, 17 Jun 2011 06:46:18 -0700 (PDT)
Received: from smtpksrv1.mitre.org (smtpksrv1.mitre.org [198.49.146.77]) by ietfa.amsl.com (Postfix) with ESMTP id 0629111E80A4 for <oauth@ietf.org>; Fri, 17 Jun 2011 06:46:17 -0700 (PDT)
Received: from smtpksrv1.mitre.org (localhost.localdomain [127.0.0.1]) by localhost (Postfix) with SMTP id BFF9421B0BFF for <oauth@ietf.org>; Fri, 17 Jun 2011 09:46:14 -0400 (EDT)
Received: from imchub1.MITRE.ORG (imchub1.mitre.org [129.83.29.73]) by smtpksrv1.mitre.org (Postfix) with ESMTP id AFD6F21B0BEC for <oauth@ietf.org>; Fri, 17 Jun 2011 09:46:14 -0400 (EDT)
Received: from [172.31.4.213] (172.31.4.213) by imchub1.MITRE.ORG (129.83.29.73) with Microsoft SMTP Server (TLS) id 8.3.159.2; Fri, 17 Jun 2011 09:46:14 -0400
Message-ID: <4DFB5AA6.7040706@mitre.org>
Date: Fri, 17 Jun 2011 09:46:14 -0400
From: Justin Richer <jricher@mitre.org>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.17) Gecko/20110414 Thunderbird/3.1.10
MIME-Version: 1.0
To: oauth@ietf.org
References: <DDDF3DB6-03F5-464B-92F1-14F059C97A6D@mac.com> <4DF3198C.8080901@lodderstedt.net> <4DF64BF3.7010602@alcatel-lucent.com> <255B9BB34FB7D647A506DC292726F6E112869E4184@WSMSG3153V.srv.dir.telstra.com> <E0255DB9-B676-4B5A-913C-4472FF3CEE35@oracle.com> <90C41DD21FB7C64BB94121FBBC2E7234475E986C38@P3PW5EX1MB01.EX1.SECURESERVER.NET> <1308266617.96163.YahooMailNeo@web31811.mail.mud.yahoo.com>
In-Reply-To: <1308266617.96163.YahooMailNeo@web31811.mail.mud.yahoo.com>
Content-Type: multipart/alternative; boundary="------------050701080800080507000904"
Subject: Re: [OAUTH-WG] issuing multiple tokens
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 17 Jun 2011 13:46:19 -0000
I completely agree that the single-token case needs to be left alone, and I rather like this idea. The AS would return something like: { access_token: [ { access_token: "1234656", expires_in: 3600, token_type: bearer }, { access_token: "abcdefg", expires_in: 3600, token_type: MAC, mac_stuff: "goes_here" } ], token_type: multiple } This would not only let clients who are doing the common one-token flow ignore the "multiple" token type, it would also allow for re-use of token storage libraries for the inner token bits. And you could go crazy and pass a multiple token full of multiple tokens, too. It's turtles all the way down! -- Justin On 6/16/2011 7:23 PM, William J. Mills wrote: > Probably defining a token type of "multiple_tokens" would be my > preference, and if you get that back then you have to parse an array > of {type, token}*. What that array looks like could be JSON in the > payload, or something else. That leaves the single token use case alone. > > ------------------------------------------------------------------------ > *From:* Eran Hammer-Lahav <eran@hueniverse.com> > *To:* Phil Hunt <phil.hunt@oracle.com>; "Manger, James H" > <James.H.Manger@team.telstra.com> > *Cc:* OAuth WG <oauth@ietf.org> > *Sent:* Wednesday, June 15, 2011 10:46 PM > *Subject:* Re: [OAUTH-WG] issuing multiple tokens > > It is not an important enough feature. Parsing an array response when > 99.99% will be a single object array is annoying. Also, what would you > return in case of error? A single object? What is the client supposed > to do if it gets an empty array? Array with more than one token? > > *This* would be the hack... If this is something people want to > deploy, a full proposal end-to-end is required. And not now. > > EHL > > > > -----Original Message----- > > From: oauth-bounces@ietf.org <mailto:oauth-bounces@ietf.org> > [mailto:oauth-bounces@ietf.org <mailto:oauth-bounces@ietf.org>] On Behalf > > Of Phil Hunt > > Sent: Wednesday, June 15, 2011 10:40 PM > > To: Manger, James H > > Cc: OAuth WG > > Subject: Re: [OAUTH-WG] issuing multiple tokens > > > > +1 > > > > Phil > > > > @independentid > > www.independentid.com <http://www.independentid.com> > > phil.hunt@oracle.com <mailto:phil.hunt@oracle.com> > > > > > > > > > > > > On 2011-06-15, at 10:01 PM, Manger, James H wrote: > > > > > Torsten Lodderstedt needs to issue multiple tokens; Igor Faynberg > said +1 > > to that; John Bradley identified that OpenID Connect needs to request > > multiple tokens; Eran Hammer-Lahav even mentioned a no-token flow as > > something that could make sense; ... > > > > > > Issuing 0, 1 or more tokens looks like an important enough feature > to fix > > now, instead of trying to hack it in after the spec is finalised. > > > > > > > > > Changing the access token response [5.1] to be a JSON array of JSON > > objects (one JSON object per issued token) seems like a simple way > to get > > this important functionality -- with very limited overhead for > services that will > > only ever issue a single token, and client written just for those > services. > > > > > > P.S. Does Facebook return a JSON object for its access token > response (as > > in draft-ietf-oauth-v2-12 that they reference), or x-www-form-urlencoded > > as the example at http://developers.facebook.com/docs/authentication/ > > implies [4th screen shot down]? > > > > > > -- > > > James Manger > > > > > > > > > Eran said (on a different thread): > > > > > > ...if the client can authenticate with the authorization server. > Why not just > > include the client identifier and user identifier and let the > authorization > > server lookup what the user already authorized? > > > > > > > > > Igor Faynberg wrote: > > > > > > +1 > > > > > > Torsten Lodderstedt wrote: > > >> Hi, > > >> > > >> I also see the need to request and issue multiple tokens in a single > > >> authorization process. There has already been some discussion about > > >> this topic roughly a year ago: > > >> - http://www.ietf.org/mail-archive/web/oauth/current/msg02688.html. > > >> - http://www.ietf.org/mail-archive/web/oauth/current/msg03639.html > > >> > > >> We at Deutsche Telekom have implemented an OAuth 2.0 extension > > >> supporting that use case. It's called "bulk authorization". > > >> > > >> Would that be an interessting topic we could discuss at IETF-81 for > > >> the re-chartering? I could present our approach there. > > >> > > >> regards, > > >> Torsten. > > > > > >> Am 10.06.2011 21:08, schrieb John Bradley: > > >>> We have identified the need to request multiple tokens as one issue > > >>> that we would have to extend. > > > _______________________________________________ > > > OAuth mailing list > > > OAuth@ietf.org <mailto:OAuth@ietf.org> > > > https://www.ietf.org/mailman/listinfo/oauth > > > > _______________________________________________ > > OAuth mailing list > > OAuth@ietf.org <mailto:OAuth@ietf.org> > > https://www.ietf.org/mailman/listinfo/oauth > _______________________________________________ > OAuth mailing list > OAuth@ietf.org <mailto:OAuth@ietf.org> > https://www.ietf.org/mailman/listinfo/oauth > >
- Re: [OAUTH-WG] Proposed OAuth Extensions Barry Leiba
- [OAUTH-WG] Proposed OAuth Extensions Paul Tarjan
- Re: [OAUTH-WG] Proposed OAuth Extensions Shane B Weeden
- Re: [OAUTH-WG] Proposed OAuth Extensions John Bradley
- Re: [OAUTH-WG] Proposed OAuth Extensions Torsten Lodderstedt
- Re: [OAUTH-WG] Proposed OAuth Extensions Igor Faynberg
- Re: [OAUTH-WG] Proposed OAuth Extensions Igor Faynberg
- Re: [OAUTH-WG] Proposed OAuth Extensions Barry Leiba
- Re: [OAUTH-WG] Proposed OAuth Extensions Stephen Farrell
- [OAUTH-WG] issuing multiple tokens Manger, James H
- Re: [OAUTH-WG] issuing multiple tokens Eran Hammer-Lahav
- Re: [OAUTH-WG] issuing multiple tokens Phil Hunt
- Re: [OAUTH-WG] issuing multiple tokens Eran Hammer-Lahav
- Re: [OAUTH-WG] issuing multiple tokens Phil Hunt
- Re: [OAUTH-WG] issuing multiple tokens William J. Mills
- Re: [OAUTH-WG] issuing multiple tokens Manger, James H
- Re: [OAUTH-WG] issuing multiple tokens Eran Hammer-Lahav
- Re: [OAUTH-WG] issuing multiple tokens Torsten Lodderstedt
- Re: [OAUTH-WG] issuing multiple tokens Eran Hammer-Lahav
- Re: [OAUTH-WG] issuing multiple tokens Justin Richer
- Re: [OAUTH-WG] issuing multiple tokens David Recordon
- Re: [OAUTH-WG] issuing multiple tokens Justin Richer
- Re: [OAUTH-WG] issuing multiple tokens Phil Hunt
- Re: [OAUTH-WG] issuing multiple tokens William J. Mills
- Re: [OAUTH-WG] issuing multiple tokens Phil Hunt
- Re: [OAUTH-WG] issuing multiple tokens Marius Scurtescu
- Re: [OAUTH-WG] issuing multiple tokens Torsten Lodderstedt