[Idel-wg] Mike Jones: Working Group Draft for OAuth 2.0 Act-As and On-Behalf-Of

Mischa Salle msalle at nikhef.nl
Tue Sep 16 09:21:58 EDT 2014


Hi Paul, others,

On Mon, Aug 25, 2014 at 03:49:56PM +0200, Paul Millar wrote:
> Hi Alan,
> 
> On 25/08/14 07:13, Sill, Alan wrote:
> >Thought you would be interested in the following link, from the blog
> >of Mike Jones of Microsoft.
> >
> >Topic: There's now an OAuth working group draft of the OAuth 2.0
> >Token Exchange specification, which provides Act-As and On-Behalf-Of
> >functionality for OAuth 2.0. This functionality is deliberately
> >modelled on the same functionality present in WS-Trust.
> 
> Interesting, although (to me) a little odd: OAuth is already about
> delegation, so providing a delegation framework within a delegation
> framework seems redundant.
>
> Another odd point is that the RP needs to know (a priori) the
> identity it wishes, which, in general, it doesn't (cf. OpenID
> Connect).
> 

Maybe I'm wrong, but I would think that an interesting use-case is
multi-step delegation. For single-step delegation standard OAuth 2.0 is
fine. But how should a resource server then do a further delegation
step, so RP-1 wants to request access to RP-2 on behalf of the user? It
could try to (mis)use the original token, but it's much better to
require a new token. That means it must request a token on behalf of the
original user. In that case, it would also know which identity to use,
right? Or do I misunderstand your second remark?

    Cheers,
    Mischa

> So, the use-case seems to be RP needs a credential (X.509, Kerberos,
> ...) to communicate with some server that doesn't support OAuth but
> trusts the server issuing the credential --- perhaps for legacy
> services or ones that don't provide a web front-end?
> 
> Anyhow, thanks for the pointer.
> 
> Cheers,
> 
> Paul.
> _______________________________________________
> Idel-wg mailing list
> Idel-wg at ogf.org
> https://www.ogf.org/mailman/listinfo/idel-wg

-- 
Nikhef                      Room  H155
Science Park 105            Tel.  +31-20-592 5102
1098 XG Amsterdam           Fax   +31-20-592 5155
The Netherlands             Email msalle at nikhef.nl
  __ .. ... _._. .... ._  ... ._ ._.. ._.. .._..
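The two-hop scenario Mischa describes (RP-1 holds a token the user obtained for it, and needs a fresh token to call RP-2 on the user's behalf rather than reusing the original one) can be modelled end to end. The block below is an added example; it is not code from the thread, from the Token Exchange draft or from any of the participants. It uses the parameter and claim names the draft was later standardized with in RFC 8693 (grant_type urn:ietf:params:oauth:grant-type:token-exchange, subject_token, actor_token, audience, and the "act" claim), and it simulates the authorization server, both resource servers and HS256 JWT signing in-process with a constructed shared key. The identifiers alice, rp-1, rp-2 and https://as.example are assumptions for illustration.

```python
# Added example: in-process model of OAuth 2.0 Token Exchange for two-hop delegation.
# AS, RP-1 and RP-2 are all simulated here; the key below is constructed for the demo.
import base64
import hashlib
import hmac
import json
import time

AS_KEY = b"constructed-shared-secret"      # constructed; stands in for the AS signing key
TOKEN_EXCHANGE = "urn:ietf:params:oauth:grant-type:token-exchange"
JWT_TYPE = "urn:ietf:params:oauth:token-type:jwt"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_jwt(claims: dict, key: bytes = AS_KEY) -> str:
    """Mint a compact HS256 JWT with the standard library only."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64(sig)}"


def verify_jwt(token: str, key: bytes = AS_KEY) -> dict:
    """Constant-time HMAC check plus expiry check; returns the claims."""
    header, body, sig = token.split(".")
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64(body))
    if claims.get("exp", 0) < time.time():
        raise ValueError("expired")
    return claims


def as_token_exchange(form: dict) -> dict:
    """AS side of the exchange: RP-1 presents the user's token (subject_token) and
    its own client token (actor_token) and asks for a token for RP-2 (audience).
    The new token keeps sub=user and records the delegation chain in 'act'."""
    if form.get("grant_type") != TOKEN_EXCHANGE:
        raise ValueError("unsupported_grant_type")
    subject = verify_jwt(form["subject_token"])
    actor = verify_jwt(form["actor_token"])
    # Only a token that was issued *to* the requesting actor may be exchanged onward.
    if subject["aud"] != actor["sub"]:
        raise ValueError("invalid_request: subject_token was not issued to this actor")
    new_claims = {
        "iss": "https://as.example",              # assumed issuer for the demo
        "sub": subject["sub"],                    # still the user
        "aud": form["audience"],                  # now RP-2
        "scope": form.get("scope", subject["scope"]),
        "exp": int(time.time()) + 300,
        "act": {"sub": actor["sub"]},             # RP-1 acting on behalf of the user
    }
    if "act" in subject:                          # nest earlier hops for longer chains
        new_claims["act"]["act"] = subject["act"]
    return {"access_token": sign_jwt(new_claims),
            "issued_token_type": JWT_TYPE, "token_type": "Bearer"}


def rs_accept(token: str, my_id: str) -> dict:
    """Resource-server check: signature, expiry and, crucially, audience."""
    claims = verify_jwt(token)
    if claims["aud"] != my_id:
        raise ValueError(f"token audience {claims['aud']!r} is not {my_id!r}")
    return claims


def delegation_demo() -> dict:
    """Run the two-hop scenario and return what RP-2 ends up seeing."""
    now = int(time.time())
    user_token = sign_jwt({"iss": "https://as.example", "sub": "alice",
                           "aud": "rp-1", "scope": "read", "exp": now + 300})
    rp1_token = sign_jwt({"iss": "https://as.example", "sub": "rp-1",
                          "aud": "https://as.example", "scope": "client",
                          "exp": now + 300})
    # Reusing the user's token directly against RP-2 must fail: wrong audience.
    try:
        rs_accept(user_token, "rp-2")
        reuse_rejected = False
    except ValueError:
        reuse_rejected = True
    # Instead RP-1 exchanges it for a fresh token whose audience is RP-2.
    resp = as_token_exchange({
        "grant_type": TOKEN_EXCHANGE,
        "subject_token": user_token, "subject_token_type": JWT_TYPE,
        "actor_token": rp1_token, "actor_token_type": JWT_TYPE,
        "audience": "rp-2", "scope": "read",
    })
    seen_by_rp2 = rs_accept(resp["access_token"], "rp-2")
    return {"reuse_rejected": reuse_rejected, "claims": seen_by_rp2}
```

Two checks in the model carry the security point of the thread: RP-2 rejects the original token because its audience is RP-1, so "(mis)using" it is not an option, and the AS only exchanges a subject_token whose audience matches the presenting actor, so RP-1 cannot launder a token that was issued to some other party. RP-2 still sees sub=alice, and the "act" claim tells it which intermediary acted, which is the information Paul's second remark asks about: the intermediary knows the identity because it is carried in the token it already holds.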