Sure - I will come up with draft proposal for this...

Thanks & regards,
-Prabath

On Wed, Apr 15, 2015 at 7:34 AM, Hannes Tschofenig <
[email protected]> wrote:

> Although I am not a huge fan of SOAP feel free to write a document and
> make it available to the group so that we can look at the details.
>
> On 04/15/2015 01:30 PM, Prabath Siriwardena wrote:
> > Hi Hannes,
> >
> > I still think its equally important to have a transport independent
> > binding ..
> >
> > If you look at the SOAP world, WS-Security is self-contained in the
> > message itself.. and SAML SOAP binding is also another example...
> >
> > Thanks & regards,
> > -Prabath
> >
> >
> > On Wed, Apr 15, 2015 at 1:16 AM, Hannes Tschofenig
> > <[email protected] <mailto:[email protected]>> wrote:
> >
> >     Hi Prabath,
> >
> >     the reason we have documents that describe the transport of bearer
> >     tokens/proof-of-possession tokens over the different transports is a
> >     task is more than just conveying a JWT over some protocol.
> >
> >     There are various documents that specify the transport of OAuth
> access
> >     tokens over some protocol:
> >
> >     * Bearer Tokens over HTTPS:
> >     https://tools.ietf.org/html/rfc6750
> >
> >     * Proof-of-Possession Tokens over TURN
> >     http://tools.ietf.org/html/draft-ietf-tram-turn-third-party-authz-13
> >
> >     * Bearer Tokens over SASL:
> >     https://tools.ietf.org/html/draft-ietf-kitten-sasl-oauth-19
> >
> >     * Bearer Tokens over CoAP:
> >     https://tools.ietf.org/html/draft-tschofenig-ace-oauth-bt-01
> >
> >     * OAuth over SIP:
> >     https://tools.ietf.org/html/draft-yusef-sipcore-sip-oauth-02
> >
> >     * Then, there is all the work on proof-of-possession tokens that
> >     requires thoughts on how to tie the access token to the request (see
> >     http://tools.ietf.org/html/draft-ietf-oauth-signed-http-request-01
> or
> >     token binding at
> >     https://tools.ietf.org/html/draft-ietf-tokbind-protocol-00)
> >
> >     If you look at these documents then you will see that the
> >     characteristics of the underlying protocol matter a lot from a
> security
> >     point of view. There are also encoding and discovery related aspects
> >     that need to be taken into account as well.
> >
> >     If someone wants to figure out how to carry OAuth access tokens over
> >     MQTT then they will have to figure out whether there are some
> additional
> >     considerations to take into account.
> >
> >     What we should probably doing in this group is to write a guidance
> >     document for using OAuth over <<foo>>.
> >
> >     Ciao
> >     Hannes
> >
> >     On 04/15/2015 12:02 AM, Prabath Siriwardena wrote:
> >     > It can be a JSON payload over JMS or even MQTT..
> >     >
> >     > I have seen some effort to create an MQTT binding for OAuth 2.0 -
> but
> >     > then again for each transport we need to have a binding..
> >     >
> >     > But - creating a message level binding would be much better IMHO..
> >     >
> >     > Thanks & regards,
> >     > -Prabath
> >     >
> >     > On Tue, Apr 14, 2015 at 2:55 PM, John Bradley <[email protected]
> <mailto:[email protected]>
> >     > <mailto:[email protected] <mailto:[email protected]>>> wrote:
> >     >
> >     >     Most of the pub sub things I have seen use HTTP transport.  Do
> you
> >     >     have a pointer to the protocol?
> >     >
> >     >>     On Apr 14, 2015, at 6:48 PM, Prabath Siriwardena <
> [email protected] <mailto:[email protected]>
> >     >>     <mailto:[email protected] <mailto:[email protected]>>> wrote:
> >     >>
> >     >>     Thanks John for the pointer - will have look..
> >     >>
> >     >>     I am looking this for a pub/sub scenario..  Having JWT binding
> >     >>     would benefit that..
> >     >>
> >     >>     Also - why I want access token to be inside a JWT is - when we
> >     >>     send a JSON payload in this case, we already have the JWT
> envelope
> >     >>     and the access token needs to be carried inside..
> >     >>
> >     >>     Thanks & regards,
> >     >>     -Prabath
> >     >>
> >     >>
> >     >>
> >     >>
> >     >>
> >     >>     On Tue, Apr 14, 2015 at 2:41 PM, John Bradley <
> [email protected] <mailto:[email protected]>
> >     >>     <mailto:[email protected] <mailto:[email protected]>>> wrote:
> >     >>
> >     >>         There is a OAuth binding to
> >     >>         SASL
> https://tools.ietf.org/html/draft-ietf-kitten-sasl-oauth-19
> >     >>
> >     >>         Google supports it for IMAP/SMTP,  I think the latest iOS
> and
> >     >>         OSX mail client updates use it rather than passwords for
> Google.
> >     >>         I also noticed Outlook on Android using it.
> >     >>
> >     >>         The access token might be a signed or encrypted JWT
> itself.  I
> >     >>         don’t know that wrapping it again necessarily helps.
> >     >>
> >     >>         Yes we should have bindings to other non http protocols.
> >     >>
> >     >>         Is there something specific that you are looking for that
> is
> >     >>         not covered by SASL?
> >     >>
> >     >>         John B.
> >     >>
> >     >>
> >     >>
> >     >>>         On Apr 14, 2015, at 6:21 PM, Prabath Siriwardena
> >     >>>         <[email protected] <mailto:[email protected]> <mailto:
> [email protected]
> >     <mailto:[email protected]>>> wrote:
> >     >>>
> >     >>>         At the moment we only HTTP binding to transport the
> access
> >     >>>         token (please correct me if not)..
> >     >>>
> >     >>>         This creates a dependency on the transport.
> >     >>>
> >     >>>         How about creating a JWT binding for OAuth 2.0..? We can
> >     >>>         transport the access token as an encrypted JWT header
> >     >>>         parameter..?
> >     >>>
> >     >>>
> >     >>>         Thanks & Regards,
> >     >>>         Prabath
> >     >>>
> >     >>>         Twitter : @prabath
> >     >>>         LinkedIn : http://www.linkedin.com/in/prabathsiriwardena
> >     >>>
> >     >>>         Mobile : +1 650 625 7950 <tel:%2B1%20650%20625%207950>
> >     <tel:%2B1%20650%20625%207950>
> >     >>>
> >     >>>         http://blog.facilelogin.com <
> http://blog.facilelogin.com/>
> >     >>>         http://blog.api-security.org <
> http://blog.api-security.org/>
> >     >>>         _______________________________________________
> >     >>>         OAuth mailing list
> >     >>>         [email protected] <mailto:[email protected]>
> >     <mailto:[email protected] <mailto:[email protected]>>
> >     >>>         https://www.ietf.org/mailman/listinfo/oauth
> >     >>
> >     >>
> >     >>
> >     >>
> >     >>     --
> >     >>     Thanks & Regards,
> >     >>     Prabath
> >     >>
> >     >>     Twitter : @prabath
> >     >>     LinkedIn : http://www.linkedin.com/in/prabathsiriwardena
> >     >>
> >     >>     Mobile : +1 650 625 7950 <tel:%2B1%20650%20625%207950>
> >     <tel:%2B1%20650%20625%207950>
> >     >>
> >     >>     http://blog.facilelogin.com <http://blog.facilelogin.com/>
> >     >>     http://blog.api-security.org <http://blog.api-security.org/>
> >     >
> >     >
> >     >
> >     >
> >     > --
> >     > Thanks & Regards,
> >     > Prabath
> >     >
> >     > Twitter : @prabath
> >     > LinkedIn : http://www.linkedin.com/in/prabathsiriwardena
> >     >
> >     > Mobile : +1 650 625 7950 <tel:%2B1%20650%20625%207950>
> >     >
> >     > http://blog.facilelogin.com
> >     > http://blog.api-security.org
> >     >
> >     >
> >     > _______________________________________________
> >     > OAuth mailing list
> >     > [email protected] <mailto:[email protected]>
> >     > https://www.ietf.org/mailman/listinfo/oauth
> >     >
> >
> >
> >
> >
> > --
> > Thanks & Regards,
> > Prabath
> >
> > Twitter : @prabath
> > LinkedIn : http://www.linkedin.com/in/prabathsiriwardena
> >
> > Mobile : +1 650 625 7950
> >
> > http://blog.facilelogin.com
> > http://blog.api-security.org
>
>


-- 
Thanks & Regards,
Prabath

Twitter : @prabath
LinkedIn : http://www.linkedin.com/in/prabathsiriwardena

Mobile : +1 650 625 7950

http://blog.facilelogin.com
http://blog.api-security.org
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth

Reply via email to