[Specs-cx] CX Contract to enlist OAuth clients

Nat Sakimura n-sakimura at nri.co.jp
Thu May 27 09:36:41 UTC 2010


Hi.

Isn't the Assertion Flow more suitable?
We just send the CX Contract as an assertion to the OAuth endpoint.

Then, we can get the OAuth Access Token to access the data which was
defined in the CX Contract. No need for scope.

Having said that, even the Access Token is kind of redundant, as CX extensively
uses public key crypto. The refreshable access token is something that
we needed in order to avoid the public key crypto, I guess.

=nat

(2010/05/27 18:03), nara hideki wrote:
> Hi, experts.
>
> I think that a CX Contract can enlist binding parties as OAuth 2.0
> service consumers.
> Any comment is welcome.
>
> 1.  Declare an endpoint as an OAuth service.
>
> If the /Contract/Party/obligations/endpoint is an OAuth 2.0 server, the
> CX Proposal may have the following attribute.
>
>       /Contract/Party/obligations/endpoint/@oauth
>
>            The OAuth 2.0 token endpoint for getting the access token to
> /Contract/Party/obligations/endpoint.
>
> 2.  A CX Party starts OAuth.
>
> A CX data requesting party MUST ask the authorization server in the
> course of the "Client Credentials" flow of OAuth 2.0.
>
> The OAuth request parameters are the following:
>
> type
>         "client_credentials" (same as OAuth 2.0 )
>
> client_id
>            party's identifier specified in the CX Contract.
>
> client_secret
>            _challenge_generated_by_the_cx_data_requesting_party_
>
> scope
>       cxid = _cx_identifier_   , cxdig = _rsa_sha256_by_private_key_(
> "client_secret" )_
>
>       The authorization server should authenticate and issue a token in the
> following process:
>
>         1.  The request is based on a CX Contract if "cxid" is specified in "scope".
>         2.  Fetch the CX Contract specified in "cxid" of "scope". "cxid"
> is the URI of the CX Signatory.
>             (only for the first time)
>         3.  Verify "cxdig" in "scope" for "client_secret" with the
> public key of the "client_id" X.509 certificate in the CX Contract.
>         4.  Return an OAuth access token if "cxdig" is properly verified.
>
> secret_type
>
>       http://openid.net/cx/#sig_rsa_sha256_ ( or something ... )
>
> format
>       same as OAuth 2.0
>
> If an access token is successfully returned, the CX party is now able
> to request data from /Contract/Party/obligations/endpoint.
>
> -----
> hdknr
> _______________________________________________
> Specs-cx mailing list
> Specs-cx at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-cx
>    


-- 
Nat Sakimura (n-sakimura at nri.co.jp)
Nomura Research Institute, Ltd.
Tel:+81-3-6274-1412 Fax:+81-3-6274-1547
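The client-credentials exchange hdknr proposes above (a challenge in client_secret, its RSA-SHA256 signature and the contract URI in scope, verification by the authorization server against the party's key from the CX Contract), worked through as an added Go example. This is not code from the thread or from the CX specification. It models the already-fetched CX Contract as a map from party identifier (the client_id) to the RSA public key taken from that party's X.509 certificate; fetching and parsing the contract and certificate are left out, and the identifiers https://rp.example/party and https://cx.example/contracts/42 are made up. It also adds one check the proposal does not mention: because the challenge is chosen by the requesting party itself, the server remembers accepted challenges so that a captured client_secret/cxdig pair cannot simply be presented again.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// must turns an unexpected error in setup (key generation, signing) into a panic.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func randBase64URL(n int) string {
	b := make([]byte, n)
	must(rand.Read(b))
	return base64.RawURLEncoding.EncodeToString(b)
}

// TokenRequest carries the four parameters the proposal names.
type TokenRequest struct{ Type, ClientID, ClientSecret, Scope string }

// AuthServer keeps fetched CX Contracts by cxid, each mapping a party identifier (client_id)
// to the RSA key from that party's certificate, plus (added) every challenge already accepted.
type AuthServer struct {
	contracts map[string]map[string]*rsa.PublicKey
	seen      map[string]bool
}

// BuildTokenRequest is the requesting party's side: a fresh challenge in client_secret,
// its RSA-SHA256 signature and the contract URI in scope.
func BuildTokenRequest(clientID, cxid string, key *rsa.PrivateKey) TokenRequest {
	challenge := randBase64URL(16)
	digest := sha256.Sum256([]byte(challenge))
	sig := must(rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:]))
	return TokenRequest{"client_credentials", clientID, challenge,
		"cxid=" + cxid + ",cxdig=" + base64.RawURLEncoding.EncodeToString(sig)}
}

// parseScope splits "cxid=...,cxdig=..." into its key/value pairs.
func parseScope(scope string) map[string]string {
	out := map[string]string{}
	for _, kv := range strings.Split(scope, ",") {
		if k, v, ok := strings.Cut(strings.TrimSpace(kv), "="); ok {
			out[k] = v
		}
	}
	return out
}

// IssueToken is the authorization server's side, steps 1 to 4 of the proposal.
func (as *AuthServer) IssueToken(req TokenRequest) (string, error) {
	sc := parseScope(req.Scope)
	cxid, isCX := sc["cxid"] // step 1: cxid in scope marks a contract-based request
	if req.Type != "client_credentials" || !isCX {
		return "", errors.New("not a CX contract client_credentials request")
	}
	pub, ok := as.contracts[cxid][req.ClientID] // step 2: contract fetched earlier by cxid
	sig, err := base64.RawURLEncoding.DecodeString(sc["cxdig"])
	if !ok || err != nil {
		return "", errors.New("unknown contract or party, or cxdig is not base64url")
	}
	digest := sha256.Sum256([]byte(req.ClientSecret))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil { // step 3
		return "", errors.New("cxdig does not verify against the contract certificate key")
	}
	// Added check, not in the proposal: the client picks the challenge, so a captured
	// (client_secret, cxdig) pair would verify again unless the server remembers it.
	seenKey := req.ClientID + "|" + req.ClientSecret
	if as.seen[seenKey] {
		return "", errors.New("replayed challenge")
	}
	as.seen[seenKey] = true
	return randBase64URL(16), nil // step 4: a fresh access token
}

// RunScenario: one contract, one party (hypothetical identifiers); a valid request, a tampered one, a replay.
func RunScenario() (token string, tamperErr, replayErr error) {
	const clientID, cxid = "https://rp.example/party", "https://cx.example/contracts/42"
	key := must(rsa.GenerateKey(rand.Reader, 2048))
	as := &AuthServer{map[string]map[string]*rsa.PublicKey{cxid: {clientID: &key.PublicKey}}, map[string]bool{}}
	req := BuildTokenRequest(clientID, cxid, key)
	token = must(as.IssueToken(req))
	bad := TokenRequest{req.Type, req.ClientID, req.ClientSecret + "x", req.Scope} // signature no longer matches
	_, tamperErr = as.IssueToken(bad)
	_, replayErr = as.IssueToken(req) // same challenge and signature presented again
	return token, tamperErr, replayErr
}

func main() { fmt.Println(RunScenario()) }
```

Run with `go run`: the valid request yields a token, the request whose client_secret was altered after signing fails at step 3, and re-sending the original request verifies cryptographically but is refused by the added replay check. Note that nothing in the proposal binds the challenge to a time or to the token endpoint, so the seen-set is the only thing standing between a passive observer and a second token.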
