[Specs-cx] CX Contract to enlist OAuth clients

nara hideki hdknr at ic-tact.co.jp
Thu May 27 20:16:39 UTC 2010


Morning, thank you very much for your quick response.

At first I thought in the same way as you.
But I think that CX Contract must be formed as a "holder-of-key
tokens" for request authentication.

The contract created in the OpenID session between RP1 and OP can be
fetched by RP2 only if that contract is encrypted for RP2.
If the contract is encrypted by a symmetric key shared between all parties,
assertion flow would work. But we need the way to distribute that key.
So client credential flow seems to be good enough.

Otherwise, if a party signs the CX contract again (this means making
the contract a "holder-of-key token"), the assertion flow can work.
It seems to be better because
the CX contract can be distributed in the "push" use case.

---
hdknr

2010/5/27 Nat Sakimura <n-sakimura at nri.co.jp>:
> Hi.
>
> Is the Assertion Flow not more suitable?
> We just send the CX Contract as an assertion to the OAuth endpoint.
>
> Then, we can get the OAuth Access Token to access the data which was
> defined in the CX Contract. No need for scope.
>
> Having said that, even the Access Token is kind of redundant as CX extensively
> uses public key crypto. The refreshable access token is something that
> we needed to avoid the public key crypto, I guess.
>
> =nat
>
> (2010/05/27 18:03), nara hideki wrote:
>>
>> Hi, experts.
>>
>> I think that a CX Contract can enlist binding parties to OAuth 2.0
>> services consumers.
>> Any comment is welcome.
>>
>> 1.  Declare an endpoint as an OAuth service.
>>
>> If the /Contract/Party/obligations/endpoint is an OAuth 2.0 server, the
>> CX Proposal may have the following attribute.
>>
>>      /Contract/Party/obligations/endpoint/@oauth
>>
>>           The OAuth 2.0 token endpoint for getting the access token to
>> /Contract/Party/obligations/endpoint.
>>
>> 2.  A CX Party starts OAuth.
>>
>> A CX data requesting party MUST ask the authorization server in the
>> course of the "Client Credentials" flow of OAuth 2.0.
>>
>> The OAuth request parameters are the following:
>>
>> type
>>        "client_credentials" (same as OAuth 2.0)
>>
>> client_id
>>           party's identifier specified in the CX Contract.
>>
>> client_secret
>>           _challenge_generated_by_the_cx_data_requesting_party_
>>
>> scope
>>      cxid = _cx_identifier_   , cxdig = _rsa_sha256_by_private_key_(
>> "client_secret" )_
>>
>>      The authorization server should authenticate and issue a token in the
>> following process:
>>
>>        1.  request is based on a CX Contract if "cxid" is specified in
>> "scope".
>>        2.  fetch CX Contract  specified in "cxid" of "scope". "cxid"
>> is the URI of the CX Signatory.
>>            (only for the first time)
>>        3.  verify "cxdig" in "scope" for "client_secret" with the
>> public key of "client_id" X.509 certificate in the CX Contract.
>>        4.  return an OAuth access token if "cxdig" is properly verified.
>>
>> secret_type
>>
>>      http://openid.net/cx/#sig_rsa_sha256_ ( or something ... )
>>
>> format
>>      same as OAuth 2.0
>>
>> If an access token is successfully returned, the CX party is now able
>> to request data from /Contract/Party/obligations/endpoint.
>>
>> -----
>> hdknr
>> _______________________________________________
>> Specs-cx mailing list
>> Specs-cx at lists.openid.net
>> http://lists.openid.net/mailman/listinfo/openid-specs-cx
>>
>
>
> --
> Nat Sakimura (n-sakimura at nri.co.jp)
> Nomura Research Institute, Ltd.
> Tel:+81-3-6274-1412 Fax:+81-3-6274-1547
>
> The information contained in this e-mail is confidential and is intended to be sent only to the addressee(s) named. Any use of this information by anyone other than the intended recipient, including disclosure, copying, redistribution or forwarding, is prohibited. If you have received this e-mail in error, we apologize; please notify the sender and delete the received e-mail.
> PLEASE READ:
> The information contained in this e-mail is confidential and intended for
> the named recipient(s) only.
> If you are not an intended recipient of this e-mail, you are hereby notified
> that any review, dissemination, distribution or duplication of this message
> is strictly prohibited. If you have received this message in error, please
> notify the sender immediately and delete your copy from your system.
>
>
>
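The client-credentials exchange that hdknr's quoted proposal describes (a challenge in `client_secret`, an RSA-SHA256 signature over it in `cxdig`, the contract reference in `cxid`, and the four-step verification on the authorization server) can be seen end to end in the following added example. It is not code from the thread or from the OpenID CX work; it is written here to illustrate the proposal. The contract lookup is a constructed in-memory directory that maps a cxid to its parties' public keys, standing in for fetching the contract and extracting the key from each party's X.509 certificate, and all URIs, the `cxid`/`cxdig` scope syntax and the PKCS#1 v1.5 signature encoding are assumptions, since the proposal leaves them open.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// TokenRequest carries the client-credentials parameters the proposal lists.
type TokenRequest struct {
	Type         string // "client_credentials"
	ClientID     string // the party's identifier from the CX Contract
	ClientSecret string // challenge generated by the requesting party
	Scope        string // "cxid=<contract URI>, cxdig=<base64url RSA-SHA256 signature>"
	SecretType   string // placeholder URI taken from the proposal
}

// NewChallenge returns a fresh random 256-bit challenge, base64url-encoded.
// Using fresh randomness per request is this example's choice; a reused
// challenge would let an observed cxdig be replayed.
func NewChallenge() (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// BuildTokenRequest is the requesting party's side: it signs the challenge
// with its private key and puts the signature into the scope as cxdig.
func BuildTokenRequest(priv *rsa.PrivateKey, clientID, cxID, challenge string) (TokenRequest, error) {
	digest := sha256.Sum256([]byte(challenge))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return TokenRequest{}, err
	}
	return TokenRequest{
		Type:         "client_credentials",
		ClientID:     clientID,
		ClientSecret: challenge,
		Scope:        fmt.Sprintf("cxid=%s, cxdig=%s", cxID, base64.RawURLEncoding.EncodeToString(sig)),
		SecretType:   "http://openid.net/cx/#sig_rsa_sha256_", // placeholder from the proposal
	}, nil
}

// parseScope splits "cxid=..., cxdig=..." into key/value pairs (assumed syntax).
func parseScope(scope string) map[string]string {
	out := map[string]string{}
	for _, part := range strings.Split(scope, ",") {
		kv := strings.SplitN(strings.TrimSpace(part), "=", 2)
		if len(kv) == 2 {
			out[kv[0]] = kv[1]
		}
	}
	return out
}

// ContractDirectory is a constructed stand-in for step 2 of the proposal:
// cxid -> (client_id -> public key from that party's certificate in the contract).
type ContractDirectory map[string]map[string]*rsa.PublicKey

// AuthorizeTokenRequest runs the proposal's four steps on the authorization
// server and returns an opaque access token when cxdig verifies.
func AuthorizeTokenRequest(dir ContractDirectory, req TokenRequest) (string, error) {
	if req.Type != "client_credentials" {
		return "", errors.New("unsupported type")
	}
	sc := parseScope(req.Scope)
	cxID, ok := sc["cxid"] // step 1: a CX-based request carries cxid in scope
	if !ok {
		return "", errors.New("not a CX-based request: no cxid in scope")
	}
	parties, ok := dir[cxID] // step 2: fetch the contract named by cxid
	if !ok {
		return "", errors.New("unknown CX contract")
	}
	pub, ok := parties[req.ClientID]
	if !ok {
		return "", errors.New("client_id is not a party to the contract")
	}
	sig, err := base64.RawURLEncoding.DecodeString(sc["cxdig"])
	if err != nil {
		return "", errors.New("cxdig is not base64url")
	}
	digest := sha256.Sum256([]byte(req.ClientSecret)) // step 3: verify cxdig over client_secret
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return "", errors.New("cxdig does not verify against the party's public key")
	}
	tok := make([]byte, 16) // step 4: issue an opaque access token
	if _, err := rand.Read(tok); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(tok), nil
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	dir := ContractDirectory{"https://cx.example/contract/42": {"https://rp1.example/": &priv.PublicKey}}
	ch, _ := NewChallenge()
	req, _ := BuildTokenRequest(priv, "https://rp1.example/", "https://cx.example/contract/42", ch)
	fmt.Println(AuthorizeTokenRequest(dir, req))
	req.ClientSecret = "altered-in-transit" // signature no longer matches: rejected
	fmt.Println(AuthorizeTokenRequest(dir, req))
}
```

The server never needs a shared `client_secret`; the challenge is public and only the signature over it proves possession of the party's private key, which is the point hdknr makes about holder-of-key style authentication. What the example does not cover is the ordinary-scope case the proposal leaves unspecified: a request without `cxid` is simply refused here.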

