[OpenID] oauth assertion bearer grant - motivation?

Peter Williams home_pw at msn.com
Thu Jan 23 21:24:17 UTC 2014 




Say just a little more, since this swapping of “enterprise” issued (saml blob) tokens  all overlaps with openid connect in my mind - where the latter has different type of jwt: one for passing (classical oauth-powered) access guards at webapis, and those one's  delivering identity claims and attributes from a backroom directory.

 

Ive built and deployed a websso and oauth hybrid. Invoking authorization via a  (embedded)Brower requires one to conclude websso, with a wsfedp idp, that mints saml tokens. Said token opens the consent gate, that controls minting of oath grants. Subsequently, Use of token endpoint, citing a one time code or other proof token, returns a Json object with one or more jwts, and the websso bearer token, and an microsoftonline sts-issued(swapped from bearer) token usable at office365 wstrust/wssecurity/wssecureconversation guarded APIs. 


thick clients, phone apps, tablet apps and websites acting as agents are all happy with all that. And it fits with today's devices and middleware now (finally) adopted by us realty, and its 300 vendors.


What the oath bearer grant has done is confuse me more, particularly in understanding how the scopes from grants are aggregated, and WHY. I already don't really get how I'm supposed * to use* different jwts, in the openid connect profile, for “radically innovative” use cases that align with how folks are assuming enterprise, and social, and APIs, and mixed app\browser apps are all supposed to work, next generation.


Prehaps a call for a blog post or two?




Sent from Surface Pro





From: John Bradley
Sent: ‎Thursday‎, ‎January‎ ‎23‎, ‎2014 ‎11‎:‎34‎ ‎AM
To: peter Msn
Cc: openid-general at lists.openid.net





This is the openID list and not a OAuth list, but I will attempt an answer.




For others on the list the specs are http://tools.ietf.org/html/draft-ietf-oauth-saml2-bearer and http://tools.ietf.org/html/draft-ietf-oauth-assertions


Basically it is a way to do token translation.   In some cases when interfacing with Enterprise systems getting them to issue a SAML token may be easier the simplest thing to do.




The resource server (RS) however likely only understands a single access token form. GUID or JWT for the most part.   The assertion profiles let the client translate a JWT or SAML assertion into a OAuth access token.




This can be quite useful in crossing security domains where the AS is relying on a 3rd party to authenticate the user.   The AS could redirect to a SAML IDP using websso but on mobile devices that might not be optimal.  




The scopes associated with the access token can be a subset of the ones granted by the SAML assertion.   In some cases with multiple endpoints you may want to down scope the access token.




The biggest user of this flow is SalesForce as far as I know.




John B.




On Jan 23, 2014, at 3:46 PM, Peter Williams <home_pw at msn.com> wrote:




It took me a while (and several years of lateness) to comprehend just what kind of world the classical oauth grants were designed for.  One advantage of being late to the party was that I tended to get better variants, such as a grant returning a JWT bearing attributes rather than using grants that returnee guids as tokens - that had to be subsequently resolved.




So what is the “use case” of the saml2 bearer assertion grant?




I makes perfect sense that someone with a bearer assertion might swap it for a JWT, for use at APIs. And it makes perfect sense that such a saml assertion plays much the same role as a does possession of an optional renewal-token - the one native to an OAUTH handshake.




But I don't see what the “generation changing” motivation is for the scopes - that the access token returns all scopes for which tokens (with renewals) have previous been issued.




So what is the 'context’ of control being enabled here? What thing is this scope-aggregation feature working for?








Sent from Surface Pro



_______________________________________________
general mailing list
general at lists.openid.net
http://lists.openid.net/mailman/listinfo/openid-general
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-general/attachments/20140123/0c0dac5c/attachment.html>

More information about the general mailing list