[OpenID] oauth assertion bearer grant - motivation?
Chuck Mortimore
cmortimore at salesforce.com
Thu Jan 23 22:19:07 UTC 2014
What you've build is a pretty common use-case for us as well, and broadly
used in our customer base (some minor variations in protocol, but same
intent) Here's a whitepaper we use to explain the websso /oauth hybrid
approach to customers:
http://wiki.developerforce.com/page/Single_Sign-On_for_Desktop_and_Mobile_Applications_using_SAML_and_OAuth
The bearer flows are used for slightly different use-cases, at least in our
environment. We tend to employee these for server-to-server use-cases
where the user is not present (and not able to go through an oauth or
websso flow) but you still need to obtain an access token on their behalf.
One practical example is automated provisioning of tenants. Using our
signup API you can create a new salesforce tenant with an admin that is
pre-approved for a particular oauth application. You can than use the
bearer flow to exchange an assertion for an access token and begin
programmatically configuring the tenant. No exchange of passwords, and
no user present to physically perform the oauth dance.
One example, but hopefully this helps illustrate how they can be used.
-cmort
On Thu, Jan 23, 2014 at 1:24 PM, Peter Williams <home_pw at msn.com> wrote:
>
> Say just a little more, since this swapping of “enterprise” issued (saml
> blob) tokens all overlaps with openid connect in my mind - where the
> latter has different type of jwt: one for passing (classical
> oauth-powered) access guards at webapis, and those one's delivering
> identity claims and attributes from a backroom directory.
>
> Ive built and deployed a websso and oauth hybrid. Invoking authorization
> via a (embedded)Brower requires one to conclude websso, with a wsfedp idp,
> that mints saml tokens. Said token opens the consent gate, that controls
> minting of oath grants. Subsequently, Use of token endpoint, citing a one
> time code or other proof token, returns a Json object with one or more
> jwts, and the websso bearer token, and an microsoftonline
> sts-issued(swapped from bearer) token usable at office365
> wstrust/wssecurity/wssecureconversation guarded APIs.
>
> thick clients, phone apps, tablet apps and websites acting as agents are
> all happy with all that. And it fits with today's devices and middleware
> now (finally) adopted by us realty, and its 300 vendors.
>
> What the oath bearer grant has done is confuse me more, particularly in
> understanding how the scopes from grants are aggregated, and WHY. I already
> don't really get how I'm supposed * to use* different jwts, in the openid
> connect profile, for “radically innovative” use cases that align with how
> folks are assuming enterprise, and social, and APIs, and mixed app\browser
> apps are all supposed to work, next generation.
>
> Prehaps a call for a blog post or two?
>
> Sent from Surface Pro
>
> *From:* John Bradley <ve7jtb at ve7jtb.com>
> *Sent:* Thursday, January 23, 2014 11:34 AM
> *To:* peter Msn <home_pw at msn.com>
> *Cc:* openid-general at lists.openid.net
>
> This is the openID list and not a OAuth list, but I will attempt an answer.
>
> For others on the list the specs are
> http://tools.ietf.org/html/draft-ietf-oauth-saml2-bearer and
> http://tools.ietf.org/html/draft-ietf-oauth-assertions<http://tools.ietf.org/html/draft-ietf-oauth-assertions->
>
> <http://tools.ietf.org/html/draft-ietf-oauth-assertions->Basically it is
> a way to do token translation. In some cases when interfacing with
> Enterprise systems getting them to issue a SAML token may be easier the
> simplest thing to do.
>
> The resource server (RS) however likely only understands a single access
> token form. GUID or JWT for the most part. The assertion profiles let the
> client translate a JWT or SAML assertion into a OAuth access token.
>
> This can be quite useful in crossing security domains where the AS is
> relying on a 3rd party to authenticate the user. The AS could redirect to
> a SAML IDP using websso but on mobile devices that might not be optimal.
>
> The scopes associated with the access token can be a subset of the ones
> granted by the SAML assertion. In some cases with multiple endpoints you
> may want to down scope the access token<http://tools.ietf.org/html/draft-ietf-oauth-assertions-13#section-4.1>
> .
>
> The biggest user of this flow is SalesForce as far as I know.
>
> John B.
>
> On Jan 23, 2014, at 3:46 PM, Peter Williams <home_pw at msn.com> wrote:
>
> It took me a while (and several years of lateness) to comprehend just what
> kind of world the classical oauth grants were designed for. One advantage
> of being late to the party was that I tended to get better variants, such
> as a grant returning a JWT bearing attributes rather than using grants that
> returnee guids as tokens - that had to be subsequently resolved.
>
> So what is the “use case” of the saml2 bearer assertion grant?
>
> I makes perfect sense that someone with a bearer assertion might swap it
> for a JWT, for use at APIs. And it makes perfect sense that such a saml
> assertion plays much the same role as a does possession of an
> optional renewal-token - the one native to an OAUTH handshake.
>
> But I don't see what the “generation changing” motivation is for the
> scopes - that the access token returns all scopes for which tokens (with
> renewals) have previous been issued.
>
> So what is the 'context’ of control being enabled here? What thing is this
> scope-aggregation feature working for?
>
>
> Sent from Surface Pro
>
> _______________________________________________
> general mailing list
> general at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-general
>
>
>
> _______________________________________________
> general mailing list
> general at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-general
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-general/attachments/20140123/89ae2a73/attachment.html>
More information about the general
mailing list