
oidc-survey - Re: Fwd: Re: [mitreid-connect] token chaining ....

Subject: OIDC Survey Working Group

  • From: David Walker <>
  • To: <>
  • Subject: Re: Fwd: Re: [mitreid-connect] token chaining ....
  • Date: Thu, 12 Jan 2017 11:57:36 -0800

Very interesting, Steve.   Probably out of scope for our survey group, but here are some thoughts.

I notice that the newer RFC addresses impersonation, as well as delegation.  I wonder what the use case is that couldn't be satisfied with delegation, since, as far as I can tell, delegation is impersonation plus a record of who's impersonating.

David


On 01/12/2017 06:58 AM, Steven Carmody wrote:
Hi,

we were chatting about this sort of functionality on last Friday's call ..... interesting

The MITREid OIDC/OAuth2 implementation is a very popular open source implementation. Justin seems to be the primary implementer.

The first rfc says in its abstract:

> This document provides a method for a resource server to present a
>    token that it has received from a client back to its authorization
>    server for the purposes of receiving a derivative token for use on
>    another resource server in order to chain together service requests.

That's what I'm looking for. But, that info rfc is long expired.

The second rfc is authored by the usual set of OAuth2 suspects, including Mike Jones, Tony Nadalin, John Bradley, etc. It re-introduces our old friend the STS from the WS protocols:

>  This specification defines a protocol for an HTTP- and JSON- based
>    Security Token Service (STS) by defining how to request and obtain
>    security tokens from OAuth 2.0 authorization servers, including
>    security tokens employing impersonation and delegation.

The second rfc is active, tho.


-------- Forwarded Message --------
Subject: Re: [mitreid-connect] token chaining ....
Date: Tue, 10 Jan 2017 14:03:17 -0500
From: Justin Richer
To: Steven Carmody
CC:

MITREid Connect currently implements this expired draft for token chaining:

https://tools.ietf.org/html/draft-richer-oauth-chain-00

The OAuth Working Group is currently working on something with similar (but much more complicated) functionality:
https://tools.ietf.org/html/draft-ietf-oauth-token-exchange-06

Nothing is published as an RFC yet.
 — Justin


On Jan 9, 2017, at 3:18 PM, Steven Carmody wrote:

Hi,

The MITREid documentation says that it supports token chaining -- but I'm
having trouble finding a current rfc that describes this
protocol/profile .... is there one ? Is there a description of what the
package supports for token chaining, and an example of how to use it ?

thanks !