OAUTH Web Authentication Where the Protocol is and What’s Next (3C)

From IIW

Session Topic: OAuth Web Authorization (T3C)

Conveners: Barry Leiba, Hannes

Notes-taker(s): Kent Landfield

Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:

The OAuth 2.0 draft has been approved by the working group and is going through final editing. An RFC is expected in November.

The working group needs to have a discussion on future work. This will require the working group to be re-chartered; re-chartering is hoped / expected to be complete by the end of the year.

Potential items to include in the next charter: more token types, token revocation, token type negotiation, UMA, discovery, and user interface extensions. More handshaking between the OpenID and OAuth work is expected.

Discussion of better documentation of OpenID Connect as it pertains to OAuth.

Bearer token request? Standard identity token? Structured with OpenID Connect? Discussion that there is an OAuth document that may cover most of this.

Phil and Mike discussed whether another layer is needed for technologies that are not OpenID Connect. OAuth would need to carry authentication information, which is something the OAuth group has resisted in the past. The first step is a new use-case document. Phil: that is coming.

Show of hands of the number of people not involved in IETF OAuth work: approximately 50% raised hands. Do you want to be? Some discussion of how to participate, with mailing list activity proposed as a first step. There was definitely interest in doing so.

Discussion of whether or not OAuth should take the OpenID token format work.

JOSE (JavaScript Object Signing and Encryption) has agreed to take some of the work (see the breakdown below).

OAuth will take the OpenID token format work.

Dynamic registration is a topic that may need to be included in OAuth. If so, OpenID will use it.

The following table lists the agreement on OpenID needs and which IETF WG will support each moving forward (Mike put this on the whiteboard).

Work item                                  IETF WG
JWT - JSON Web Token                       OAuth
JWS - JSON Web Signature                   JOSE
JWE - JSON Web Encryption                  JOSE
JWK - JSON Web Key                         JOSE
SWD - Simple Web Discovery                 OAuth
OAuth Assertions (token type agnostic)     OAuth
OAuth SAML profile (uses Assertions)       OAuth
Token Revocation                           OAuth
OAuth JWT profile (uses Assertions)        OAuth


Token revocation: the focus was on well-behaved clients that need to release tokens they no longer need (a cooperative mechanism, not a defense against a misbehaving client).
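As an added illustration of the cooperative revocation discussed here (this code is not part of the session notes and not from any working group draft), the following Python model shows a client releasing its tokens through a revocation endpoint. The endpoint semantics follow the shape later standardized in RFC 7009: the caller authenticates, a token that is unknown, expired or belongs to another client still gets a 200 so the response leaks nothing, and revoking a refresh token also invalidates the access tokens issued under the same grant. The client ids, secrets and in-memory token store are constructed for the example.

```python
import hmac
import secrets
import time


class AuthorizationServer:
    """In-memory authorization server with a token revocation endpoint (assumed design)."""

    def __init__(self):
        self._clients = {}  # client_id -> client_secret (constructed registry)
        self._tokens = {}   # token -> {"client_id", "grant", "kind", "scope", "expires_at"}

    def register_client(self, client_id, client_secret):
        self._clients[client_id] = client_secret

    def _client_ok(self, client_id, client_secret):
        expected = self._clients.get(client_id)
        # constant-time compare so a timing side channel does not leak the secret
        return expected is not None and hmac.compare_digest(expected, client_secret)

    def issue_grant(self, client_id, scope, now=None, access_lifetime=3600):
        """Issue a refresh token plus an access token tied to one authorization grant."""
        now = time.time() if now is None else now
        grant = secrets.token_hex(8)
        refresh = secrets.token_urlsafe(32)
        access = secrets.token_urlsafe(32)
        self._tokens[refresh] = {"client_id": client_id, "grant": grant, "kind": "refresh",
                                 "scope": scope, "expires_at": None}
        self._tokens[access] = {"client_id": client_id, "grant": grant, "kind": "access",
                                "scope": scope, "expires_at": now + access_lifetime}
        return refresh, access

    def validate(self, token, now=None):
        """Resource-server check: token is known and not expired."""
        now = time.time() if now is None else now
        rec = self._tokens.get(token)
        if rec is None:
            return False
        return rec["expires_at"] is None or now < rec["expires_at"]

    def revoke(self, client_id, client_secret, token):
        """Revocation endpoint; returns an HTTP-style status code (RFC 7009 semantics)."""
        if not self._client_ok(client_id, client_secret):
            return 401
        rec = self._tokens.get(token)
        if rec is None or rec["client_id"] != client_id:
            # Unknown, already revoked, or another client's token: change nothing,
            # and answer 200 so the caller cannot probe whether the token exists
            return 200
        to_drop = [token]
        if rec["kind"] == "refresh":
            # Releasing the refresh token also releases access tokens from the same grant
            to_drop += [t for t, r in self._tokens.items()
                        if r["grant"] == rec["grant"] and t != token]
        for t in to_drop:
            self._tokens.pop(t, None)
        return 200


def well_behaved_logout():
    """Scenario: client-a releases its tokens when the user logs out."""
    srv = AuthorizationServer()
    srv.register_client("client-a", "secret-a")  # constructed credentials
    srv.register_client("client-b", "secret-b")
    refresh, access = srv.issue_grant("client-a", scope="read")
    results = {"before": srv.validate(access)}
    # another client cannot revoke client-a's token, but still gets 200
    results["cross_client_status"] = srv.revoke("client-b", "secret-b", access)
    results["after_cross_client"] = srv.validate(access)
    # wrong client credentials are rejected outright
    results["bad_auth_status"] = srv.revoke("client-a", "wrong", access)
    # the well-behaved client revokes its refresh token; the access token goes with it
    results["status"] = srv.revoke("client-a", "secret-a", refresh)
    results["after"] = srv.validate(access)
    # revoking again is harmless (idempotent)
    results["again"] = srv.revoke("client-a", "secret-a", refresh)
    return results


if __name__ == "__main__":
    print(well_behaved_logout())
```

The scenario makes the scope limitation concrete: only a client that chooses to call the endpoint ever releases anything, so a leaked or misbehaving client is not caught by revocation, and the server still needs short access-token lifetimes and its own expiry checks.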

Response serialization format - expired draft ?