Enterprise Signing in OAuth

From IIW
Revision as of 02:38, 16 November 2010 by IdentityWoman


Session: Tuesday, Session 2, Space I

Conference: IIW 10, May 17-19, 2009. This is the Complete Set of Notes.

Brian:  "I'm really happy with OAuth2, except for the signing...  Can we take section 5.3 of the spec and set it on fire?"

Problems seen:

  • HMAC covers the situation where people don't want to do SSL, but requires the whole ugly key management thing.  Brian proposes (with a long list of others interested) that we need public key signing.

  • The signing is not extensible, you can't add additional fields to the signature.  This seems to be a problem in the current spec.

  • New protocol substrates.

  • One signing choice doesn't seem enough.  Extensibility seems key here, can we do this with some form of discovery?

Proposed fixes:

  • Create a JSON blob we want signed.
    • an example...  does not require reconstruction of the string to be signed
    • BUT how do you verify the signed stuff is part of the request?
    • ALSO not great: duplication of data.

  • We need key versioning

    • Needs key discovery
    • Can use something like https://<app>.appspot.com/.well-known/oauth or some such.
    • This might not work for folks that are white label, because there isn't a separate URL for all the entities that need to be discovered.
  • There is a google group for the OAuth Key Discovery spec.  See Brian's copy of the slides.
  • It's worthwhile to join the OAuth2 mailing list to comment on this.
  • This is a big discussion topic, I don't type that fast.
  • XKMS is again, good reference reading for this.


  • How does it work with firewalls -- in and out...

  • XMLDSIG is very similar to this, it would be worthwhile to learn from that.  Also CMS (Crypto Message Sig).
  • Does have the whole PKI problem.

  • Can we solve this with SSL?  SSL with client certs?  Maybe...
    • Much discussion here about how key exchange and key management should work.

  • Comment -- If you want to sign arbitrary parts of an HTTP request then use SAML.  You don't really want to duplicate that here.

  • Need to make sure we get the key exchange right, if you try to put it in here people will get it wrong.

  • KeyID/key discovery.
    • comment: see XKMS for related reading.
    • keyID probably belongs in the envelope and not the payload (from his modified example).
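The "sign a JSON blob" proposal above raised two concerns (how do you know the signed blob belongs to this request, and duplication of data) and the later notes put the keyID in the envelope with key versioning. The following is an added illustration, not code from the session or from any OAuth spec: the signed payload carries a digest of the request rather than a copy of it, the key identifier sits in the envelope, and the verifier rejects both tampered requests and unknown or retired key versions. It uses HMAC from the standard library as a stand-in for the public-key signing Brian proposed; the key store and key IDs are constructed for the demo.

```python
import hashlib
import hmac
import json

# Constructed demo key store: key IDs carry a version, standing in for the
# key discovery / key versioning the notes call for. Retiring a version is
# simply removing it from the store.
KEYS = {
    "consumer-a/v1": b"old-secret-still-accepted",
    "consumer-a/v2": b"current-secret",
}


def canonical(obj):
    """Serialise JSON deterministically so signer and verifier hash the same bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def sign_request(method, url, body, key_id):
    """Build an envelope whose payload is bound to the request by a body digest."""
    payload = {
        "method": method.upper(),
        "url": url,
        # A digest instead of the body itself avoids duplicating request data
        # while still letting the verifier check the blob belongs to this request.
        "body_sha256": hashlib.sha256(body).hexdigest(),
    }
    # The key identifier lives in the envelope, not the payload, and is covered
    # by the signature because the whole envelope is signed.
    envelope = {"alg": "HS256", "kid": key_id, "payload": payload}
    sig = hmac.new(KEYS[key_id], canonical(envelope), hashlib.sha256).hexdigest()
    return {"envelope": envelope, "sig": sig}


def verify_request(method, url, body, signed):
    """True only if the signature checks out AND the payload matches the live request."""
    env = signed["envelope"]
    key = KEYS.get(env.get("kid"))
    if key is None:
        return False  # unknown or retired key version
    expected = hmac.new(key, canonical(env), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signed["sig"]):
        return False
    p = env["payload"]
    return (p["method"] == method.upper()
            and p["url"] == url
            and p["body_sha256"] == hashlib.sha256(body).hexdigest())
```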