[WRAP] WRAP in GSMA OneAPI
56 views
Skip to first unread message
Kevin Smith, Vodafone
May 4, 2010, 7:20:00 AM5/4/10
to OAuth WRAP WG
Dear OAUTH WRAP group,
My name is Kevin Smith of Vodafone R&D, and I lead a cross-mobile
operator project called OneAPI ('Open Network Enablers') [1]. The aim
is to provide a RESTful API to expose network functions such as
location, messaging, payments and more to developers; with the
reckoning that this will make it far easier to mash-up Web
applications with network capabilities and reduce the time to reach
all mobile subscribers in a territory. Thus far we have a live pilot
implementation across the 3 major Canadian operators [2] and a non-
commercial test site connected to
12 European operators [3], and will be releasing v1.0 specifications
backed by the OMA this month.
For the first release we did not attempt to prescribe an AAA model to
operators, instead leaving them to reuse their own SDP AAA
implementation for OneAPI. For our second phase now underway we would
like to provide a recommended reference implementation AAA model for
operators who are unsure how to allow secure API access whilst
allowing user consent and privacy to be respected. Therefore we have
discussed OAUTH as an ideal candidate that will be well-known to Web
developers.
My question regards the suitability of WRAP for such a reference
implementation: the decoupling of authentication is good sense and
would be welcome by operators, however it appears that WRAP is
deprecated and is intended to be replaced by OAUTH 2.0 - is that
right? Please could you provide any details on the plans for if/how
the two will interoperate? If it's at all possible, we would very much
welcome a member of the group to present on WRAP at one of our face-to-
face meetings in London - if that is of interest please let me know
and I can make arrangements.
Thanks for your time and look forward to your advice.
Kind regards,
Kevin
[1] http://www.gsmworld.com/oneapi
[2] http://canada.oneapi.gsmworld.com/
[3] http://oneapi.aepona.com/
Kevin Smith
Senior Technology Strategist, R&D
Vodafone Technology
E-mail: kevin...@vodafone.com
--
You received this message because you are subscribed to the Google Groups "OAuth WRAP WG" group.
To post to this group, send email to oauth-...@googlegroups.com.
To unsubscribe from this group, send email to oauth-wrap-w...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/oauth-wrap-wg?hl=en.
My name is Kevin Smith of Vodafone R&D, and I lead a cross-mobile
operator project called OneAPI ('Open Network Enablers') [1]. The aim
is to provide a RESTful API to expose network functions such as
location, messaging, payments and more to developers; with the
reckoning that this will make it far easier to mash-up Web
applications with network capabilities and reduce the time to reach
all mobile subscribers in a territory. Thus far we have a live pilot
implementation across the 3 major Canadian operators [2] and a non-
commercial test site connected to
12 European operators [3], and will be releasing v1.0 specifications
backed by the OMA this month.
For the first release we did not attempt to prescribe an AAA model to
operators, instead leaving them to reuse their own SDP AAA
implementation for OneAPI. For our second phase now underway we would
like to provide a recommended reference implementation AAA model for
operators who are unsure how to allow secure API access whilst
allowing user consent and privacy to be respected. Therefore we have
discussed OAUTH as an ideal candidate that will be well-known to Web
developers.
My question regards the suitability of WRAP for such a reference
implementation: the decoupling of authentication is good sense and
would be welcome by operators, however it appears that WRAP is
deprecated and is intended to be replaced by OAUTH 2.0 - is that
right? Please could you provide any details on the plans for if/how
the two will interoperate? If it's at all possible, we would very much
welcome a member of the group to present on WRAP at one of our face-to-
face meetings in London - if that is of interest please let me know
and I can make arrangements.
Thanks for your time and look forward to your advice.
Kind regards,
Kevin
[1] http://www.gsmworld.com/oneapi
[2] http://canada.oneapi.gsmworld.com/
[3] http://oneapi.aepona.com/
Kevin Smith
Senior Technology Strategist, R&D
Vodafone Technology
E-mail: kevin...@vodafone.com
--
You received this message because you are subscribed to the Google Groups "OAuth WRAP WG" group.
To post to this group, send email to oauth-...@googlegroups.com.
To unsubscribe from this group, send email to oauth-wrap-w...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/oauth-wrap-wg?hl=en.
David Recordon
May 6, 2010, 1:13:51 AM5/6/10
to OAuth WG, Blaine Cook
+OAuth IETF list
-WRAP list to BCC
OAuth 2.0 should be pretty simple for you to implement and any feedback your team has would be really appreciated! There are already implementations in Cocoa, Python, and Ruby list on the wiki at http://wiki.oauth.net/OAuth-2.0 and you find find the spec at http://tools.ietf.org/html/draft-hammer-oauth2-00.
You may also be interested in the mobile web implementation we've built at Facebook. http://developers.facebook.com/docs/guides/mobile/
I'm also cc'ing Blaine Cook who lives in Ireland and might be able to present.
Cheers,
--David
David Recordon
May 6, 2010, 2:50:28 AM5/6/10
to Manger, James H, OAuth WG, oauth-...@googlegroups.com
Updated on the wiki!
On Wed, May 5, 2010 at 11:48 PM, Manger, James H <James.H...@team.telstra.com> wrote:
draft-ietf-oauth-v2 is the current document.
http://tools.ietf.org/html/draft-ietf-oauth-v2
The IETF status page for the OAuth working group is a good place to point to:
http://tools.ietf.org/wg/oauth/
It links to the latest drafts, mailing list, etc.
(Eran’s individual submission draft-hammer-oauth2 became the IETF working group draft draft-ietf-oauth-v2)
David, would you like to update http://wiki.oauth.net/OAuth-2.0?
--
James Manger
Kevin Smith, Vodafone
May 6, 2010, 7:33:58 AM5/6/10
to OAuth WRAP WG
Thanks David - we'll take a look at OAuth 2.0 and how it can apply for
granting permission for a 3rd party to consume a user-relevant network
resource on a user's behalf. Good to hear you have bindings already;
it looks like Facebook also supports a JavaScript binding which would
fit nicely with OneAPI.
We'll keep you in touch with our findings, Blaine (or another member)
would be very welcome at one of our meetings to lead a discussion.
Best,
Kevin
On May 6, 7:50 am, David Recordon <record...@gmail.com> wrote:
> Updated on the wiki!
>
> On Wed, May 5, 2010 at 11:48 PM, Manger, James H <
>
>
>
> James.H.Man...@team.telstra.com> wrote:
> > draft-ietf-oauth-v2 is the current document.
>
> >http://tools.ietf.org/html/draft-ietf-oauth-v2
>
> > The IETF status page for the OAuth working group is a good place to point
> > to:
>
> >http://tools.ietf.org/wg/oauth/
>
> > It links to the latest drafts, mailing list, etc.
>
> > (Eran’s individual submission draft-hammer-oauth2 became the IETF working
> > group draft draft-ietf-oauth-v2)
>
> > David, would you like to updatehttp://wiki.oauth.net/OAuth-2.0?
>
> > --
>
> > James Manger
>
> > *From:* oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] *On Behalf
> > Of *David Recordon
> > *Sent:* Thursday, 6 May 2010 3:14 PM
> > *To:* OAuth WG; Blaine Cook
> > *Subject:* Re: [OAUTH-WG] [WRAP] WRAP in GSMA OneAPI
> > E-mail: kevin.sm...@vodafone.com
> > .
granting permission for a 3rd party to consume a user-relevant network
resource on a user's behalf. Good to hear you have bindings already;
it looks like Facebook also supports a JavaScript binding which would
fit nicely with OneAPI.
We'll keep you in touch with our findings, Blaine (or another member)
would be very welcome at one of our meetings to lead a discussion.
Best,
Kevin
On May 6, 7:50 am, David Recordon <record...@gmail.com> wrote:
> Updated on the wiki!
>
> On Wed, May 5, 2010 at 11:48 PM, Manger, James H <
>
>
>
> James.H.Man...@team.telstra.com> wrote:
> > draft-ietf-oauth-v2 is the current document.
>
> >http://tools.ietf.org/html/draft-ietf-oauth-v2
>
> > The IETF status page for the OAuth working group is a good place to point
> > to:
>
> >http://tools.ietf.org/wg/oauth/
>
> > It links to the latest drafts, mailing list, etc.
>
> > (Eran’s individual submission draft-hammer-oauth2 became the IETF working
> > group draft draft-ietf-oauth-v2)
>
> > David, would you like to updatehttp://wiki.oauth.net/OAuth-2.0?
>
> > --
>
> > James Manger
>
> > Of *David Recordon
> > *Sent:* Thursday, 6 May 2010 3:14 PM
> > *To:* OAuth WG; Blaine Cook
> > *Subject:* Re: [OAUTH-WG] [WRAP] WRAP in GSMA OneAPI
>
> > +OAuth IETF list
>
> > -WRAP list to BCC
>
> > Hi Kevin,
>
> > OAuth 2.0 should be pretty simple for you to implement and any feedback
> > your team has would be really appreciated! There are already implementations
> > in Cocoa, Python, and Ruby list on the wiki at
> >http://wiki.oauth.net/OAuth-2.0and you find find the spec at
> > +OAuth IETF list
>
> > -WRAP list to BCC
>
> > Hi Kevin,
>
> > OAuth 2.0 should be pretty simple for you to implement and any feedback
> > your team has would be really appreciated! There are already implementations
> > in Cocoa, Python, and Ruby list on the wiki at
> >http://tools.ietf.org/html/draft-hammer-oauth2-00.
>
> > You may also be interested in the mobile web implementation we've built at
> > Facebook.http://developers.facebook.com/docs/guides/mobile/
>
> > You may also be interested in the mobile web implementation we've built at
>
> > --
> > You received this message because you are subscribed to the Google Groups
> > "OAuth WRAP WG" group.
> > To post to this group, send email to oauth-...@googlegroups.com.
> > To unsubscribe from this group, send email to
> > oauth-wrap-w...@googlegroups.com<oauth-wrap-wg%2Bunsu...@googlegroups.com>
> > --
> > You received this message because you are subscribed to the Google Groups
> > "OAuth WRAP WG" group.
> > To post to this group, send email to oauth-...@googlegroups.com.
> > To unsubscribe from this group, send email to
> > .
> > For more options, visit this group at
> >http://groups.google.com/group/oauth-wrap-wg?hl=en.
>
> --
> You received this message because you are subscribed to the Google Groups "OAuth WRAP WG" group.
> To post to this group, send email to oauth-...@googlegroups.com.
> To unsubscribe from this group, send email to oauth-wrap-w...@googlegroups.com.
> For more options, visit this group athttp://groups.google.com/group/oauth-wrap-wg?hl=en.
> >http://groups.google.com/group/oauth-wrap-wg?hl=en.
>
> --
> You received this message because you are subscribed to the Google Groups "OAuth WRAP WG" group.
> To post to this group, send email to oauth-...@googlegroups.com.
> To unsubscribe from this group, send email to oauth-wrap-w...@googlegroups.com.
Kevin Smith
Jun 8, 2010, 12:31:02 PM6/8/10
to oauth-...@googlegroups.com, OAuth WG, Blaine Cook
Hi David, Blaine,
We (the OneAPI group) have been looking further into OAUTH 2.0 and would like to see how it can work in a mobile network scenario: for example, a desktop Web application wants to locate a mobile user to plot their location on a map. So the client is the Web application and the server is an HTTP platform sitting on top of the mobile core network.
It seems that the Web application could register a client ID and client secret with the OneAPI-implementing server. When location is requested by this client, the server would prompt the user, and if permission were received, would enable the client to access the location via an access token/secret.
One difference to the regular OAUTH flow is that 'post-pay' contract network subscribers would not have to enter a username/password to identify themselves since they would be implicitly identified on the network anyway; they would just need to confirm authorisation ('Allow/Block'). We are not sure how to handle pre-pay users that buy phone credits in advance.
In case either of you (or any other OAUTH expert) would be available to lead a discussion on the technology, and to answer questions from mobile operators and platform vendors, we are having a meeting next Tuesday in London. The meeting is also accessible over Webex. Please let me know if you would be willing to do so, as I'm sure it will help kick-start our implementation work.
Cheers!
Kevin
We (the OneAPI group) have been looking further into OAUTH 2.0 and would like to see how it can work in a mobile network scenario: for example, a desktop Web application wants to locate a mobile user to plot their location on a map. So the client is the Web application and the server is an HTTP platform sitting on top of the mobile core network.
It seems that the Web application could register a client ID and client secret with the OneAPI-implementing server. When location is requested by this client, the server would prompt the user, and if permission were received, would enable the client to access the location via an access token/secret.
One difference to the regular OAUTH flow is that 'post-pay' contract network subscribers would not have to enter a username/password to identify themselves since they would be implicitly identified on the network anyway; they would just need to confirm authorisation ('Allow/Block'). We are not sure how to handle pre-pay users that buy phone credits in advance.
In case either of you (or any other OAUTH expert) would be available to lead a discussion on the technology, and to answer questions from mobile operators and platform vendors, we are having a meeting next Tuesday in London. The meeting is also accessible over Webex. Please let me know if you would be willing to do so, as I'm sure it will help kick-start our implementation work.
Cheers!
Kevin
Reply all
Reply to author
Forward
0 new messages