(CC'ing both groups until George joins oauth-wrap-wg)
> In other profiles, we have the refresh token precisely so the user doesn't have to be involved every time the access token expires.
I don't expect the SAML profile to be used very often when a human
being is involved. If we've got SAML and a user in the picture, we're
almost certainly using the web SSO profile of SAML. Note that in that
case the client *never sees* the SAML assertion. All they know is
that they popped open a web browser to get user approval.
I do expect the SAML profile to be used in cases where no human being
is present, e.g. a cron job. For example:
- cron job wakes up, needs access to data
- local authentication context (e.g. kerberos, unix session, role
account password, IP address, ssh keys, or other magic security dust)
is used to talk to a SAML IdP
- SAML IdP returns a SAML authentication message
- SAML authentication message is swapped for an access token.
So no refresh token is needed; the ability to get long-lived access to
user data is provided by the local authentication context.
Cheers,
Brian
> (please move the rest of this conversation over to OAuth WRAP WG!)(CC'ing both groups until George joins oauth-wrap-wg)
I don't expect the SAML profile to be used very often when a human
> In other profiles, we have the refresh token precisely so the user doesn't have to be involved every time the access token expires.
being is involved. If we've got SAML and a user in the picture, we're
almost certainly using the web SSO profile of SAML. Note that in that
case the client *never sees* the SAML assertion. All they know is
that they popped open a web browser to get user approval.
I do expect the SAML profile to be used in cases where no human being
is present, e.g. a cron job. For example:
>
> Sorry for joining late...
>
> My thinking is that whether the response of an authorization request
> receives an AT and RT should be orthogonal to how the client
> authenticates it's request to the Authorization Server. If we don't
> force behavior into a specific profile, then it should be possible for
> the client to obtain a "token" (of any kind) and present it to the
> Authorization Server as the authentication token.
To clarify your point, you are commenting on how some profiles return
both an AT and an RT and some only an AT?
>
> I think Dick's proposal to write it up as a different profile probably
> makes the most sense. What might be nice is a protocol way to
> determine whether the client wants a user delegation profile or an
> autonomous client profile. Currently this seems to be determined by
> the input parameters to the Authorization Server. Maybe a simple
> parameter identifying the desired "profile" rather than inferring from
> input parameters would be all that is needed to support more use cases
> in the future.
I'd prefer to not add another parameter. Another option would be to
have different entry points depending on what gets returned, or
different entry points for each profile.
-- Dick
How the user authenticates to the AS in the Web App profile is out of
scope in WRAP, so you can do your scenario with the existing spec
unless I am misunderstaning something.
>>
>>> I think Dick's proposal to write it up as a different profile
>>> probably
>>> makes the most sense. What might be nice is a protocol way to
>>> determine whether the client wants a user delegation profile or an
>>> autonomous client profile. Currently this seems to be determined by
>>> the input parameters to the Authorization Server. Maybe a simple
>>> parameter identifying the desired "profile" rather than inferring
>>> from
>>> input parameters would be all that is needed to support more use
>>> cases
>>> in the future.
>>>
>>
>> I'd prefer to not add another parameter. Another option would be to
>> have different entry points depending on what gets returned, or
>> different entry points for each profile.
>>
> This is fine... Maybe we could use unique rel values (in XRD) to
> represent the two classes of profiles. This makes it easy from a
> deployment perspective to use different endpoints. That way whether
> the
> Authorization Server uses multiple endpoints or not is a deployment
> decision and still "transparent" to the client.
WRAP did not tackle discovery. Lots of good things happening there
that are complimentary.
Note that we are expecting advancement of OAuth WRAP to be in the IETF
OAuth WG. Adding a new profile would be fine to do here though.
-- Dick
Now I know I said there was no user involved, but role accounts are
people too. =)