Re: [apps-discuss] Reserved URI query parameter in draft-ietf-oauth-v2-bearer
Eran Hammer <eran@hueniverse.com> Wed, 18 April 2012 03:28 UTC
Return-Path: <eran@hueniverse.com>
X-Original-To: apps-discuss@ietfa.amsl.com
Delivered-To: apps-discuss@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 45CA111E80D7 for <apps-discuss@ietfa.amsl.com>; Tue, 17 Apr 2012 20:28:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.598
X-Spam-Level:
X-Spam-Status: No, score=-2.598 tagged_above=-999 required=5 tests=[AWL=-0.000, BAYES_00=-2.599, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TYE4uF3b7yJO for <apps-discuss@ietfa.amsl.com>; Tue, 17 Apr 2012 20:28:44 -0700 (PDT)
Received: from p3plex2out04.prod.phx3.secureserver.net (p3plex2out04.prod.phx3.secureserver.net [184.168.131.18]) by ietfa.amsl.com (Postfix) with ESMTP id E24BC11E80D3 for <apps-discuss@ietf.org>; Tue, 17 Apr 2012 20:28:43 -0700 (PDT)
Received: from P3PWEX2HT002.ex2.secureserver.net ([184.168.131.10]) by p3plex2out04.prod.phx3.secureserver.net with bizsmtp id zFUj1i0010Dcg9U01FUjdW; Tue, 17 Apr 2012 20:28:43 -0700
Received: from P3PWEX2MB008.ex2.secureserver.net ([169.254.8.115]) by P3PWEX2HT002.ex2.secureserver.net ([184.168.131.10]) with mapi id 14.02.0247.003; Tue, 17 Apr 2012 20:28:43 -0700
From: Eran Hammer <eran@hueniverse.com>
To: Dick Hardt <dick.hardt@gmail.com>
Thread-Topic: [apps-discuss] Reserved URI query parameter in draft-ietf-oauth-v2-bearer
Thread-Index: AQHNHLofIuyx/camh0qzKFNvw3YPcpafZDIAgAB5GYCAAA6pQA==
Date: Wed, 18 Apr 2012 03:28:43 +0000
Message-ID: <0CBAEB56DDB3A140BA8E8C124C04ECA2FEE3DF@P3PWEX2MB008.ex2.secureserver.net>
References: <4F866AC0.3000603@qualcomm.com> <01OE8FW1U53G00ZUIL@mauve.mrochek.com> <82462DAA-5118-4108-AA5C-FBEBBC563D4E@mnot.net> <01OE921YMRSW00ZUIL@mauve.mrochek.com> <4F8898A9.8020806@cs.tcd.ie> <22B64109-DAFD-4F2A-B1DA-5950E732882A@mnot.net> <4F88AA3A.8040401@cs.tcd.ie> <0CBAEB56DDB3A140BA8E8C124C04ECA2FE83A2@P3PWEX2MB008.ex2.secureserver.net> <0608087F-1F83-4D19-9BA2-F2C58ED33F31@gmail.com> <0CBAEB56DDB3A140BA8E8C124C04ECA2FECDB0@P3PWEX2MB008.ex2.secureserver.net> <5837DDA7-19DC-4452-BD47-FFF6C674E179@gmail.com>
In-Reply-To: <5837DDA7-19DC-4452-BD47-FFF6C674E179@gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [64.74.213.174]
Content-Type: multipart/alternative; boundary="_000_0CBAEB56DDB3A140BA8E8C124C04ECA2FEE3DFP3PWEX2MB008ex2se_"
MIME-Version: 1.0
Cc: Ned Freed <ned.freed@mrochek.com>, "draft-ietf-oauth-v2-bearer.all@tools.ietf.org" <draft-ietf-oauth-v2-bearer.all@tools.ietf.org>, Apps Discuss <apps-discuss@ietf.org>, Mark Nottingham <mnot@mnot.net>, Pete Resnick <presnick@qualcomm.com>
Subject: Re: [apps-discuss] Reserved URI query parameter in draft-ietf-oauth-v2-bearer
X-BeenThere: apps-discuss@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: General discussion of application-layer protocols <apps-discuss.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/apps-discuss>, <mailto:apps-discuss-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/apps-discuss>
List-Post: <mailto:apps-discuss@ietf.org>
List-Help: <mailto:apps-discuss-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/apps-discuss>, <mailto:apps-discuss-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 18 Apr 2012 03:28:46 -0000
A site has a bunch of APIs. They want to use OAuth with Bearer tokens. They can no longer use the access_token parameter for their own use cases because the Bearer token specification creates a conflict. This conflict does not exist with the use of the header. It does exist with the use of the body if they have an access_token parameter already in use. The API format has nothing to do with OAuth, but the use of a query parameter leaks into that namespace. This isn't a critical issue. It is a hack - it has always been since it was introduced in OAuth 1.0. The issue raised was about web architecture in general and setting a precedence. I don't think it will likely to create real-world problems, but the same goes for not supporting this use case anymore (or at least explicitly marking it as deprecated, maybe even demoted to an appendix documenting historical use). While the violation of the provider namespace is a significant principal, I want to make sure my view isn't coming off as some severe warning. Either way, it is not a big deal IMO. EH From: Dick Hardt [mailto:dick.hardt@gmail.com] Sent: Tuesday, April 17, 2012 12:32 PM To: Eran Hammer Cc: Dick Hardt; Stephen Farrell; Mark Nottingham; Pete Resnick; Ned Freed; draft-ietf-oauth-v2-bearer.all@tools.ietf.org; Apps Discuss Subject: Re: [apps-discuss] Reserved URI query parameter in draft-ietf-oauth-v2-bearer Please elaborate on what the issue is then as protecting API resources is what OAuth is all about. On Apr 17, 2012, at 12:19 PM, Eran Hammer wrote: That has nothing to do with this issue. The protected resources API format was never part of OAuth at any time. EH From: Dick Hardt [mailto:dick.hardt@gmail.com]<mailto:[mailto:dick.hardt@gmail.com]> Sent: Tuesday, April 17, 2012 9:50 AM To: Eran Hammer Cc: Stephen Farrell; Mark Nottingham; Pete Resnick; Ned Freed; draft-ietf-oauth-v2-bearer.all@tools.ietf.org<mailto:draft-ietf-oauth-v2-bearer.all@tools.ietf.org>; Apps Discuss Subject: Re: [apps-discuss] Reserved URI query parameter in draft-ietf-oauth-v2-bearer On Apr 14, 2012, at 11:31 PM, Eran Hammer wrote: (Sticking with the naivety:-) So, what's different there from how the base oauth draft registers client_id and shows how that can be used in a GET request? [1] Big difference. The base draft specifies its own endpoints as part of a complete API package for obtaining authorization. These parameters are scoped only for the endpoints defined and not for any others. There is no possibility of conflict because the specification defines the entire namespace. OTOH, the bearer spec is applied to *any* web resources using OAuth authentication where some other namespace definition must exist. If we had kept it all in one spec as it had originally been drafted, this would not be an issue, and it would be easier for implementers to understand. I don't know of anyone looking to implement the bearer spec independent of the base spec. (would be interested if anyone does know of an implementation)
- [apps-discuss] Reserved URI query parameter in dr… Pete Resnick
- Re: [apps-discuss] Reserved URI query parameter i… Eran Hammer
- Re: [apps-discuss] Reserved URI query parameter i… Julian Reschke
- Re: [apps-discuss] Reserved URI query parameter i… Tim Bray
- Re: [apps-discuss] Reserved URI query parameter i… John C Klensin
- Re: [apps-discuss] Reserved URI query parameter i… Ned Freed
- Re: [apps-discuss] Reserved URI query parameter i… Mark Nottingham
- Re: [apps-discuss] Reserved URI query parameter i… Ned Freed
- Re: [apps-discuss] Reserved URI query parameter i… John C Klensin
- Re: [apps-discuss] Reserved URI query parameter i… John C Klensin
- Re: [apps-discuss] Reserved URI query parameter i… Stephen Farrell
- Re: [apps-discuss] Reserved URI query parameter i… Mark Nottingham
- Re: [apps-discuss] Reserved URI query parameter i… Tim Bray
- Re: [apps-discuss] Reserved URI query parameter i… Ned Freed
- Re: [apps-discuss] Reserved URI query parameter i… Stephen Farrell
- Re: [apps-discuss] Reserved URI query parameter i… Carsten Bormann
- Re: [apps-discuss] Reserved URI query parameter i… John C Klensin
- Re: [apps-discuss] Reserved URI query parameter i… Ned Freed
- Re: [apps-discuss] Reserved URI query parameter i… Tim Bray
- Re: [apps-discuss] Reserved URI query parameter i… Mike Jones
- Re: [apps-discuss] Reserved URI query parameter i… Dick Hardt
- Re: [apps-discuss] Reserved URI query parameter i… Dick Hardt
- Re: [apps-discuss] Reserved URI query parameter i… Eran Hammer
- Re: [apps-discuss] Reserved URI query parameter i… Stephen Farrell
- Re: [apps-discuss] Reserved URI query parameter i… Derek Atkins
- Re: [apps-discuss] Reserved URI query parameter i… William Mills
- Re: [apps-discuss] Reserved URI query parameter i… Stephen Farrell
- Re: [apps-discuss] Reserved URI query parameter i… William Mills
- Re: [apps-discuss] Reserved URI query parameter i… Eran Hammer
- Re: [apps-discuss] Reserved URI query parameter i… Mike Jones
- Re: [apps-discuss] Reserved URI query parameter i… Eran Hammer
- Re: [apps-discuss] Reserved URI query parameter i… Eran Hammer
- Re: [apps-discuss] Reserved URI query parameter i… Dick Hardt
- Re: [apps-discuss] Reserved URI query parameter i… Dick Hardt
- Re: [apps-discuss] Reserved URI query parameter i… Dick Hardt
- Re: [apps-discuss] Reserved URI query parameter i… William Mills
- Re: [apps-discuss] Reserved URI query parameter i… Mark Nottingham
- Re: [apps-discuss] Reserved URI query parameter i… Eran Hammer
- Re: [apps-discuss] Reserved URI query parameter i… Mark Nottingham
- Re: [apps-discuss] Reserved URI query parameter i… Mark Nottingham
- Re: [apps-discuss] Reserved URI query parameter i… Dick Hardt
- Re: [apps-discuss] Reserved URI query parameter i… Dick Hardt
- Re: [apps-discuss] Reserved URI query parameter i… Dick Hardt
- Re: [apps-discuss] Reserved URI query parameter i… Dick Hardt
- Re: [apps-discuss] Reserved URI query parameter i… Dick Hardt