Re: [apps-discuss] Reserved URI query parameter in draft-ietf-oauth-v2-bearer

Dick Hardt <dick.hardt@gmail.com> Wed, 18 April 2012 17:15 UTC

A useful distinction that I had not previously understood, thanks.

On Apr 18, 2012, at 8:50 AM, William Mills wrote:

> OAuth 2.0 is different from 1.0 (and a) in that it's an auth framework that deals with getting the tokens, but leaves the use of them to the companion specs. I think this is what Eran is driving at, in the purest semantic sense. The OAuth 2.0 API doesn't deal with protected resources at all though, and the discussion about query parameters is all about the protected resource.
> 
> 
> From: Dick Hardt <dick.hardt@gmail.com>
> To: Eran Hammer <eran@hueniverse.com> 
> Cc: Ned Freed <ned.freed@mrochek.com>; Apps Discuss <apps-discuss@ietf.org>; "draft-ietf-oauth-v2-bearer.all@tools.ietf.org" <draft-ietf-oauth-v2-bearer.all@tools.ietf.org>; Mark Nottingham <mnot@mnot.net>; Pete Resnick <presnick@qualcomm.com>; Dick Hardt <dick.hardt@gmail.com> 
> Sent: Tuesday, April 17, 2012 12:31 PM
> Subject: Re: [apps-discuss] Reserved URI query parameter in draft-ietf-oauth-v2-bearer
> 
> Please elaborate on what the issue is then as protecting API resources is what OAuth is all about. 
> 
> On Apr 17, 2012, at 12:19 PM, Eran Hammer wrote:
> 
>> That has nothing to do with this issue. The protected resources API format was never part of OAuth at any time.
>>  
>> EH
>>  
>> From: Dick Hardt [mailto:dick.hardt@gmail.com] 
>> Sent: Tuesday, April 17, 2012 9:50 AM
>> To: Eran Hammer
>> Cc: Stephen Farrell; Mark Nottingham; Pete Resnick; Ned Freed; draft-ietf-oauth-v2-bearer.all@tools.ietf.org; Apps Discuss
>> Subject: Re: [apps-discuss] Reserved URI query parameter in draft-ietf-oauth-v2-bearer
>>  
>>  
>> On Apr 14, 2012, at 11:31 PM, Eran Hammer wrote:
>> 
>> 
>> (Sticking with the naivety:-) So, what's different there from how the base
>> oauth draft registers client_id and shows how that can be used in a GET
>> request? [1]
>> 
>> Big difference. The base draft specifies its own endpoints as part of a complete API package for obtaining authorization. These parameters are scoped only for the endpoints defined and not for any others. There is no possibility of conflict because the specification defines the entire namespace.
>> 
>> OTOH, the bearer spec is applied to *any* web resources using OAuth authentication where some other namespace definition must exist.
>>  
>>  
>> If we had kept it all in one spec as it had originally been drafted, this would not be an issue, and it would be easier for implementers to understand. I don't know of anyone looking to implement the bearer spec independent of the base spec. (would be interested if anyone does know of an implementation)
> 
> 