Re: [OAUTH-WG] oauth-bearer and rfc 2617/httpbis authentication framework
Julian Reschke <julian.reschke@gmx.de> Mon, 23 July 2012 07:57 UTC
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Cc: "oauth@ietf.org" <oauth@ietf.org>, IETF-Discussion <ietf@ietf.org>

On 2012-07-23 00:33, Stephen Farrell wrote:
>
> Hi all,
>
> I'd like to check that some recent minor changes to this
> document [1] don't cause technical or process-grief.
>
> The version [2] of the oauth bearer draft that underwent
> IETF LC and IESG evaluation had a normative dependency
> on the httpbis wg's authentication framework. [3]
>
> After resolving IESG discuss positions the authors and
> wg chairs felt that it would be better to replace the
> normative reference to the httpbis wg draft [3] with one
> to RFC 2617 [4] so that the OAuth drafts wouldn't be held
> in the RFC editor queue waiting on the httpbis wg to get
> done.
>
> I believe there is no impact on interop resulting from
> this change but there has been some disagreement about
> making it and how it was made. After some offlist discussion
> I think we now have an RFC editor note [5] that means that
> the current scheme of referring to RFC 2617 is ok.
> ...

Quoting:

> NEW:
>
> The "Authorization" header for this scheme follows the usage
> of the Basic scheme [RFC2617]. Note that, as with Basic, this
> is compatible with the general authentication framework
> being developed for HTTP 1.1 [I-D.ietf-httpbis-p7-auth], though
> does not follow the preferred practice outlined therein in
> order to reflect existing deployments. The syntax for Bearer
> credentials is as follows:

That helps, but it still hides the fact that the syntax is not
compatible with the RFC 2617 framework.

Also, s/header/header field/

Proposal:

"The syntax of the "Authorization" header field for this scheme
follows the usage of the Basic scheme defined in Section 2 of
[RFC2617]. Note that, as with Basic, it does not conform to the
generic syntax defined in Section 1.2 of [RFC2617], but that it is
compatible with the general authentication framework being
developed for HTTP 1.1 [I-D.ietf-httpbis-p7-auth], although it does
not follow the preferred practice outlined therein in order to
reflect existing deployments. The syntax for Bearer credentials is
as follows: ..."

Best regards, Julian
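
The syntax mismatch discussed in this message, shown as an added example that is not part of the original e-mail or of either specification: a Python check that classifies an Authorization field value as an RFC 2617 Section 1.2 auth-param list or as the single opaque token that Basic and Bearer carry. The regular expressions are a simplified reading of the RFC 2616/2617 grammar and of the b64token rule as later published in RFC 6750; the function names and sample values are constructed for illustration.

```python
import re

# RFC 2616 "token": any CHAR except CTLs and separators.
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
QUOTED = r'"(?:[^"\\]|\\.)*"'
# RFC 2617 Section 1.2: auth-param = token "=" ( token | quoted-string )
AUTH_PARAM = rf"{TOKEN}\s*=\s*(?:{TOKEN}|{QUOTED})"
# credentials = auth-scheme #auth-param
# (simplified here to require at least one parameter and no empty list elements)
RFC2617_GENERIC = re.compile(
    rf"({TOKEN})\s+{AUTH_PARAM}(?:\s*,\s*{AUTH_PARAM})*\s*")
# One opaque blob after the scheme, as Basic and Bearer send it
# (b64token in RFC 6750; "=" may only appear as trailing padding).
BLOB = re.compile(rf"({TOKEN}) +([A-Za-z0-9\-._~+/]+=*)")


def classify(value):
    """Return (scheme, form) for an Authorization field value."""
    value = value.strip()
    m = RFC2617_GENERIC.fullmatch(value)
    if m:
        return m.group(1), "auth-param-list"
    m = BLOB.fullmatch(value)
    if m:
        return m.group(1), "opaque-token"
    return None, "malformed"


def extract_bearer(value):
    """Strict resource-server parse: return the token only when the value
    is 'Bearer' followed by exactly one b64token, otherwise None."""
    m = BLOB.fullmatch(value.strip())
    if m and m.group(1).lower() == "bearer":  # scheme names are case-insensitive
        return m.group(2)
    return None


if __name__ == "__main__":
    samples = [  # constructed sample values
        'Digest username="alice", realm="example", nonce="abc123"',
        "Basic YWxpY2U6c2VjcmV0",
        "Bearer abc.DEF-123_~+/==",
        'Bearer token="abc"',
        "Bearer abc def",
    ]
    for s in samples:
        print(f"{s!r:65} -> {classify(s)}")
```

A parser written only against the Section 1.2 generic syntax rejects the Basic and Bearer samples, which is the incompatibility the proposed wording makes explicit.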