IETF Logo Mail Archive

Re: [OAUTH-WG] Partially standardized format for access tokens?

Peter Saint-Andre <stpeter@stpeter.im> Fri, 04 June 2010 15:46 UTC

Return-Path: <stpeter@stpeter.im>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id DFCBF3A6957 for <oauth@core3.amsl.com>; Fri, 4 Jun 2010 08:46:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.249
X-Spam-Level:
X-Spam-Status: No, score=-1.249 tagged_above=-999 required=5 tests=[AWL=-0.509, BAYES_20=-0.74]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LDdHbVYOuVkv for <oauth@core3.amsl.com>; Fri, 4 Jun 2010 08:46:03 -0700 (PDT)
Received: from stpeter.im (stpeter.im [207.210.219.233]) by core3.amsl.com (Postfix) with ESMTP id 4C9AC3A694A for <oauth@ietf.org>; Fri, 4 Jun 2010 08:46:03 -0700 (PDT)
Received: from squire.local (dsl-205-108.dynamic-dsl.frii.net [216.17.205.108]) (Authenticated sender: stpeter) by stpeter.im (Postfix) with ESMTPSA id C3A6C40E61 for <oauth@ietf.org>; Fri, 4 Jun 2010 09:45:48 -0600 (MDT)
Message-ID: <4C091FAB.5070603@stpeter.im>
Date: Fri, 04 Jun 2010 09:45:47 -0600
From: Peter Saint-Andre <stpeter@stpeter.im>
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1.9) Gecko/20100317 Thunderbird/3.0.4
MIME-Version: 1.0
To: oauth@ietf.org
References: <AANLkTinQTV9JJPiftquRbvdqAOHxUXk7QQKCMrmQ4LLK@mail.gmail.com> <B549E6C4-A24D-4032-8A26-89ED58EBAA34@facebook.com> <4C090B6C.9030707@aol.com> <B6D1E6FF-D65F-4FD6-B148-C17550421FC9@facebook.com> <1275664996.7068.102.camel@localhost.localdomain>
In-Reply-To: <1275664996.7068.102.camel@localhost.localdomain>
X-Enigmail-Version: 1.0.1
OpenPGP: url=http://www.saint-andre.com/me/stpeter.asc
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha1"; boundary="------------ms050009090401070504030108"
Subject: Re: [OAUTH-WG] Partially standardized format for access tokens?
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 04 Jun 2010 15:46:05 -0000

On 6/4/10 9:23 AM, Justin Richer wrote:
>> We should solve one problem at a time. It's easy to layer structure 
>> on top of an opaque blob in a separate spec. 
> 
> +1 to this. Token structure seems like a nice idea, but it's outside
> what should be dictated by the OAuth spec. We want people to be able to
> use OAuth to shuttle their existing tokens around, or create hexblobs
> that mean nothing to anyone else, or encode 37 fields in a structured
> format that's signed with a private key, or whatever else they want to
> do, and still have all of that be OAuth. If someone wants to say "we use
> OAuth and our tokens are UberTokens so they're compatible with everyone
> else", that's fine; but you should be fully able to do OAuth without
> adding *any* structure to your tokens whatsoever.

Agreed. And in true IETF fashion, I welcome those who care about this
issue to write an Internet-Draft. :)

BTW, it's possible that you might glean some interesting ideas from a
previous attempt to define an open token format (for cookies):

http://tools.ietf.org/html/draft-smith-opentoken-02

Peter

-- 
Peter Saint-Andre
https://stpeter.im/

v2.23.0 | Report a Bug | By Email