Re: [OAUTH-WG] Mandatory-to-implement HTTP authentication scheme
John Bradley <ve7jtb@ve7jtb.com> Thu, 17 November 2011 13:34 UTC
Return-Path: <ve7jtb@ve7jtb.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A7A1211E80AD for <oauth@ietfa.amsl.com>; Thu, 17 Nov 2011 05:34:41 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.497
X-Spam-Level:
X-Spam-Status: No, score=-3.497 tagged_above=-999 required=5 tests=[AWL=0.102, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Fm1DgpxR25P6 for <oauth@ietfa.amsl.com>; Thu, 17 Nov 2011 05:34:41 -0800 (PST)
Received: from mail-yw0-f44.google.com (mail-yw0-f44.google.com [209.85.213.44]) by ietfa.amsl.com (Postfix) with ESMTP id EE6D911E8135 for <oauth@ietf.org>; Thu, 17 Nov 2011 05:34:40 -0800 (PST)
Received: by ywt34 with SMTP id 34so1241372ywt.31 for <oauth@ietf.org>; Thu, 17 Nov 2011 05:34:40 -0800 (PST)
Received: by 10.236.128.226 with SMTP id f62mr9137690yhi.104.1321536880460; Thu, 17 Nov 2011 05:34:40 -0800 (PST)
Received: from [192.168.1.2] ([190.22.90.255]) by mx.google.com with ESMTPS id c10sm5972628yhj.2.2011.11.17.05.34.35 (version=TLSv1/SSLv3 cipher=OTHER); Thu, 17 Nov 2011 05:34:39 -0800 (PST)
Mime-Version: 1.0 (Apple Message framework v1251.1)
Content-Type: text/plain; charset="us-ascii"
From: John Bradley <ve7jtb@ve7jtb.com>
In-Reply-To: <F58CC695-90E7-4B42-9ACB-6B661CBBEB51@cisco.com>
Date: Thu, 17 Nov 2011 10:34:33 -0300
Content-Transfer-Encoding: quoted-printable
Message-Id: <D1F5ABFF-81A4-4A1C-8E69-84AFD7AD71CB@ve7jtb.com>
References: <4E1F6AAD24975D4BA5B16804296739435F7217BB@TK5EX14MBXC285.redmond.corp.microsoft.com> <F58CC695-90E7-4B42-9ACB-6B661CBBEB51@cisco.com>
To: Matt Miller <mamille2@cisco.com>
X-Mailer: Apple Mail (2.1251.1)
Cc: Barry Leiba <barryleiba@computer.org>, oauth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Mandatory-to-implement HTTP authentication scheme
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 17 Nov 2011 13:34:41 -0000
Unless I am missing something this is about the HTTP authentication scheme that the protected resource MUST support. Token type is a bit of a misdirection. While it would be possible to use some profile of bearer with those other protocols, making a specific HTTP binding of MAC or Bearer MTI would preclude ever having a conforming version for SMTP. Not that there aren't other HTTP specific things in the spec that may also be an issue. I don't think that having a MTI token type/http authentication scheme alone gets us interoperability. I don't even know if OAuth 2.0 interoperability between two unrelated systems is a goal. Other specs like OpenID Connect have that goal. If I have to pick one authentication scheme as MTI for the protected resource it would be Bearer. John B. On 2011-11-17, at 6:24 AM, Matt Miller wrote: > Further clarification (-: This is not (or shortly will not be) limited to HTTP. There is work to use OAUTH over SASL, which opens it up to a much much broader audience (e.g. IMAP, SMTP, and XMPP). > >> 1. Should we specify some token type as mandatory to implement? Why or why not (*briefly*)? > > Yes. I believe it is necessary to provide a baseline for implementors, and will help make the "80% rule" easier; if "everyone" supports <x> then I will find client, authorization, and resource software that will "just work". I think this becomes even more important as OAuth is used with well-established resource servers (e.g. cloud-based XMPP service). > >> >> 2. If we do specify one, which token type should it be? >> > > I personally am ambivalent. > > On Nov 17, 2011, at 16:32, Mike Jones wrote: > >> Terminology correction: This discussion was actually about HTTP authentication schemes (Bearer, MAC, etc.), not token types (JWT, SAML, etc.). I've changed the subject line of the thread accordingly. >> >> -- Mike >> >> -----Original Message----- >> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of Barry Leiba >> Sent: Thursday, November 17, 2011 12:29 AM >> To: oauth WG >> Subject: [OAUTH-WG] Mandatory-to-implement token type >> >> Stephen, as AD, brought up the question of mandatory-to-implement token types, in the IETF 82 meeting. There was some extended discussion on the point: >> >> - Stephen is firm in his belief that it's necessary for interoperability. He notes that mandatory to *implement* is not the same as mandatory to *use*. >> - Several participants believe that without a mechanism for requesting or negotiating a token type, there is no value in having any type be mandatory to implement. >> >> Stephen is happy to continue the discussion on the list, and make his point clear. In any case, there was clear consensus in the room that we *should* specify a mandatory-to-implement type, and that that type be bearer tokens. This would be specified in the base document, and would make a normative reference from the base doc to the bearer token doc. >> >> We need to confirm that consensus on the mailing list, so this starts the discussion. Let's work on resolving this over the next week or so, and moving forward: >> >> 1. Should we specify some token type as mandatory to implement? Why or why not (*briefly*)? >> >> 2. If we do specify one, which token type should it be? >> >> Barry, as chair >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org >> https://www.ietf.org/mailman/listinfo/oauth >> >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org >> https://www.ietf.org/mailman/listinfo/oauth > > - m&m > > Matt Miller - <mamille2@cisco.com> > Collaboration Software Group - Cisco Systems, Inc. > > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth
- Re: [OAUTH-WG] Mandatory-to-implement HTTP authen… Mike Jones
- Re: [OAUTH-WG] Mandatory-to-implement HTTP authen… Matt Miller
- Re: [OAUTH-WG] Mandatory-to-implement HTTP authen… Anthony Nadalin
- Re: [OAUTH-WG] Mandatory-to-implement HTTP authen… John Bradley
- Re: [OAUTH-WG] Mandatory-to-implement HTTP authen… William Mills