Re: [OAUTH-WG] Issue: Split the authorization endpoint into two endpoints (OpenId comparison)
Torsten Lodderstedt <torsten@lodderstedt.net> Sat, 17 April 2010 08:22 UTC
Return-Path: <torsten@lodderstedt.net>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id B31153A6B04 for <oauth@core3.amsl.com>; Sat, 17 Apr 2010 01:22:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.661
X-Spam-Level:
X-Spam-Status: No, score=-1.661 tagged_above=-999 required=5 tests=[AWL=-0.013, BAYES_00=-2.599, HELO_EQ_DE=0.35, HTML_MESSAGE=0.001, J_CHICKENPOX_64=0.6]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id F9xr2XmoN94A for <oauth@core3.amsl.com>; Sat, 17 Apr 2010 01:22:19 -0700 (PDT)
Received: from smtprelay02.ispgateway.de (smtprelay02.ispgateway.de [80.67.31.36]) by core3.amsl.com (Postfix) with ESMTP id CBD683A67FE for <oauth@ietf.org>; Sat, 17 Apr 2010 01:22:10 -0700 (PDT)
Received: from p4fff3dd0.dip.t-dialin.net ([79.255.61.208] helo=[127.0.0.1]) by smtprelay02.ispgateway.de with esmtpa (Exim 4.68) (envelope-from <torsten@lodderstedt.net>) id 1O33Hk-0008IW-Vp; Sat, 17 Apr 2010 10:21:53 +0200
Message-ID: <4BC96F9E.3050208@lodderstedt.net>
Date: Sat, 17 Apr 2010 10:21:50 +0200
From: Torsten Lodderstedt <torsten@lodderstedt.net>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; de; rv:1.9.1.9) Gecko/20100317 Thunderbird/3.0.4
MIME-Version: 1.0
To: Eran Hammer-Lahav <eran@hueniverse.com>
References: <C7EE1BC4.32432%eran@hueniverse.com>
In-Reply-To: <C7EE1BC4.32432%eran@hueniverse.com>
Content-Type: multipart/alternative; boundary="------------070800010303040201000008"
X-Df-Sender: 141509
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Issue: Split the authorization endpoint into two endpoints (OpenId comparison)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 17 Apr 2010 08:22:27 -0000
sounds good. One question arose: OpenId has the same design challenge. There are direct calls, like "associate", as well as indirect calls, like "checkid_setup". OpenId uses a single endpoint on the OP and differentiate the request types via the openid.mode parameter. Does anyone know why OpenId want that way? Am 16.04.2010 22:51, schrieb Eran Hammer-Lahav: > I'll split them to: Authorization endpoint and Toke endpoint. In the > WWW-Authenticate header I'll add a parameter for each (instead of one) > for lightweight discovery (which we can keep, change, or drop later). > > EHL > > > On 4/15/10 6:22 PM, "James Manger" <James.H.Manger@team.telstra.com> > wrote: > > I strongly favour specifying 2 separate endpoints: one for where > to redirect a user, another for direct client calls. > > I agree with Marius that these two endpoints are different enough > to be separate. > One is only used by users via browsers. The other is only used by > client apps. These are different populations, using different > authentication mechanisms, with different performance > requirements, and different technologies. > > The use of a type parameter is a poor tool to distinguishes these > cases. > > I guess 1 URI could default to the other if not defined. > 1 URI could be allowed to be relative to the other to save some bytes. > > -- > James Manger > > > -----Original Message----- > From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On > Behalf Of Eran Hammer-Lahav > Sent: Friday, 16 April 2010 4:41 AM > To: OAuth WG > Subject: [OAUTH-WG] Issue: Split the authorization endpoint into > two endpoints > > OAuth 2.0 defines a single authorization endpoint with a 'type' > parameter > for the various flows and flow steps. There are two types of calls > made to > the authorization endpoint: > > - Requests for Access - requests in which an end user interacts > with the > authorization server, granting client access. > > - Requests for Token - requests in which the client uses a > verification code > or other credentials to obtain an access token. These requests require > SSL/TLS because they always result in the transmission of plaintext > credentials in the response and sometimes in the request. > > A proposal has been made to define two separate endpoints due to the > different nature of these endpoints: > > On 4/6/10 4:06 PM, "Marius Scurtescu" <mscurtescu@google.com> wrote: > > > Constraints for endpoints: > > access token URL: HTTPS and POST only, no user > > user authentication URL: HTTP or HTTPS, GET or POST, > authenticated user > > > > In many cases the above constraints can be enforced with > configuration > > that sits in front of the controllers implementing these endpoints. > > For example, Apache config can enforce SSL and POST. Same can be done > > in a Java filter. Also a Java filter can enforce that only > > authenticated users hit the endpoint, it can redirect to a login page > > if needed. > > > > By keeping two different endpoints all of the above is much simpler. > > Nothing prevents an authz server to collapse these two into one > > endpoint. > > While requests for access do not require HTTPS, they should > because they > involve authenticating the end user. As for enforcing HTTP methods > (GET, > POST), this is simple to do both at the server configuration level or > application level. > > On the other hand, having a single endpoint makes the > specification simpler, > and more importantly, makes discovery trivial as a 401 response > needs to > include a single endpoint for obtaining a token regardless of the > flow (some > flows use one, others two steps). > > A richer discovery later can use LRDD on the single authorization > endpoint > to obtain an XRD describing the flows and UI options provided by > the server. > But this is outside our scope. > > Proposal: No change. Keep the single authorization endpoint and > require > HTTPS for all requests. > > EHL > > > > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth >
- [OAUTH-WG] Issue: Split the authorization endpoin… Eran Hammer-Lahav
- Re: [OAUTH-WG] Issue: Split the authorization end… David Recordon
- Re: [OAUTH-WG] Issue: Split the authorization end… Manger, James H
- Re: [OAUTH-WG] Issue: Split the authorization end… John Kemp
- Re: [OAUTH-WG] Issue: Split the authorization end… Justin Richer
- Re: [OAUTH-WG] Issue: Split the authorization end… Luke Shepard
- Re: [OAUTH-WG] Issue: Split the authorization end… Evan Gilbert
- Re: [OAUTH-WG] Issue: Split the authorization end… David Recordon
- Re: [OAUTH-WG] Issue: Split the authorization end… Eran Hammer-Lahav
- Re: [OAUTH-WG] Issue: Split the authorization end… Marius Scurtescu
- Re: [OAUTH-WG] Issue: Split the authorization end… Manger, James H
- Re: [OAUTH-WG] Issue: Split the authorization end… Eran Hammer-Lahav
- Re: [OAUTH-WG] Issue: Split the authorization end… Manger, James H
- Re: [OAUTH-WG] Issue: Split the authorization end… Torsten Lodderstedt
- Re: [OAUTH-WG] Issue: Split the authorization end… Torsten Lodderstedt
- Re: [OAUTH-WG] Issue: Split the authorization end… Eran Hammer-Lahav
- Re: [OAUTH-WG] Issue: Split the authorization end… Manger, James H
- Re: [OAUTH-WG] Issue: Split the authorization end… Torsten Lodderstedt
- Re: [OAUTH-WG] Issue: Split the authorization end… Luke Shepard
- Re: [OAUTH-WG] Issue: Split the authorization end… Torsten Lodderstedt