IETF Logo Mail Archive

Re: [OAUTH-WG] Issue: Split the authorization endpoint into two endpoints (OpenId comparison)

Torsten Lodderstedt <torsten@lodderstedt.net> Sat, 17 April 2010 08:22 UTC

Return-Path: <torsten@lodderstedt.net>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id B31153A6B04 for <oauth@core3.amsl.com>; Sat, 17 Apr 2010 01:22:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.661
X-Spam-Level:
X-Spam-Status: No, score=-1.661 tagged_above=-999 required=5 tests=[AWL=-0.013, BAYES_00=-2.599, HELO_EQ_DE=0.35, HTML_MESSAGE=0.001, J_CHICKENPOX_64=0.6]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id F9xr2XmoN94A for <oauth@core3.amsl.com>; Sat, 17 Apr 2010 01:22:19 -0700 (PDT)
Received: from smtprelay02.ispgateway.de (smtprelay02.ispgateway.de [80.67.31.36]) by core3.amsl.com (Postfix) with ESMTP id CBD683A67FE for <oauth@ietf.org>; Sat, 17 Apr 2010 01:22:10 -0700 (PDT)
Received: from p4fff3dd0.dip.t-dialin.net ([79.255.61.208] helo=[127.0.0.1]) by smtprelay02.ispgateway.de with esmtpa (Exim 4.68) (envelope-from <torsten@lodderstedt.net>) id 1O33Hk-0008IW-Vp; Sat, 17 Apr 2010 10:21:53 +0200
Message-ID: <4BC96F9E.3050208@lodderstedt.net>
Date: Sat, 17 Apr 2010 10:21:50 +0200
From: Torsten Lodderstedt <torsten@lodderstedt.net>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; de; rv:1.9.1.9) Gecko/20100317 Thunderbird/3.0.4
MIME-Version: 1.0
To: Eran Hammer-Lahav <eran@hueniverse.com>
References: <C7EE1BC4.32432%eran@hueniverse.com>
In-Reply-To: <C7EE1BC4.32432%eran@hueniverse.com>
Content-Type: multipart/alternative; boundary="------------070800010303040201000008"
X-Df-Sender: 141509
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Issue: Split the authorization endpoint into two endpoints (OpenId comparison)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 17 Apr 2010 08:22:27 -0000

sounds good.

One question arose: OpenId has the same design challenge. There are 
direct calls, like "associate", as well as indirect calls, like 
"checkid_setup". OpenId uses a single endpoint on the OP and 
differentiate the request types via the openid.mode parameter.

Does anyone know why OpenId want that way?

Am 16.04.2010 22:51, schrieb Eran Hammer-Lahav:
> I'll split them to: Authorization endpoint and Toke endpoint. In the 
> WWW-Authenticate header I'll add a parameter for each (instead of one) 
> for lightweight discovery (which we can keep, change, or drop later).
>
> EHL
>
>
> On 4/15/10 6:22 PM, "James Manger" <James.H.Manger@team.telstra.com> 
> wrote:
>
>     I strongly favour specifying 2 separate endpoints: one for where
>     to redirect a user, another for direct client calls.
>
>     I agree with Marius that these two endpoints are different enough
>     to be separate.
>     One is only used by users via browsers. The other is only used by
>     client apps. These are different populations, using different
>     authentication mechanisms, with different performance
>     requirements, and different technologies.
>
>     The use of a type parameter is a poor tool to distinguishes these
>     cases.
>
>     I guess 1 URI could default to the other if not defined.
>     1 URI could be allowed to be relative to the other to save some bytes.
>
>     --
>     James Manger
>
>
>     -----Original Message-----
>     From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On
>     Behalf Of Eran Hammer-Lahav
>     Sent: Friday, 16 April 2010 4:41 AM
>     To: OAuth WG
>     Subject: [OAUTH-WG] Issue: Split the authorization endpoint into
>     two endpoints
>
>     OAuth 2.0 defines a single authorization endpoint with a 'type'
>     parameter
>     for the various flows and flow steps. There are two types of calls
>     made to
>     the authorization endpoint:
>
>     - Requests for Access - requests in which an end user interacts
>     with the
>     authorization server, granting client access.
>
>     - Requests for Token - requests in which the client uses a
>     verification code
>     or other credentials to obtain an access token. These requests require
>     SSL/TLS because they always result in the transmission of plaintext
>     credentials in the response and sometimes in the request.
>
>     A proposal has been made to define two separate endpoints due to the
>     different nature of these endpoints:
>
>     On 4/6/10 4:06 PM, "Marius Scurtescu" <mscurtescu@google.com> wrote:
>
>     > Constraints for endpoints:
>     > access token URL: HTTPS and POST only, no user
>     > user authentication URL: HTTP or HTTPS, GET or POST,
>     authenticated user
>     >
>     > In many cases the above constraints can be enforced with
>     configuration
>     > that sits in front of the controllers implementing these endpoints.
>     > For example, Apache config can enforce SSL and POST. Same can be done
>     > in a Java filter. Also a Java filter can enforce that only
>     > authenticated users hit the endpoint, it can redirect to a login page
>     > if needed.
>     >
>     > By keeping two different endpoints all of the above is much simpler.
>     > Nothing prevents an authz server to collapse these two into one
>     > endpoint.
>
>     While requests for access do not require HTTPS, they should
>     because they
>     involve authenticating the end user. As for enforcing HTTP methods
>     (GET,
>     POST), this is simple to do both at the server configuration level or
>     application level.
>
>     On the other hand, having a single endpoint makes the
>     specification simpler,
>     and more importantly, makes discovery trivial as a 401 response
>     needs to
>     include a single endpoint for obtaining a token regardless of the
>     flow (some
>     flows use one, others two steps).
>
>     A richer discovery later can use LRDD on the single authorization
>     endpoint
>     to obtain an XRD describing the flows and UI options provided by
>     the server.
>     But this is outside our scope.
>
>     Proposal: No change. Keep the single authorization endpoint and
>     require
>     HTTPS for all requests.
>
>     EHL
>
>
>
>
>
>     _______________________________________________
>     OAuth mailing list
>     OAuth@ietf.org
>     https://www.ietf.org/mailman/listinfo/oauth
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>

v2.23.0 | Report a Bug | By Email