Re: [OAUTH-WG] Facebook, OAuth, and WRAP

Mike Malone <mjmalone@gmail.com> Mon, 30 November 2009 22:52 UTC

In-Reply-To: <daf5b9570911301349h1836c921o223837edd22e37d1@mail.gmail.com>
References: <148C596691F29F4EA6968577BE2CDFAE06A1B9FE@SC-MBXC1.TheFacebook.com> <a9d9121c0911241635p4f2cc394vefe350b2ce3daa22@mail.gmail.com> <C6B20C22-ED3A-4714-943F-FEA0A2347045@facebook.com> <a9d9121c0911301144l7b08ba9l6acd358c29ae2b09@mail.gmail.com> <daf5b9570911301349h1836c921o223837edd22e37d1@mail.gmail.com>
Date: Mon, 30 Nov 2009 14:52:27 -0800
Message-ID: <a9d9121c0911301452w70b80375id04c27884a9d5597@mail.gmail.com>
From: Mike Malone <mjmalone@gmail.com>
To: Brian Eaton <beaton@google.com>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: quoted-printable
Cc: "oauth@ietf.org" <oauth@ietf.org>, Naitik Shah <naitik@facebook.com>, Luke Shepard <lshepard@facebook.com>
Subject: Re: [OAUTH-WG] Facebook, OAuth, and WRAP

On Mon, Nov 30, 2009 at 1:49 PM, Brian Eaton <beaton@google.com> wrote:
> On Mon, Nov 30, 2009 at 11:44 AM, Mike Malone <mjmalone@gmail.com> wrote:
>>> Good point about the tokens. One of us should make a list of all the terms
>>> in each spec, and then set up a mapping between the sets, to see if the
>>> number of concepts is really all that different.
>>
>> My informal list (from a cursory read of the spec):
>>  OAuth / WRAP
>>  Consumer / Client
>>  Request Token / Refresh Token
>
> WRAP has no equivalent of the request token.  The closest thing is the
> verification code.
>
>>  Access Token / Access Token
>>  Consumer Token / Client identifier & secret
>>  OAuth Verifier / Verification Code
>
> WRAP has a refresh token.  The closest OAuth analog is the session
> handle used in the scalable OAuth extension.

As far as I can tell, if we're treating everything as opaque strings,
the only real difference between a WRAP "refresh token" and an OAuth
"request token" is that a "refresh token" can be exchanged for an
"access token" multiple times in WRAP (since the access tokens
expire). Is there some other non-trivial difference that I'm missing?

Again, maybe I'm mistaken, but the verification code seems to be
included in WRAP to protect against the sort of session fixation
attack that OAuth 1.0 was susceptible to. In OAuth 1.0a the OAuth
Verifier was added to fix that vulnerability, which is why I said the
OAuth Verifier and WRAP Verification Code were essentially equivalent.

Mike
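The distinction drawn in the message above, an OAuth 1.0a request token that is authorized once and exchanged exactly once against a verifier, versus a WRAP refresh token that is exchanged for a fresh short-lived access token as often as needed, modelled as a toy in-memory authorization server. This is an added example, not code from the thread or from either specification; the `TokenServer` class and its method names are constructed for illustration.

```python
import secrets
import time


class TokenServer:
    """Constructed toy server modelling both token types from the thread."""

    def __init__(self, access_ttl=60):
        self.access_ttl = access_ttl
        self.request_tokens = {}  # token -> {"consumer": ..., "verifier": ...}
        self.refresh_tokens = {}  # token -> client identifier
        self.access_tokens = {}   # token -> expiry (unix seconds)

    # OAuth 1.0a side: request token -> authorize (verifier) -> access token
    def issue_request_token(self, consumer):
        tok = secrets.token_urlsafe(16)
        self.request_tokens[tok] = {"consumer": consumer, "verifier": None}
        return tok

    def authorize(self, request_token):
        # Resource owner approves; the 1.0a verifier is minted here and
        # travels back to the consumer via the user agent.
        rec = self.request_tokens[request_token]
        rec["verifier"] = secrets.token_urlsafe(8)
        return rec["verifier"]

    def exchange_request_token(self, consumer, request_token, verifier):
        # Single use: any exchange attempt consumes the request token, so a
        # wrong verifier cannot be retried against the same token.
        rec = self.request_tokens.pop(request_token, None)
        if rec is None or rec["consumer"] != consumer or rec["verifier"] is None:
            return None
        if not secrets.compare_digest(rec["verifier"], verifier):
            return None
        return self._mint_access()

    # WRAP side: refresh token -> access token, repeatable as tokens expire
    def issue_refresh_token(self, client):
        tok = secrets.token_urlsafe(16)
        self.refresh_tokens[tok] = client
        return tok

    def refresh(self, client, refresh_token):
        if self.refresh_tokens.get(refresh_token) != client:
            return None
        return self._mint_access()  # refresh token remains valid afterwards

    def _mint_access(self):
        tok = secrets.token_urlsafe(16)
        self.access_tokens[tok] = time.time() + self.access_ttl
        return tok

    def access_token_valid(self, tok, now=None):
        exp = self.access_tokens.get(tok)
        return exp is not None and (time.time() if now is None else now) < exp
```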