IETF Logo Mail Archive

Re: [OAUTH-WG] Change grant_type="none" to something less confusing

"Manger, James H" <James.H.Manger@team.telstra.com> Tue, 20 July 2010 01:25 UTC

Return-Path: <James.H.Manger@team.telstra.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 70A3E3A68DE for <oauth@core3.amsl.com>; Mon, 19 Jul 2010 18:25:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.901
X-Spam-Level:
X-Spam-Status: No, score=-0.901 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599, HELO_EQ_AU=0.377, HOST_EQ_AU=0.327, RELAY_IS_203=0.994]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id o-FMVcHU903E for <oauth@core3.amsl.com>; Mon, 19 Jul 2010 18:25:40 -0700 (PDT)
Received: from ipxbno.tcif.telstra.com.au (ipxbno.tcif.telstra.com.au [203.35.82.204]) by core3.amsl.com (Postfix) with ESMTP id CAA3C3A6885 for <oauth@ietf.org>; Mon, 19 Jul 2010 18:25:38 -0700 (PDT)
X-IronPort-AV: E=Sophos;i="4.55,229,1278252000"; d="scan'208";a="6226283"
Received: from unknown (HELO ipcdni.tcif.telstra.com.au) ([10.97.216.212]) by ipobni.tcif.telstra.com.au with ESMTP; 20 Jul 2010 11:25:49 +1000
X-IronPort-AV: E=McAfee;i="5400,1158,6048"; a="4773262"
Received: from wsmsg3704.srv.dir.telstra.com ([172.49.40.197]) by ipcdni.tcif.telstra.com.au with ESMTP; 20 Jul 2010 11:25:52 +1000
Received: from WSMSG3153V.srv.dir.telstra.com ([172.49.40.159]) by WSMSG3704.srv.dir.telstra.com ([172.49.40.197]) with mapi; Tue, 20 Jul 2010 11:25:51 +1000
From: "Manger, James H" <James.H.Manger@team.telstra.com>
To: OAuth WG <oauth@ietf.org>
Date: Tue, 20 Jul 2010 11:26:25 +1000
Thread-Topic: [OAUTH-WG] Change grant_type="none" to something less confusing
Thread-Index: AcsnicRurGipo9LwR6iF/u6jNWkW2gAFpz1w
Message-ID: <255B9BB34FB7D647A506DC292726F6E11266423B3A@WSMSG3153V.srv.dir.telstra.com>
References: <1279297826.11628.61.camel@localhost.localdomain> <AANLkTinRE0My8GRTVrBM9cwyCWgrpeYQzul3YBp_Z-8A@mail.gmail.com> <AANLkTim_GpxKx2G6FQN9TGwMYxnRv4N7pOo7Yo3g2s6c@mail.gmail.com> <AANLkTinDwGDYq4IYA9BKJakdEMnR8FbruTqR4i_zS88p@mail.gmail.com> <AANLkTinbbIJ03UPFWibPJC569ckseU33Tnyf-1BYRGj2@mail.gmail.com> <AANLkTimfdpugQSgTMUPtLy-xOMIB-dJ4E8IMzB5EwU6R@mail.gmail.com> <AANLkTintmqhY1PY51h4DcXEI0r3FQmIB92pP3vykPQrw@mail.gmail.com> <3AF1FD6F-2178-42ED-833C-D93C534DDA8A@hueniverse.com> <AANLkTindn2UOcqWz410_UnyAORe58_XpXQKcy5sMt_pF@mail.gmail.com> <AA83846D-1817-4B51-9F3E-CA9DD91862D6@facebook.com> <AANLkTinrz-KCjHpeUCnDpJhRGRCHoY_nl3fKgNgivoxi@mail.gmail.com> <81CECB0D-6AFE-4E21-9211-86648FC6EAA8@hueniverse.com> <1279559831.6181.17.camel@localhost.localdomain> <AANLkTiliwXhXDmhW2Va_VZ_LPlPj0Ryg12QzHPtH7xCP@mail.gmail.com>
In-Reply-To: <AANLkTiliwXhXDmhW2Va_VZ_LPlPj0Ryg12QzHPtH7xCP@mail.gmail.com>
Accept-Language: en-US, en-AU
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US, en-AU
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Subject: Re: [OAUTH-WG] Change grant_type="none" to something less confusing
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 20 Jul 2010 01:25:41 -0000

grant_type=client_credential sounds ok.
An even better approach to addressing the discussions about grant_type and assertions would be to focus on the *token response* as a standalone media type, instead of focusing on a common token endpoint.

I don't think requiring the same token endpoint for the different flows is actually that helpful for anyone -- and it has caused confusion/complexity by *coupling* a variety of quite disparate flows (with a continuing debate on what is core vs extension).
Any particular app is likely to only be interested in one section 4 flow ("Obtaining an access token").
Services are free to use a common base URI for any section 4 flows even if that commonality isn't required by the spec.

A common token URI might help if there was a single way to discover it for all flows. So far there isn't, and I doubt there needs to be, nor should be.
Discovering a token endpoint by itself is not that useful. A client needs to know which flows work at that endpoint. Was discovery mentions a specific flow, it may as well provide the endpoint for that flow.

* The token endpoint to send an authorization code could be "discovered" from the code itself (make the code a URI).
* The token endpoint for an assertion flow could be discovered in the same place that describes the required assertion profile -- perhaps WS-MetadataExchange?
* The token endpoint to refresh a token should be discovered when the token is initially provided (ie as part of the token response media type -- make the token info self-descriptive).
* The token endpoint for a client to use on its own behalf should be provided as part of the signal that says the client needs to make this swap (eg a WWW-Auth response, either the same or different from the WWW-Auth response signalling user-delegation is supported).


draft-campbell-oauth-saml, for instance, could define an HTTP request with assertion_type and assertion parameters, and state that the result uses the token response media type. The media type is a cleaner dividing line between draft-campbell-oauth-saml and OAuth2 core.


-- 
James Manger

v2.23.0 | Report a Bug | By Email