Re: [OAUTH-WG] OAuth vs OAuth2 in Authorization header

"William Mills" <wmills@yahoo-inc.com> Thu, 15 July 2010 23:54 UTC

Date: Thu, 15 Jul 2010 16:53:50 -0700
Message-ID: <012AB2B223CB3F4BB846962876F47217059B6CF0@SNV-EXVS08.ds.corp.yahoo.com>
In-Reply-To: <AANLkTikcllLVzOkJbSpZZI911F3IQxG0CYvvzTtQ30wG@mail.gmail.com>
From: William Mills <wmills@yahoo-inc.com>
To: Naitik Shah <n@daaku.org>, Torsten Lodderstedt <torsten@lodderstedt.net>
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] OAuth vs OAuth2 in Authorization header

Sure, but it's not easy to early branch; you have to actually parse the whole header. It's also fragile if extensions are not careful.


________________________________

	From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of Naitik Shah
	Sent: Thursday, July 15, 2010 4:38 PM
	To: Torsten Lodderstedt
	Cc: oauth@ietf.org
	Subject: Re: [OAUTH-WG] OAuth vs OAuth2 in Authorization header

	The formats for 1.0 and 2.0 are sufficiently different that it is possible to unambiguously figure out what version is being used.


	-Naitik
	
	
	On Thu, Jul 15, 2010 at 3:56 PM, Torsten Lodderstedt <torsten@lodderstedt.net> wrote:

		Where is the relation between token version and HTTP authentication scheme version?

		regards,
		Torsten.

		On 15.07.2010 23:34, Naitik Shah wrote:

			I thought we'd come to a decision on the versioning too :) IMHO, it's better to push this burden of versioning into the token itself if necessary. I think it's better from a developer's perspective to pass an oauth_token, because it's cleaner. Most deployments will already have versioned tokens to enable upgrading these for internal changes, so why can't the OAuth version be contained in there too? Given the option to simplify the implementation for an API provider (Big Company, or someone who has to know how OAuth works) vs API consumer (Developer, or someone who usually just wants some data), I hope everyone agrees our focus should be the Developer.

			While we (Facebook) didn't have OAuth 1.0 tokens to deal with and so don't have the same backward compatibility issues, we've already changed our tokens and introduced new ones a couple of times and this had no impact on the parameter name being used.


			-Naitik
			
			
			On Thu, Jul 15, 2010 at 10:51 AM, Justin Richer <jricher@mitre.org> wrote:
			

				It was discussed before, but I don't remember there being any consensus in the group. What are the practical reasons for not using "oauth2" namespacing in the one place we still use namespacing? Most of what I've heard seems to sound like "I don't like it to have a 2 on it".

				I don't want to have to set up the OAuth 2 system to have to catch failed cases of the OAuth 1 protocol. A good OAuth 2 call and a bad OAuth 1 call should be distinguishable from the start. Also, what about when we finally get a signed-request going? I would assume that that's going to add back in things like oauth_signature, oauth_nonce, and the other parameters whose absence you should filter on.

				 -- Justin
				

				On Thu, 2010-07-15 at 13:37 -0400, David Recordon wrote:
				> I thought this topic had been beaten to death before. An OAuth 1.0 protected resource request includes a variety of oauth_ parameters whereas OAuth 2.0 just has oauth_token.
				>
				> --David
				>
				> On Thu, Jul 15, 2010 at 10:12 AM, Brian Eaton <beaton@google.com> wrote:
				>         On Thu, Jul 15, 2010 at 7:59 AM, Justin Richer <jricher@mitre.org> wrote:
				>         > +1 on OAuth2 header, and I also want to see oauth2_token in URI and form parameter methods.
				>
				>         Good point about the query parameter names needing to be unambiguous.
				>
				>         _______________________________________________
				>         OAuth mailing list
				>         OAuth@ietf.org
				>         https://www.ietf.org/mailman/listinfo/oauth
				>
				
				
	
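Added example (not code from the thread or from any implementation its participants describe): a server-side check that parses a complete Authorization header and decides whether it is an OAuth 1.0 or OAuth 2.0 protected-resource request from the parameter set, which is the distinction David describes and the full-header parsing William objects to. It assumes both versions share the "OAuth" scheme name and that the 2.0 form carries only oauth_token, as the thread states; the header values are constructed placeholders.

```python
import re

# Parameters that only an OAuth 1.0 protected-resource request carries.
# Both versions use the same "OAuth" scheme name and both may carry
# oauth_token, so these names are the only signal that separates them.
OAUTH1_ONLY = frozenset({"oauth_consumer_key", "oauth_signature_method",
                         "oauth_signature", "oauth_timestamp", "oauth_nonce"})

# name="value" pairs; OAuth 1.0 values are percent-encoded, so no escapes.
_PARAM_RE = re.compile(r'([A-Za-z0-9_.-]+)="([^"]*)"')


def parse_oauth_header(value):
    """Return the name -> value dict of an 'OAuth ...' header, or None when
    the scheme is not OAuth. The whole header is consumed: nothing can be
    decided from the scheme name alone."""
    scheme, _, rest = value.strip().partition(" ")
    if scheme.lower() != "oauth":
        return None
    return {m.group(1): m.group(2) for m in _PARAM_RE.finditer(rest)}


def classify(value):
    """'oauth1', 'oauth2', 'unknown' or 'not-oauth'. A 1.0 request may list
    oauth_token first, so the first parameter cannot decide either."""
    params = parse_oauth_header(value)
    if params is None:
        return "not-oauth"
    if params.keys() & OAUTH1_ONLY:
        return "oauth1"
    if "oauth_token" in params:
        return "oauth2"
    return "unknown"


# Constructed sample headers (values are placeholders, not real credentials).
OAUTH1_HEADER = ('OAuth realm="Example", oauth_token="tok-1", '
                 'oauth_consumer_key="client-1", oauth_signature_method="HMAC-SHA1", '
                 'oauth_timestamp="1279238400", oauth_nonce="n-1", '
                 'oauth_signature="c2lnLWV4YW1wbGU%3D", oauth_version="1.0"')
OAUTH2_HEADER = 'OAuth oauth_token="tok-2"'
# A 2.0 request to which an extension added a nonce: the parameter-set
# heuristic now reports 1.0, which is the fragility the thread points out.
EXTENDED_HEADER = 'OAuth oauth_token="tok-2", oauth_nonce="n-2"'

if __name__ == "__main__":
    for h in (OAUTH1_HEADER, OAUTH2_HEADER, EXTENDED_HEADER, "Basic dXNlcjpwdw=="):
        print(f"{classify(h):9} <- {h}")
```

A resource server that relies on this heuristic should treat "unknown" as a rejection rather than a fallback, and should pin down which parameter names extensions may add before it can trust the version decision.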