Re: [OAUTH-WG] 2 Leg with OAuth 2.0

William Mills <> Tue, 29 November 2011 20:59 UTC


This isn't really OAuth, this is a trust relationship between A and B.  OAuth is providing an avenue for the user to approve access because the user owns the resource.  That's why this doesn't really fit what you are trying to do.

You could use MAC signatures to secure the transactions with a shared secret, sure.  Just decide on a single secret (or pair of secrets) to use in all cases, one for the client and one for the "user" secret, which isn't really a user secret, it's your global shared secret.


From: Brian Hawkins <>
To: "" <>
Sent: Tuesday, November 29, 2011 12:27 PM
Subject: Re: [OAUTH-WG] 2 Leg with OAuth 2.0

Maybe I'm making this harder than it should be.

Here is the situation:  Site A and B both trust each other.  Site A needs to update user information at site B.

With OAuth 1.0 Site A would use its consumer key and secret to sign the update call to Site B (no access token involved).  Only one message is sent.

The closest I can come to the above with OAuth 2.0 is to use the MAC token scheme and sign the request with the consumer secret.  Is that valid?  I kind of get the idea that the protocol doesn't care.

It feels like the bearer scheme just doesn't work for what I'm trying to do.



On Tue, Nov 29, 2011 at 1:06 PM, Eran Hammer-Lahav <> wrote:

> This functionality can be implemented in two main ways:
> 1. Using the client credentials flow to get an access token, then using the protocol as usual
> 2. Just using the Bearer (over SSL) or MAC token schemes without the rest of OAuth
>
>> [] On Behalf Of Brian Hawkins
>> Sent: Tuesday, November 29, 2011 11:49 AM
>> Subject: [OAUTH-WG] 2 Leg with OAuth 2.0
>>
>> I'm having trouble finding information on how to do 2leg authentication with OAuth 2.0.  Does it even support it?

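The option William and Eran describe, using the MAC token scheme directly with a shared client secret and no access token, as an added example that is not code from the thread. It assumes the normalized request string layout of the draft-ietf-oauth-v2-http-mac draft of the time (ts, nonce, method, URI, host, port, ext, each newline-terminated, HMAC-SHA1, base64) and constructs the client id, secret and request values; the verifier side shows the timestamp window and nonce replay check Site B would need.

```python
import base64, hashlib, hmac, re, secrets, time

# Constructed shared credential between Site A and Site B (not from the thread).
CLIENT_ID = "site-a"
CLIENT_SECRET = b"constructed-shared-secret"

def normalized_request(ts, nonce, method, uri, host, port, ext=""):
    # Normalized request string as in draft-ietf-oauth-v2-http-mac-00 (assumed layout).
    return "\n".join([str(ts), nonce, method.upper(), uri, host.lower(), str(port), ext]) + "\n"

def compute_mac(key, ts, nonce, method, uri, host, port, ext=""):
    msg = normalized_request(ts, nonce, method, uri, host, port, ext).encode()
    return base64.b64encode(hmac.new(key, msg, hashlib.sha1).digest()).decode()

def sign_request(method, uri, host, port, ts=None, nonce=None):
    # Site A: build the Authorization header; id is the client id, key the client secret.
    ts = int(time.time()) if ts is None else ts
    nonce = nonce or secrets.token_hex(8)
    mac = compute_mac(CLIENT_SECRET, ts, nonce, method, uri, host, port)
    return f'MAC id="{CLIENT_ID}", ts="{ts}", nonce="{nonce}", mac="{mac}"'

_PARAM = re.compile(r'(\w+)="([^"]*)"')

class Verifier:
    # Site B: maps client ids to secrets; rejects stale timestamps and replayed nonces.
    def __init__(self, creds, window=300):
        self.creds, self.window, self.seen = creds, window, set()

    def verify(self, header, method, uri, host, port, now=None):
        now = int(time.time()) if now is None else now
        if not header.startswith("MAC "):
            return False
        p = dict(_PARAM.findall(header[4:]))
        key = self.creds.get(p.get("id"))
        if key is None or not all(k in p for k in ("ts", "nonce", "mac")):
            return False
        try:
            ts = int(p["ts"])
        except ValueError:
            return False
        if abs(now - ts) > self.window:              # stale or future-dated request
            return False
        if (p["id"], ts, p["nonce"]) in self.seen:   # replay of an accepted request
            return False
        expected = compute_mac(key, ts, p["nonce"], method, uri, host, port)
        if not hmac.compare_digest(expected, p["mac"]):
            return False                             # tampered request or wrong secret
        self.seen.add((p["id"], ts, p["nonce"]))
        return True
```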