IETF Logo Mail Archive

Re: [OAUTH-WG] OAuth vs OAuth2 in Authorization header

Luke Shepard <lshepard@facebook.com> Thu, 15 July 2010 18:24 UTC

Return-Path: <lshepard@facebook.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 4B9193A69F5 for <oauth@core3.amsl.com>; Thu, 15 Jul 2010 11:24:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.751
X-Spam-Level:
X-Spam-Status: No, score=-1.751 tagged_above=-999 required=5 tests=[AWL=0.650, BAYES_00=-2.599, HELO_MISMATCH_COM=0.553, HOST_MISMATCH_NET=0.311, IP_NOT_FRIENDLY=0.334, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cbPUm19MSlsn for <oauth@core3.amsl.com>; Thu, 15 Jul 2010 11:24:10 -0700 (PDT)
Received: from mx-out.facebook.com (outmail023.snc1.tfbnw.net [69.63.178.182]) by core3.amsl.com (Postfix) with ESMTP id 723F83A6902 for <oauth@ietf.org>; Thu, 15 Jul 2010 11:24:10 -0700 (PDT)
Received: from [10.18.255.121] ([10.18.255.121:10743] helo=mail.thefacebook.com) by mta004.snc1.facebook.com (envelope-from <lshepard@facebook.com>) (ecelerity 2.2.2.45 r(34067)) with ESMTP id A0/37-15591-5525F3C4; Thu, 15 Jul 2010 11:24:21 -0700
Received: from SC-MBX06.TheFacebook.com ([169.254.5.94]) by sc-hub04.TheFacebook.com ([fe80::8df5:7f90:d4a0:bb9%11]) with mapi; Thu, 15 Jul 2010 11:24:20 -0700
From: Luke Shepard <lshepard@facebook.com>
To: Justin Richer <jricher@mitre.org>
Thread-Topic: [OAUTH-WG] OAuth vs OAuth2 in Authorization header
Thread-Index: AQHLI+AFCubwzq32zUudFjbZypq1V5Kyij6AgAAlSQCAAAb8AIAAA8yAgAAJKwA=
Date: Thu, 15 Jul 2010 18:24:20 +0000
Message-ID: <74AEEFD7-04B3-4B28-970E-0DB554728BED@facebook.com>
References: <AANLkTim6az--AdwmEoew2pz3kEjhc_GyEaiyo_0UhSRr@mail.gmail.com> <1279205969.18579.55.camel@localhost.localdomain> <AANLkTildz62l2Me26Dlrv5nNmp8Z3P8JD1K-ChcWc5IO@mail.gmail.com> <AANLkTill8k-fUFt-IZLWdZinScj4fSBoI4rAiAf1PrYR@mail.gmail.com> <1279216291.18579.61.camel@localhost.localdomain>
In-Reply-To: <1279216291.18579.61.camel@localhost.localdomain>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Content-Type: text/plain; charset="us-ascii"
Content-ID: <50622063-b812-4985-8964-df3482cc153b>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] OAuth vs OAuth2 in Authorization header
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 15 Jul 2010 18:24:11 -0000

On Jul 15, 2010, at 10:51 AM, Justin Richer wrote:

> It was discussed before, but I don't remember there being any consensus
> in the group. What are the practical reasons for not using "oauth2"
> namespacing in the one place we still use namespacing? Most of what I've
> heard seems to sound like "I don't like it to have a 2 on it". 

I don't like it to have a 2 in it.

> I don't want to have to set up the OAuth 2 system to have to catch
> failed cases of the OAuth 1 protocol. A good OAuth 2 call and a bad
> OAuth 1 call should be distinguishable from the start. Also, what about
> when we finally get a signed-request going? I would assume that that's
> going to add back in things like oauth_signature, oauth_nonce, and the
> other parameters whose absence you should filter on. 

The latest signature discussions have all focused on a single, self-contained, signed parameter that includes both data and signature. I think it's unlikely that we will introduce the plethora of parameters that we had in OAuth 1.0.

> -- Justin
> 
> On Thu, 2010-07-15 at 13:37 -0400, David Recordon wrote:
>> I thought this topic had been beaten to death before. An OAuth 1.0
>> protected resource request includes a variety of oauth_ parameters
>> whereas OAuth 2.0 just has oauth_token.
>> 
>> 
>> --David
>> 
>> 
>> On Thu, Jul 15, 2010 at 10:12 AM, Brian Eaton <beaton@google.com>
>> wrote:
>>        On Thu, Jul 15, 2010 at 7:59 AM, Justin Richer
>>        <jricher@mitre.org> wrote:
>>> +1 on OAuth2 header, and I also want to see oauth2_token in
>>        URI and form
>>> parameter methods.
>> 
>> 
>>        Good point about the query parameter names needing to be
>>        unambiguous.
>> 
>>        _______________________________________________
>>        OAuth mailing list
>>        OAuth@ietf.org
>>        https://www.ietf.org/mailman/listinfo/oauth
>> 
>> 
>> 
> 
> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

v2.37.1 | Report a Bug | By Email | System Status