IETF Logo Mail Archive

Re: [OAUTH-WG] Clarification: Authorization scheme :: Token vs OAuth

Eran Hammer-Lahav <eran@hueniverse.com> Mon, 19 April 2010 21:31 UTC

Return-Path: <eran@hueniverse.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id BFF8D3A6ABB for <oauth@core3.amsl.com>; Mon, 19 Apr 2010 14:31:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.474
X-Spam-Level:
X-Spam-Status: No, score=-2.474 tagged_above=-999 required=5 tests=[AWL=0.125, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bz4VPZcl883c for <oauth@core3.amsl.com>; Mon, 19 Apr 2010 14:31:49 -0700 (PDT)
Received: from p3plex1out01.prod.phx3.secureserver.net (p3plex1out01.prod.phx3.secureserver.net [72.167.180.17]) by core3.amsl.com (Postfix) with SMTP id CD57C3A6937 for <oauth@ietf.org>; Mon, 19 Apr 2010 14:31:49 -0700 (PDT)
Received: (qmail 27380 invoked from network); 19 Apr 2010 21:31:41 -0000
Received: from unknown (HELO smtp.ex1.secureserver.net) (72.167.180.19) by p3plex1out01.prod.phx3.secureserver.net with SMTP; 19 Apr 2010 21:31:40 -0000
Received: from P3PW5EX1MB01.EX1.SECURESERVER.NET ([10.6.135.20]) by P3PW5EX1HT001.EX1.SECURESERVER.NET ([72.167.180.19]) with mapi; Mon, 19 Apr 2010 14:31:40 -0700
From: Eran Hammer-Lahav <eran@hueniverse.com>
To: Marius Scurtescu <mscurtescu@google.com>
Date: Mon, 19 Apr 2010 14:31:45 -0700
Thread-Topic: [OAUTH-WG] Clarification: Authorization scheme :: Token vs OAuth
Thread-Index: AcrgBEEWzqeEMeGZQOKPNbCKNHkPawAAqSRw
Message-ID: <90C41DD21FB7C64BB94121FBBC2E723438E5C7F2D2@P3PW5EX1MB01.EX1.SECURESERVER.NET>
References: <9CEC5DA2-6D5F-4CDB-80CD-D24F80E19969@gmail.com> <90C41DD21FB7C64BB94121FBBC2E723438E30A3796@P3PW5EX1MB01.EX1.SECURESERVER.NET> <s2t74caaad21004191006rb29139f6lc9082b6b94afbec9@mail.gmail.com> <90C41DD21FB7C64BB94121FBBC2E723438E5C7F16D@P3PW5EX1MB01.EX1.SECURESERVER.NET> <u2x74caaad21004191406g4558df0arcf3b9e3ba04ce8e7@mail.gmail.com>
In-Reply-To: <u2x74caaad21004191406g4558df0arcf3b9e3ba04ce8e7@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Clarification: Authorization scheme :: Token vs OAuth
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 19 Apr 2010 21:31:51 -0000

> -----Original Message-----
> From: Marius Scurtescu [mailto:mscurtescu@google.com]
> Sent: Monday, April 19, 2010 2:07 PM
> To: Eran Hammer-Lahav
> Cc: OAuth WG
> Subject: Re: [OAUTH-WG] Clarification: Authorization scheme :: Token vs
> OAuth
> 
> On Mon, Apr 19, 2010 at 11:06 AM, Eran Hammer-Lahav
> <eran@hueniverse.com> wrote:
> > Initially I don't think it is a problem because only OAuth 2 servers will use it.
> Later it becomes a question of discovery and what you do once you get such
> a challenge from a server you are unfamiliar with.
> 
> I think that many protected resource that will support OAuth 2 will also
> support other protocols, at least OAuth 1.0.

Ok. Don't see how this is relevant. Each will use its own WWW-Authenticate header.

> > I proposed Token because it is in line with other HTTP authentication
> schemes: Basic and Digest.
> >
> > The name really doesn't matter that much, but I rather not use OAuth (to
> avoid the need to add oauth_version=2.0 to every header), and I rather not
> use a version number in the scheme name. If you don't like Token, feel free
> to suggest something else. I think it is very accurate to what is being done.
> 
> Being so generic at some point it may require a parameter to tell what type
> of token is this. At that point I think that OAuth with a version or OAuth2 is
> better.

Same is true if we call it OAuth and someone will try to use it for something else. The exact thing happened with 1.0 with the so-called 2-legged use case. It had nothing to do with the original use case of the spec, but people found it very useful. At some point you have to use some form of discovery.

> > Also keep in mind that there are going to be other flows issuing tokens, and
> we already have both delegation and autonomous flows using the same
> scheme. So calling it OAuth doesn't really tell much more than Token. If I use
> a new flow to get a token, it doesn't really matter what happens as long as I
> end up with a token (with or without a secret).
> 
> True, but I don't think we are trying to solve token based authentication in
> general.

Actually, we are chartered to do just that [1]:

"The Working Group will also define a generally applicable HTTP authentication mechanism (i.e., browser-based "2-leg" scenerio)."

We can define an OAuth scheme and then another Token scheme. I just don't see the point.

EHL

[1] http://datatracker.ietf.org/wg/oauth/charter/

v2.23.0 | Report a Bug | By Email