Re: [OAUTH-WG] Facebook, OAuth, and WRAP

John Panzer <jpanzer@google.com> Wed, 25 November 2009 06:16 UTC

In-Reply-To: <a9d9121c0911241635p4f2cc394vefe350b2ce3daa22@mail.gmail.com>
References: <148C596691F29F4EA6968577BE2CDFAE06A1B9FE@SC-MBXC1.TheFacebook.com> <a9d9121c0911241635p4f2cc394vefe350b2ce3daa22@mail.gmail.com>
From: John Panzer <jpanzer@google.com>
Date: Tue, 24 Nov 2009 22:15:30 -0800
Message-ID: <cb5f7a380911242215x5d364b2fmc56a4aea19141dec@mail.gmail.com>
To: Mike Malone <mjmalone@gmail.com>
Cc: Naitik Shah <naitik@facebook.com>, Luke Shepard <lshepard@facebook.com>, Brent Goldman <brent@facebook.com>, "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Facebook, OAuth, and WRAP

On Tue, Nov 24, 2009 at 4:35 PM, Mike Malone <mjmalone@gmail.com> wrote:

> On Tue, Nov 24, 2009 at 10:57 AM, David Recordon
> <davidrecordon@facebook.com> wrote:
> >
> > The largest issue in Facebook moving to OAuth 1.0 (and yes, Eran's new
> > RFC is awesome) is the increase in the number of HTTP requests that
> > developers will need to make in comparison to our current authentication
> > mechanism.
>
> The OAuth _flow_ (in a browser) requires a couple of additional requests
> compared to Facebook Connect (in a browser). But Facebook Connect is
> really a different beast since it relies on the Browser and JavaScript
> to magically set cookies cross domain and whatnot. I agree that it's
> non-trivial to extend OAuth to cover this use case (we've sort of done
> it at Six Apart and the flow is clunky and complicated). And even if
> you figure out how to make the flow work you can't really make
> requests purely on the client side without compromising your consumer
> secret.
>
> That said, as far as I can tell, using OAuth for delegated
> communication via an intermediary (a web app or iPhone app, for
> example) should be doable for Facebook. The only real differences I
> see between OAuth and WRAP for this use case are:
>  * WRAP requires SSL instead of signing URLs
>

Aside: If an SP specified OAuth PLAINTEXT signature mode, and used https:
URLs for its API, would there be any effective difference between OAuth and
WRAP for that SP? (As best I can tell the only difference would be a
mandated %26 character in the OAuth blob you pass in to get access, but I
may be missing something.)
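To make the "%26 in the blob" point concrete, here is an added example (not code from this thread or from any of the implementations mentioned) of what an OAuth 1.0 PLAINTEXT request looks like and how a server verifies it: the signature is just the two percent-encoded secrets joined by "&", and that "&" is encoded again as "%26" when the signature is placed in the Authorization header. The secret values are constructed for the example, and `lookup_secrets` is a hypothetical stand-in for the SP's key store; since the secrets travel in the clear inside TLS, this mode is only meaningful on https: URLs.

```python
import hmac
from urllib.parse import quote, unquote


def oauth_encode(value: str) -> str:
    """OAuth 1.0 percent-encoding: only ALPHA, DIGIT, '-', '.', '_', '~' stay literal;
    everything else is UTF-8 encoded with uppercase hex (e.g. '/' -> '%2F')."""
    return quote(value.encode("utf-8"), safe="-._~")


def plaintext_signature(consumer_secret: str, token_secret: str = "") -> str:
    """PLAINTEXT 'signature': encoded consumer secret, '&', encoded token secret."""
    return oauth_encode(consumer_secret) + "&" + oauth_encode(token_secret)


def authorization_header(consumer_key: str, token: str,
                         consumer_secret: str, token_secret: str) -> str:
    """Build the client's Authorization header. Each parameter value is percent-encoded
    once more, so the '&' inside the signature appears on the wire as '%26'."""
    params = [("oauth_consumer_key", consumer_key), ("oauth_token", token),
              ("oauth_signature_method", "PLAINTEXT"),
              ("oauth_signature", plaintext_signature(consumer_secret, token_secret))]
    return "OAuth " + ", ".join(f'{k}="{oauth_encode(v)}"' for k, v in params)


def parse_authorization_header(header: str) -> dict:
    """Split 'OAuth k="v", k="v"' into a dict, decoding each value once."""
    scheme, _, rest = header.partition(" ")
    if scheme != "OAuth":
        raise ValueError("not an OAuth Authorization header")
    params = {}
    for part in rest.split(","):
        key, _, value = part.strip().partition("=")
        params[key] = unquote(value.strip('"'))
    return params


def verify_plaintext(header: str, lookup_secrets) -> bool:
    """Server side: recompute the expected signature from the stored secrets for this
    consumer key / token and compare in constant time. lookup_secrets(consumer_key, token)
    is a hypothetical key-store hook returning (consumer_secret, token_secret)."""
    params = parse_authorization_header(header)
    if params.get("oauth_signature_method") != "PLAINTEXT" or "oauth_consumer_key" not in params:
        return False
    consumer_secret, token_secret = lookup_secrets(params["oauth_consumer_key"],
                                                   params.get("oauth_token", ""))
    expected = plaintext_signature(consumer_secret, token_secret)
    return hmac.compare_digest(expected.encode(), params.get("oauth_signature", "").encode())
```

Compare this with WRAP, where the client would send the single access token value directly; the PLAINTEXT header above carries the same kind of shared secret, just split in two and double-encoded.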