From: Eran Hammer-Lahav <eran@hueniverse.com>
To: Yaron Goland <yarong@microsoft.com>,
 James Manger <James.H.Manger@team.telstra.com>, OAuth WG <oauth@ietf.org>
Date: Wed, 23 Jun 2010 11:03:48 -0700
Message-ID: <C8479A94.363F3%eran@hueniverse.com>
In-Reply-To: <7C01E631FF4B654FA1E783F1C0265F8C579C6DC3@TK5EX14MBXC117.redmond.corp.microsoft.com>
Subject: Re: [OAUTH-WG] OAuth discovery draft?
List-Id: OAUTH WG <oauth.ietf.org>


I think the core work is pretty stable now, unlike the discovery bits which
(while simple) are not enjoying the same level of consensus. I think it is
much more practical to propose them as a separate document and perhaps
consider merging them later on when they reach an equal level of stability.
But overall, I'm not too worried about multiple documents.

EHL


On 6/23/10 11:00 AM, "Yaron Goland" <yarong@microsoft.com> wrote:

I've been noodling [1] a lot about full delegation in OAuth [2] and one of
the issues that came out of that was the need for discovering both the
location and realm of an endpoint's token server. But at least for my use
cases (which consist of walking up to a service and making an options
request and getting back a www-authenticate header) all I need back is a
realm and a token server URL. In other words just having one argument added
to our www-authenticate header would be enough to solve the case where
someone wants to walk up to a service and find out where its token server
is. Does that really need its own spec? Or can we just add an argument to
www-authenticate in the current spec?
        Thanks,
                Yaron

[1] See http://www.goland.org/oauthgenericdelegation/ for an overview of my
thinking on full delegation in OAuth. At the very end are links to a bunch
of other much more in-depth articles on particular subjects touched on in
the main article.

[2] I define 'full delegation' as "User X of Service Y grants permission Z
to User A of Service B". Currently OAuth requires X == A. In the future I
hope to see extensions to OAuth that enable what I'm terming 'full
delegation'. But personally I'm really happy that OAuth has the X==A
restriction. It simplifies a whole host of issues and satisfies a really
important use case.

> -----Original Message-----
> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf
> Of Eran Hammer-Lahav
> Sent: Monday, June 21, 2010 9:50 PM
> To: Manger, James H; OAuth WG (oauth@ietf.org)
> Subject: Re: [OAUTH-WG] OAuth discovery draft?
>
> Yes, it's on my desk and not yet ready, but I am working on one. It includes
> your sites proposal among other things. I am trying to get the core spec
> stable this week and focus on that next.
>
> EHL
>
> > -----Original Message-----
> > From: Manger, James H [mailto:James.H.Manger@team.telstra.com]
> > Sent: Monday, June 21, 2010 8:03 PM
> > To: Eran Hammer-Lahav; OAuth WG (oauth@ietf.org)
> > Subject: OAuth discovery draft?
> >
> > Eran,
> >
> > There have been a few mentions recently of an OAuth discovery draft.
> > Is there any such draft yet, or is this just a part that we know needs
> > to be done?
> >
> > The email on "OAuth meeting notes on -05 (with updates)" said:
> >
> > >> 6.1.1. - describing the WWW-Authenticate response header
> > >>
> > >> - Discovery needed for various elements
> > >
> > > Yes. That's for the discovery draft.
> >
> >
> > A wiki page on "Future OpenID Technical Requirements"
> > <http://wiki.openid.net/Future-OpenID-Technical-Requirements> says:
> >
> > > 6) IdP Discovery
> > >
> > >    * Much of this will be covered by OAuth2 Discovery,
> > >      however OIC may need to define OpenID specific features.
> > >...
> > > 17) Simpler discovery
> > >
> > >    * See Eran's OAuth Discovery proposal
> >
> >
> > There was an OAuth 1.0 Discovery draft over 2 years ago, but that is tagged:
> > "expired", "marked as obsolete by its author", "discouraged from
> > implementing", "no update is expected", "replaced by the OAuth 2.0
> > effort".
> >
> > I know I should write a discovery draft myself.
> >
> > --
> > James Manger
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
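The discovery flow Yaron describes above (an OPTIONS request answered by a www-authenticate challenge carrying a realm plus a token server URL), worked through as a client-side parser. This is an added example, not code from the thread or from any OAuth draft; the `token_server` parameter name and the sample challenge are assumptions, since the thread only says one extra argument would be needed.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: the challenge a client might get back from an OPTIONS
# request. "token_server" is a hypothetical parameter name assumed here.
SAMPLE_CHALLENGE = (
    'OAuth realm="Example Photos", '
    'token_server="https://auth.example.com/token", '
    'error="invalid_token"'
)

# RFC 2617 auth-param: token "=" ( token | quoted-string ), comma-separated.
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_PARAM_RE = re.compile(
    r'\s*(' + _TOKEN + r')\s*=\s*'
    r'(?:"((?:[^"\\]|\\.)*)"|(' + _TOKEN + r'))\s*(?:,|$)'
)

def parse_challenge(header):
    """Split a WWW-Authenticate value into (scheme, {param: value})."""
    scheme, _, rest = header.strip().partition(" ")
    params, pos = {}, 0
    while pos < len(rest):
        m = _PARAM_RE.match(rest, pos)
        if not m:
            raise ValueError("malformed auth-param at offset %d" % pos)
        quoted, bare = m.group(2), m.group(3)
        # quoted-string: drop the quotes and undo backslash escapes
        value = re.sub(r"\\(.)", r"\1", quoted) if quoted is not None else bare
        params[m.group(1).lower()] = value
        pos = m.end()
    return scheme, params

def discover_token_server(header):
    """Return (realm, token_server_url) from an OAuth challenge. The challenge
    arrives unauthenticated, so only an absolute https URL is accepted."""
    scheme, params = parse_challenge(header)
    if scheme.lower() != "oauth":
        raise ValueError("not an OAuth challenge: %r" % scheme)
    realm, url = params.get("realm"), params.get("token_server")
    if realm is None or url is None:
        raise ValueError("challenge lacks realm or token_server")
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("token_server must be an absolute https URL")
    return realm, url
```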


