Re: [OAUTH-WG] consistency of token param name in bearer token type
Eran Hammer-Lahav <eran@hueniverse.com> Wed, 15 June 2011 17:39 UTC
Return-Path: <eran@hueniverse.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 83CDE21F85F2 for <oauth@ietfa.amsl.com>; Wed, 15 Jun 2011 10:39:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.523
X-Spam-Level:
X-Spam-Status: No, score=-2.523 tagged_above=-999 required=5 tests=[AWL=0.076, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id e71hIRSdhmYj for <oauth@ietfa.amsl.com>; Wed, 15 Jun 2011 10:38:59 -0700 (PDT)
Received: from p3plex1out02.prod.phx3.secureserver.net (p3plex1out02.prod.phx3.secureserver.net [72.167.180.18]) by ietfa.amsl.com (Postfix) with SMTP id 448AC21F85F8 for <oauth@ietf.org>; Wed, 15 Jun 2011 10:38:59 -0700 (PDT)
Received: (qmail 7548 invoked from network); 15 Jun 2011 17:38:57 -0000
Received: from unknown (HELO smtp.ex1.secureserver.net) (72.167.180.20) by p3plex1out02.prod.phx3.secureserver.net with SMTP; 15 Jun 2011 17:38:56 -0000
Received: from P3PW5EX1MB01.EX1.SECURESERVER.NET ([10.6.135.19]) by P3PW5EX1HT002.EX1.SECURESERVER.NET ([72.167.180.20]) with mapi; Wed, 15 Jun 2011 10:38:46 -0700
From: Eran Hammer-Lahav <eran@hueniverse.com>
To: Mike Jones <Michael.Jones@microsoft.com>, David Recordon <recordond@gmail.com>, George Fletcher <gffletch@aol.com>
Date: Wed, 15 Jun 2011 10:38:26 -0700
Thread-Topic: [OAUTH-WG] consistency of token param name in bearer token type
Thread-Index: AQHMEGLvUtk/Y41LJU+xw7NH/M+2opSa0CjQgAgtbYCABOk9gIAAwn+AgABmmeCAFdUR4A==
Message-ID: <90C41DD21FB7C64BB94121FBBC2E7234475E986B03@P3PW5EX1MB01.EX1.SECURESERVER.NET>
References: <BANLkTim1VRggQ8W-7WHVcXboOaPr-RcN_A@mail.gmail.com> <4E1F6AAD24975D4BA5B1680429673943380F6A46@TK5EX14MBXC203.redmond.corp.microsoft.com> <BANLkTimQkzW7r-GV7cu67W4Doo7q9JZLnw@mail.gmail.com> <4DE541B5.6080605@aol.com> <BANLkTikMp-=EO9jwdyGFm8=COr_MsSEjbw@mail.gmail.com> <4E1F6AAD24975D4BA5B16804296739433810E906@TK5EX14MBXC203.redmond.corp.microsoft.com>
In-Reply-To: <4E1F6AAD24975D4BA5B16804296739433810E906@TK5EX14MBXC203.redmond.corp.microsoft.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: paul Tarjan <paul.tarjan@fb.com>, "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] consistency of token param name in bearer token type
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 15 Jun 2011 17:39:00 -0000
It should be pretty easy :-) Anyone objects to changing the parameter name from 'bearer_token' to 'access_token'? Let Mike know by 6/20 or he will make the change. EHL > -----Original Message----- > From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf > Of Mike Jones > Sent: Wednesday, June 01, 2011 1:15 PM > To: David Recordon; George Fletcher > Cc: paul Tarjan; oauth@ietf.org > Subject: Re: [OAUTH-WG] consistency of token param name in bearer token > type > > If you can drive a consensus decision for the name "access_token", I'd be > glad to change the name in the spec. I agree that the current names are > confusing for developers. > > -- Mike > > -----Original Message----- > From: David Recordon [mailto:recordond@gmail.com] > Sent: Wednesday, June 01, 2011 12:06 AM > To: George Fletcher > Cc: Mike Jones; Doug Tangren; oauth@ietf.org; paul Tarjan > Subject: Re: [OAUTH-WG] consistency of token param name in bearer token > type > > Yeah, can understand how we got here. Just found it quite confusing when > reading these two specifications together with an implementor's hat on. > > On Tue, May 31, 2011 at 12:29 PM, George Fletcher <gffletch@aol.com> > wrote: > > Brief pointer to the "history" of this change. This change was adopted > > in draft 4 of the bearer spec as there were concerns with the previous > > parameter name of 'oauth_token'. The suggestion was made to use > > 'bearer_token' so that it matches the scheme used in the Authorization > > header. The thinking being that reading the bearer token spec would > > seem weird if the Authorization header used one name and the GET/POST > > methods used a different name. > > > > The 'bearer_token' name got a few +1 and no dissents. > > > > Full thread starts here [1]. Mike accepting the 'bearer_token' > > recommendation is here [2]. > > > > Thanks, > > George > > > > [1] http://www.ietf.org/mail-archive/web/oauth/current/msg05497.html > > [2] http://www.ietf.org/mail-archive/web/oauth/current/msg05881.html > > > > On 5/28/11 12:30 PM, David Recordon wrote: > > > > Did a full read through of draft 16 and the bear token spec with Paul > > yesterday afternoon in order to do a manual diff from draft 10. The > > point Doug raised was actually confusing. Throughout the core spec > > it's referred to as access_token but then becomes bearer_token upon > > use. > > > > Just thinking through this from a developer documentation perspective, > > it's going to become confusing. Developer documentation focuses on > > getting an access token and then using that access token to interact > > with an API. Thus the code you're writing as a client developer will > > use variables, cache keys, and database columns named `access_token`. > > But then when you're going to use it, you'll need to put this access > > token into a field named bearer_token. > > > > Feels quite a bit simpler to just name it access_token. Realize the > > core spec never did this since we didn't want to trample on protected > > resources which might already have a different type of access_token > > parameter. oauth_token was a good compromise since developers would > > already know that they were using OAuth and thus a new term wasn't > > being introduced. That's no longer true with bearer_token since 99% of > > developers will have never heard of a bearer token. > > > > Googling for "bearer token" turns up Eran's blog post titled "OAuth > > Bearer Tokens are a Terrible Idea" and there isn't a single result on > > the first page which explains what they are. Binging for "bearer > > token" is equally scary. > > > > --David > > > > > > On Mon, May 23, 2011 at 11:38 AM, Mike Jones > > <Michael.Jones@microsoft.com> wrote: > > > > The working group explicitly decided that a different name should be > > used, to make it clear that other token types other than bearer tokens > > could also be used with OAuth 2. > > > > > > > > -- Mike > > > > > > > > From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf > > Of Doug Tangren > > Sent: Wednesday, May 11, 2011 10:09 PM > > To: oauth@ietf.org > > Subject: [OAUTH-WG] consistency of token param name in bearer token > > type > > > > > > > > This may have come up before so I'm sorry if I'm repeating. Why does > > bearer token spec introduce a new name for oauth2 access tokens [1], > > "bearer_token", and before that [2], "oauth_token"? > > > > > > > > I apologize if this may sound shallow but, why introduce a new > > parameter name verses sticking with what the general oauth2 spec > > already defines, "access_token". It seems arbitrary for an auth server > > to hand a client an apple then have the client hand it off to the > > resource server and call it an orange. > > > > > > > > Was this just for the sake of differentiating the parameter name > > enough so that the bearer tokens may be used in other protocols > > without being confused with oauth2 access_tokens? > > > > > > > > [1]: > > http://tools.ietf.org/html/draft-ietf-oauth-v2-bearer-04#section-2.2 > > > > [2]: > > http://tools.ietf.org/html/draft-ietf-oauth-v2-bearer-03#section-2.2 > > > > > > > > -Doug Tangren > > http://lessis.me > > > > _______________________________________________ > > OAuth mailing list > > OAuth@ietf.org > > https://www.ietf.org/mailman/listinfo/oauth > > > > > > _______________________________________________ > > OAuth mailing list > > OAuth@ietf.org > > https://www.ietf.org/mailman/listinfo/oauth > > > > > > -- > > Chief Architect AIM: gffletch > > Identity Services Engineering Work: george.fletcher@teamaol.com > > AOL Inc. Home: gffletch@aol.com > > Mobile: +1-703-462-3494 Blog: http://practicalid.blogspot.com > > Office: +1-703-265-2544 Twitter: http://twitter.com/gffletch > > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth
- [OAUTH-WG] consistency of token param name in bea… Doug Tangren
- Re: [OAUTH-WG] consistency of token param name in… Eran Hammer-Lahav
- Re: [OAUTH-WG] consistency of token param name in… Mike Jones
- Re: [OAUTH-WG] consistency of token param name in… David Recordon
- Re: [OAUTH-WG] consistency of token param name in… Doug Tangren
- Re: [OAUTH-WG] consistency of token param name in… David Recordon
- Re: [OAUTH-WG] consistency of token param name in… William J. Mills
- Re: [OAUTH-WG] consistency of token param name in… George Fletcher
- Re: [OAUTH-WG] consistency of token param name in… David Recordon
- Re: [OAUTH-WG] consistency of token param name in… Mike Jones
- Re: [OAUTH-WG] consistency of token param name in… Justin Richer
- Re: [OAUTH-WG] consistency of token param name in… Doug Tangren
- Re: [OAUTH-WG] consistency of token param name in… Marius Scurtescu
- Re: [OAUTH-WG] consistency of token param name in… David Recordon
- Re: [OAUTH-WG] consistency of token param name in… George Fletcher
- Re: [OAUTH-WG] consistency of token param name in… John Kemp
- Re: [OAUTH-WG] consistency of token param name in… George Fletcher
- Re: [OAUTH-WG] consistency of token param name in… George Fletcher
- Re: [OAUTH-WG] consistency of token param name in… John Kemp
- Re: [OAUTH-WG] consistency of token param name in… Eran Hammer-Lahav
- Re: [OAUTH-WG] consistency of token param name in… David Recordon
- Re: [OAUTH-WG] consistency of token param name in… Marius Scurtescu
- Re: [OAUTH-WG] consistency of token param name in… Eran Hammer-Lahav
- Re: [OAUTH-WG] consistency of token param name in… Stephen Farrell
- Re: [OAUTH-WG] consistency of token param name in… Eran Hammer-Lahav
- Re: [OAUTH-WG] consistency of token param name in… Bill
- Re: [OAUTH-WG] consistency of token param name in… David Recordon
- Re: [OAUTH-WG] consistency of token param name in… Bill
- Re: [OAUTH-WG] consistency of token param name in… Eran Hammer-Lahav
- Re: [OAUTH-WG] consistency of token param name in… John Bradley
- Re: [OAUTH-WG] consistency of token param name in… William J. Mills
- Re: [OAUTH-WG] consistency of token param name in… Lodderstedt, Torsten
- Re: [OAUTH-WG] consistency of token param name in… KIHARA, Boku
- Re: [OAUTH-WG] consistency of token param name in… Doug Tangren
- Re: [OAUTH-WG] consistency of token param name in… Justin Richer
- Re: [OAUTH-WG] consistency of token param name in… Eran Hammer-Lahav
- Re: [OAUTH-WG] consistency of token param name in… Eran Hammer-Lahav
- Re: [OAUTH-WG] consistency of token param name in… Torsten Lodderstedt
- Re: [OAUTH-WG] consistency of token param name in… Manger, James H