Re: [OAUTH-WG] OAuth Parameter Registration Template

Hannes Tschofenig <hannes.tschofenig@gmx.net> Sun, 24 June 2012 16:41 UTC

From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
In-Reply-To: <0CBAEB56DDB3A140BA8E8C124C04ECA20107EC1F@P3PWEX2MB008.ex2.secureserver.net>
Date: Sun, 24 Jun 2012 19:41:20 +0300
Message-Id: <BC5E64AD-F504-47FC-A3EA-8C1C0A5DD64B@gmx.net>
References: <4F1F7754-CF91-4C07-A4B6-20AB94C2E2B2@gmx.net> <0CBAEB56DDB3A140BA8E8C124C04ECA20107EC1F@P3PWEX2MB008.ex2.secureserver.net>
To: Eran Hammer <eran@hueniverse.com>
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] OAuth Parameter Registration Template

Hi Eran, 

On Jun 24, 2012, at 4:34 PM, Eran Hammer wrote:

> It is pretty obvious these refer to the two well defined endpoints in section 3.

True. The first few paragraphs of Section 3 list the available endpoints.

Btw, the section headings are a bit strange: 

3. Protocol Endpoints 
3.1 Authorization Endpoint
3.2 Token Endpoint
3.3 Access Token Scope 
> I will add a reference next to the locations to make this even clearer.
> 
Thanks. 

Maybe you want to add that this specification only defines these usage locations for parameters (based on the defined endpoints) and that other documents may define new endpoints and extend the list of possible parameter usage locations.

> There is no such endpoint as client authentication as a location.

Noticed that.

> OAuth core clearly defines three endpoints for which two are extensible via registration. Anything else is out of scope.

While the specification says that you can define new endpoints, it may be useful to link that statement with the usage location for the parameters.


> 
> No other changes are needed or appropriate.
> 
Ciao
Hannes

> EH
> 
>> -----Original Message-----
>> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf
>> Of Hannes Tschofenig
>> Sent: Sunday, June 24, 2012 6:18 AM
>> To: OAuth WG
>> Subject: [OAUTH-WG] OAuth Parameter Registration Template
>> 
>> Hi all,
>> 
>> Working on the proposed text for the OAuth assertions draft, I noticed an
>> interesting aspect in the core specification regarding Section 11.2.1, which
>> defines the registration template for OAuth parameters.
>> 
>> The template lists all possible usage locations of parameters, namely
>> authorization request, authorization response, token request, or token
>> response.
>> 
>> Here is the first issue: these locations are not defined anywhere in the
>> document and so one can only guess to what part of the protocol exchange
>> they belong.
>> 
>> I agree that it may not be very difficult to guess, but obviously it is not
>> completely obvious. It would have been nice if there were actually a match with
>> Figure 1, for example.
>> 
>> http://tools.ietf.org/html/draft-ietf-oauth-assertions-03, for example, uses a
>> location that is not in the above list, namely 'client authentication'.
>> 
>> Client authentication can also happen in the interaction between the client
>> and the resource server but the exchanges are not part of the allowed list of
>> usage locations.
>> 
>> Ciao
>> Hannes
>> 