IETF Logo Mail Archive

[OAUTH-WG] [oauth] #5: Separate scheme names for bearer tokens, request signing, and delegation

"oauth issue tracker" <trac@tools.ietf.org> Sat, 15 May 2010 01:40 UTC

Return-Path: <trac@tools.ietf.org>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id EDC093A67FC for <oauth@core3.amsl.com>; Fri, 14 May 2010 18:40:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -101.071
X-Spam-Level:
X-Spam-Status: No, score=-101.071 tagged_above=-999 required=5 tests=[AWL=-1.071, BAYES_50=0.001, NO_RELAYS=-0.001, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4UF6Medm0EP5 for <oauth@core3.amsl.com>; Fri, 14 May 2010 18:40:38 -0700 (PDT)
Received: from zinfandel.tools.ietf.org (unknown [IPv6:2001:1890:1112:1::2a]) by core3.amsl.com (Postfix) with ESMTP id 553623A6802 for <oauth@ietf.org>; Fri, 14 May 2010 18:40:37 -0700 (PDT)
Received: from localhost ([::1] helo=zinfandel.tools.ietf.org) by zinfandel.tools.ietf.org with esmtp (Exim 4.71) (envelope-from <trac@tools.ietf.org>) id 1OD6Md-0000ZP-Ex; Fri, 14 May 2010 18:40:27 -0700
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
From: oauth issue tracker <trac@tools.ietf.org>
X-Trac-Version: 0.11.7
Precedence: bulk
Auto-Submitted: auto-generated
X-Mailer: Trac 0.11.7, by Edgewall Software
To: james@manger.com.au
X-Trac-Project: oauth
Date: Sat, 15 May 2010 01:40:27 -0000
X-URL: http://tools.ietf.org/oauth/
X-Trac-Ticket-URL: http://trac.tools.ietf.org/wg/oauth/trac/ticket/5
Message-ID: <059.db44ca9c6a99be8265550c67a11484c4@tools.ietf.org>
X-Trac-Ticket-ID: 5
X-SA-Exim-Connect-IP: ::1
X-SA-Exim-Rcpt-To: james@manger.com.au, oauth@ietf.org
X-SA-Exim-Mail-From: trac@tools.ietf.org
X-SA-Exim-Scanned: No (on zinfandel.tools.ietf.org); SAEximRunCond expanded to false
Cc: oauth@ietf.org
Subject: [OAUTH-WG] [oauth] #5: Separate scheme names for bearer tokens, request signing, and delegation
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 15 May 2010 01:40:41 -0000

#5: Separate scheme names for bearer tokens, request signing, and delegation
---------------------------------+------------------------------------------
 Reporter:  james@…              |       Owner:     
     Type:  defect               |      Status:  new
 Priority:  major                |   Milestone:     
Component:  authentication       |     Version:  2.0
 Severity:  -                    |    Keywords:     
---------------------------------+------------------------------------------
 The same HTTP authentication scheme name "Token" is overloaded with 3 (or
 4) distinct roles. This hinders the use of auth schemes names by client
 apps to choose how to authenticate to a server. It doesn't match existing
 usage of auth scheme names.

 A server should be able to indicate that a resource can be accessed:
 1. When the request is signed (MACed) with a shared secret key;
 2. When user consent has been obtained (at a given user-uri);
 3. When a client credential has been swapped for a token (at a given
 token-uri);
 4. When the request is accompanied by an authorization token.

 These indications should be independent.
 Because "Token" is overloaded, a "WWW-Authenticate: Token ..." HTTP header
 can only indicate all of these together.

 Suggested solution: use at least 3 different names in the various places
 "Token" is currently used -- perhaps "MAC", "Delegate" (or "OAuth"), and
 "Token".

-- 
Ticket URL: <http://trac.tools.ietf.org/wg/oauth/trac/ticket/5>
oauth <http://tools.ietf.org/oauth/>

v2.23.0 | Report a Bug | By Email