Re: [OAUTH-WG] OAuth 1 Bridge Flow
Allen Tom <atom@yahoo-inc.com> Tue, 04 May 2010 23:29 UTC
Return-Path: <atom@yahoo-inc.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id C3EAD3A6857 for <oauth@core3.amsl.com>; Tue, 4 May 2010 16:29:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.822
X-Spam-Level:
X-Spam-Status: No, score=-14.822 tagged_above=-999 required=5 tests=[AWL=-0.157, BAYES_50=0.001, IP_NOT_FRIENDLY=0.334, USER_IN_DEF_WHITELIST=-15]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CDL-72PT9rNg for <oauth@core3.amsl.com>; Tue, 4 May 2010 16:29:42 -0700 (PDT)
Received: from mrout2-b.corp.re1.yahoo.com (mrout2-b.corp.re1.yahoo.com [69.147.107.21]) by core3.amsl.com (Postfix) with ESMTP id 77C9228C332 for <oauth@ietf.org>; Tue, 4 May 2010 16:05:59 -0700 (PDT)
Received: from SNV-EXBH01.ds.corp.yahoo.com (snv-exbh01.ds.corp.yahoo.com [207.126.227.249]) by mrout2-b.corp.re1.yahoo.com (8.13.8/8.13.8/y.out) with ESMTP id o44N50On075498; Tue, 4 May 2010 16:05:04 -0700 (PDT)
DomainKey-Signature: a=rsa-sha1; s=serpent; d=yahoo-inc.com; c=nofws; q=dns; h=received:user-agent:date:subject:from:to:message-id: thread-topic:thread-index:in-reply-to:mime-version:content-type: content-transfer-encoding:x-originalarrivaltime; b=fCMxfdd2r2knsh5uJoKCXaoGlAYk+ydaMY9AUoWrLujfCLFa9Ox0W1giztsugLHg
Received: from SNV-EXVS03.ds.corp.yahoo.com ([207.126.227.235]) by SNV-EXBH01.ds.corp.yahoo.com with Microsoft SMTPSVC(6.0.3790.4675); Tue, 4 May 2010 16:05:01 -0700
Received: from 10.72.244.69 ([10.72.244.69]) by SNV-EXVS03.ds.corp.yahoo.com ([207.126.227.239]) via Exchange Front-End Server snv-webmail.corp.yahoo.com ([207.126.227.59]) with Microsoft Exchange Server HTTP-DAV ; Tue, 4 May 2010 23:04:01 +0000
User-Agent: Microsoft-Entourage/12.24.0.100205
Date: Tue, 04 May 2010 16:03:58 -0700
From: Allen Tom <atom@yahoo-inc.com>
To: Justin Richer <jricher@mitre.org>, Marius Scurtescu <mscurtescu@google.com>, OAuth WG <oauth@ietf.org>
Message-ID: <C805F5EE.2DE86%atom@yahoo-inc.com>
Thread-Topic: [OAUTH-WG] OAuth 1 Bridge Flow
Thread-Index: Acrr3hO+SSKG8b2vd0mSA3+8duqBbg==
In-Reply-To: <1272998796.6288.55.camel@localhost.localdomain>
Mime-version: 1.0
Content-type: text/plain; charset="US-ASCII"
Content-transfer-encoding: 7bit
X-OriginalArrivalTime: 04 May 2010 23:05:01.0652 (UTC) FILETIME=[39AF0940:01CAEBDE]
Subject: Re: [OAUTH-WG] OAuth 1 Bridge Flow
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 04 May 2010 23:29:44 -0000
Although we have not formally announced any plans to support OAuth2 yet, I would expect that Yahoo would be able to simultaneously support both Oauth 1.0a and OAuth2 without requiring clients to upgrade their existing Oauth 1.0a credentials for OAuth2. Note: Yahoo currently requires the Session Extension, so all of our Access Tokens are valid for one hour. The OAuth2 Refresh Token is equivalent to the Session Extension's "Auth Session Handle" Allen On 5/4/10 11:46 AM, "Justin Richer" <jricher@mitre.org> wrote: > Interesting work. So as each app upgrades its support from OAuth1 to > OAuth2, it exchanges its old tokens for new ones once for each user, > right? Then the app in question is effectively going to have to speak > both flavors of OAuth to do this one-time upgrade. I always assumed that > apps would just have to get new OAuth2 access tokens by going back to > the user (since tokens are cheap), but I can definitely see value in > there being a clean upgrade path, especially for wide deployments. > > Because the other side of things, what would it take an implementor to > have a backwards-compatible system? Since the OAuth2 protocol is by > design not backwards compatible (though the signature-based web flows > are all the same spirit as 1.0a, all the parameter names are different), > I'm thinking that one would need either parallel endpoints or a proxy of > some kind that works almost like that which was proposed here, but on an > ongoing basis. > > -- Justin > > On Tue, 2010-05-04 at 13:26 -0400, Marius Scurtescu wrote: >> Hi, >> >> I would like to suggest a flow, or endpoint, that is bridging OAuth 1 >> and OAuth 2. See the attachment. >> >> The OAuth 1 Bridge Flow basically defines an endpoint where you can >> place a signed OAuth 1 request and in response you receive a short >> lived OAuth 2.0 access token. This flow can be used by clients that >> have a long lived OAuth 1.0 access token and want to use a short lived >> OAuth 2.0 access token to access protected resources. >> >> Do you have a use case for a flow like this? If not exactly but close, >> how can the flow be improved to cover your use case as well? >> >> Feedback more than welcome. >> >> Thanks, >> Marius > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth
- Re: [OAUTH-WG] OAuth 1 Bridge Flow Justin Richer
- Re: [OAUTH-WG] OAuth 1 Bridge Flow Allen Tom
- [OAUTH-WG] OAuth 1 Bridge Flow Marius Scurtescu
- Re: [OAUTH-WG] OAuth 1 Bridge Flow Eran Hammer-Lahav
- Re: [OAUTH-WG] OAuth 1 Bridge Flow Luke Shepard
- Re: [OAUTH-WG] OAuth 1 Bridge Flow Marius Scurtescu
- Re: [OAUTH-WG] OAuth 1 Bridge Flow Marius Scurtescu
- Re: [OAUTH-WG] OAuth 1 Bridge Flow Foiles, Doug
- Re: [OAUTH-WG] OAuth 1 Bridge Flow Luke Shepard
- Re: [OAUTH-WG] OAuth 1 Bridge Flow Luke Shepard