[OAUTH-WG] OAuth 2.0 Bearer Token Specification draft -02
Mike Jones <Michael.Jones@microsoft.com> Fri, 28 January 2011 21:33 UTC
Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id A62933A68A7 for <oauth@core3.amsl.com>; Fri, 28 Jan 2011 13:33:15 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.589
X-Spam-Level:
X-Spam-Status: No, score=-10.589 tagged_above=-999 required=5 tests=[AWL=0.009, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 799d8gARxOsG for <oauth@core3.amsl.com>; Fri, 28 Jan 2011 13:33:10 -0800 (PST)
Received: from smtp.microsoft.com (smtp.microsoft.com [131.107.115.212]) by core3.amsl.com (Postfix) with ESMTP id 7DAF43A6876 for <oauth@ietf.org>; Fri, 28 Jan 2011 13:33:10 -0800 (PST)
Received: from TK5EX14MLTC103.redmond.corp.microsoft.com (157.54.79.174) by TK5-EXGWY-E801.partners.extranet.microsoft.com (10.251.56.50) with Microsoft SMTP Server (TLS) id 8.2.176.0; Fri, 28 Jan 2011 13:36:17 -0800
Received: from TK5EX14MBXC202.redmond.corp.microsoft.com ([169.254.2.150]) by TK5EX14MLTC103.redmond.corp.microsoft.com ([157.54.79.174]) with mapi id 14.01.0270.002; Fri, 28 Jan 2011 13:36:17 -0800
From: Mike Jones <Michael.Jones@microsoft.com>
To: "oauth@ietf.org" <oauth@ietf.org>
Thread-Topic: OAuth 2.0 Bearer Token Specification draft -02
Thread-Index: Acu/M2Nlc5Ah9YfFTfu+PALXm4nBEQ==
Date: Fri, 28 Jan 2011 21:36:16 +0000
Message-ID: <4E1F6AAD24975D4BA5B1680429673943246FD307@TK5EX14MBXC202.redmond.corp.microsoft.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [157.54.51.79]
Content-Type: multipart/alternative; boundary="_000_4E1F6AAD24975D4BA5B1680429673943246FD307TK5EX14MBXC202r_"
MIME-Version: 1.0
Subject: [OAUTH-WG] OAuth 2.0 Bearer Token Specification draft -02
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 28 Jan 2011 21:33:15 -0000
I've published draft 02 of the bearer token specification. This incorporates consensus feedback received to date. It contains no normative changes relative to draft 01. Your feedback is solicited. Specific changes were: * Changed terminology from "token reuse" to "token capture and replay". * Removed sentence "Encrypting the token contents is another alternative" from the security considerations since it was redundant and potentially confusing. * Corrected some references to "resource server" to be "authorization server" in the security considerations. * Generalized security considerations language about obtaining consent of the resource owner. * Broadened scope of security considerations description for recommendation "Don't pass bearer tokens in page URLs". * Removed unused reference to OAuth 1.0. * Updated reference to framework specification and updated David Recordon's e-mail address. * Removed security considerations text on authenticating clients. * Registered the "OAuth2" OAuth access token type and "oauth_token" parameter. The draft is available at these locations: * http://www.ietf.org/internet-drafts/draft-ietf-oauth-v2-bearer-02.txt * http://www.ietf.org/internet-drafts/draft-ietf-oauth-v2-bearer-02.xml * http://self-issued.info/docs/draft-ietf-oauth-v2-bearer-02.html * http://self-issued.info/docs/draft-ietf-oauth-v2-bearer-02.txt * http://self-issued.info/docs/draft-ietf-oauth-v2-bearer-02.xml * http://svn.openid.net/repos/specifications/oauth/2.0/ (Subversion repository, with html, txt, and html versions available) This version is explicitly not ready for working group last call, as changes may need to be made due to the open issues in the framework spec about the removal of the Client Assertion Credentials and OAuth2 HTTP Authentication Scheme. -- Mike
- [OAUTH-WG] OAuth 2.0 Bearer Token Specification d… Mike Jones
- Re: [OAUTH-WG] OAuth 2.0 Bearer Token Specificati… William Mills
- Re: [OAUTH-WG] OAuth 2.0 Bearer Token Specificati… Mike Jones
- Re: [OAUTH-WG] OAuth 2.0 Bearer Token Specificati… Eran Hammer-Lahav
- Re: [OAUTH-WG] OAuth 2.0 Bearer Token Specificati… William Mills
- Re: [OAUTH-WG] OAuth 2.0 Bearer Token Specificati… Skylar Woodward