Re: [OAUTH-WG] Clarification: Authorization scheme :: Token vs OAuth

Marius Scurtescu <mscurtescu@google.com> Mon, 19 April 2010 21:07 UTC

From: Marius Scurtescu <mscurtescu@google.com>
Date: Mon, 19 Apr 2010 14:06:32 -0700
To: Eran Hammer-Lahav <eran@hueniverse.com>
Cc: OAuth WG <oauth@ietf.org>

On Mon, Apr 19, 2010 at 11:06 AM, Eran Hammer-Lahav <eran@hueniverse.com> wrote:
> Initially I don't think it is a problem because only OAuth 2 servers will use it. Later it becomes a question of discovery and what you do once you get such a challenge from a server you are unfamiliar with.

I think that many protected resources that will support OAuth 2 will
also support other protocols, at least OAuth 1.0.


> I proposed Token because it is in line with other HTTP authentication schemes: Basic and Digest.
>
> The name really doesn't matter that much, but I rather not use OAuth (to avoid the need to add oauth_version=2.0 to every header), and I rather not use a version number in the scheme name. If you don't like Token, feel free to suggest something else. I think it is very accurate to what is being done.

Being so generic, at some point it may require a parameter to tell what
type of token this is. At that point I think that OAuth with a version
or OAuth2 is better.


> Also keep in mind that there are going to be other flows issuing tokens, and we already have both delegation and autonomous flows using the same scheme. So calling it OAuth doesn't really tell much more than Token. If I use a new flow to get a token, it doesn't really matter what happens as long as I end up with a token (with or without a secret).

True, but I don't think we are trying to solve token based
authentication in general.


Marius

>
> Does this make sense?
>
> EHL
>
>> -----Original Message-----
>> From: Marius Scurtescu [mailto:mscurtescu@google.com]
>> Sent: Monday, April 19, 2010 10:06 AM
>> To: Eran Hammer-Lahav
>> Cc: Dick Hardt; OAuth WG
>> Subject: Re: [OAUTH-WG] Clarification: Authorization scheme :: Token vs
>> OAuth
>>
>> Isn't "Token" as a scheme too generic/ambiguous?
>>
>> If a protected resource accepts several types of Authorization headers, how
>> can it be sure this is an OAuth 2.0 token and not some other kind?
>>
>> If adding a version parameter is too verbose, how about "OAuth2" as
>> scheme?
>>
>> Marius
>>
>> On Sun, Apr 18, 2010 at 10:05 PM, Eran Hammer-Lahav
>> <eran@hueniverse.com> wrote:
>> > Scheme is always case-insensitive per 2617.
>> >
>> > My reasons for using Token:
>> >
>> > 1. The scheme isn't specific to OAuth (which defines a model for
>> > obtaining tokens). It is a generic way to use tokens for
>> > authentication. Similar to how services use OAuth today for "2-legged"
>> > authentication (using the signature method without an access token at
>> > all), I expect services to use the Token scheme.
>> >
>> > 2. Doesn't conflict with OAuth 1.0, and doesn't require adding
>> > oauth_version=2.0 to every request. The fact that 1.0 used a parameter
>> > name prefix in the *header* was bad enough.
>> >
>> > That discussion did not reach any consensus so I used the last
>> > proposed text. If people have a problem with that I'll add it to the
>> > open issues list.
>> >
>> > EHL
>> >
>> > From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf
>> > Of Dick Hardt
>> > Sent: Sunday, April 18, 2010 9:33 PM
>> > To: OAuth WG
>> > Subject: [OAUTH-WG] Clarification: Authorization scheme :: Token vs
>> > OAuth
>> >
>> > I recall some earlier discussion on calling the scheme Token vs OAuth
>> > and see that it is now Token per the example:
>> >
>> > Authorization: Token token="vF9dft4qmT"
>> >
>> > Would you explain or point out the logic of using Token rather than OAuth?
>> >
>> > A related question: is the scheme case sensitive?
>> >
>> > _______________________________________________
>> > OAuth mailing list
>> > OAuth@ietf.org
>> > https://www.ietf.org/mailman/listinfo/oauth
>> >
>
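An added example for the exchange above; it is not code from the draft, the working group, or any of the participants. It shows a protected resource that accepts both an OAuth 1.0 header and the proposed Token scheme, matches the scheme name case-insensitively as RFC 2617 requires, and refuses any scheme it does not recognise instead of guessing which protocol produced it. The token store, consumer table, principal names and the AuthResult type are this example's own assumptions; the OAuth 1.0 parameter names are the real oauth_* ones.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# auth-param per RFC 2617 sec. 1.2: token "=" ( token | quoted-string ),
# comma separated. The character class is the HTTP "token" alphabet.
_AUTH_PARAM = re.compile(
    r'\s*([!#$%&\'*+\-.^_`|~0-9A-Za-z]+)\s*=\s*'
    r'(?:"((?:[^"\\]|\\.)*)"|([^\s,"=]+))\s*(?:,|$)'
)


def split_scheme(header: str) -> Tuple[str, str]:
    """Return (scheme, remainder). The scheme is lower-cased so that
    'Token', 'TOKEN' and 'token' compare equal, as RFC 2617 requires."""
    scheme, _, rest = header.strip().partition(" ")
    if not scheme:
        raise ValueError("empty Authorization header")
    return scheme.lower(), rest.strip()


def parse_auth_params(rest: str) -> Dict[str, str]:
    """Parse the comma-separated auth-params that follow the scheme.
    Parameter names are lower-cased (case-insensitive per RFC 7235 sec. 2.1).
    Malformed input raises ValueError instead of being silently skipped."""
    params: Dict[str, str] = {}
    pos = 0
    while pos < len(rest):
        m = _AUTH_PARAM.match(rest, pos)
        if m is None:
            raise ValueError(f"malformed auth-param at {rest[pos:]!r}")
        name, quoted, bare = m.groups()
        # quoted-string: drop the backslash of each quoted-pair
        value = re.sub(r"\\(.)", r"\1", quoted) if quoted is not None else bare
        params[name.lower()] = value
        pos = m.end()
    return params


@dataclass
class AuthResult:
    protocol: Optional[str]   # "oauth1", "token", or None if the scheme is unknown
    principal: Optional[str]  # set only when a credential was actually verified
    reason: str


# Constructed sample data (assumption for this example): one bearer token
# issued by this resource's own authorization server, one OAuth 1.0 consumer.
_TOKENS = {"vF9dft4qmT": "alice"}
_OAUTH1_CONSUMERS = {"dpf43f3p2l4k3l03": "photoapp"}


def authenticate(header: Optional[str]) -> AuthResult:
    """Decide which protocol an Authorization header speaks and, for the
    Token scheme, resolve the token. Unknown schemes are refused outright
    rather than guessed at, the safe default for a resource that accepts
    more than one protocol."""
    if header is None:
        return AuthResult(None, None, "no Authorization header")
    try:
        scheme, rest = split_scheme(header)
    except ValueError as exc:
        return AuthResult(None, None, str(exc))

    if scheme == "oauth":
        # OAuth 1.0: parameters carry the oauth_ prefix. Reusing this scheme
        # for 2.0 would need oauth_version="2.0" on every request; here
        # anything but 1.0 is treated as a different, unsupported protocol.
        try:
            params = parse_auth_params(rest)
        except ValueError as exc:
            return AuthResult("oauth1", None, str(exc))
        if params.get("oauth_version", "1.0") != "1.0":
            return AuthResult(None, None, "OAuth scheme with unsupported oauth_version")
        consumer = _OAUTH1_CONSUMERS.get(params.get("oauth_consumer_key", ""))
        if consumer is None:
            return AuthResult("oauth1", None, "unknown oauth_consumer_key")
        # The HMAC-SHA1 check of oauth_signature over the base string is not
        # implemented in this example, so this branch grants no principal.
        return AuthResult("oauth1", None,
                          f"consumer {consumer!r}; oauth_signature not verified here")

    if scheme == "token":
        try:
            params = parse_auth_params(rest)
        except ValueError as exc:
            return AuthResult("token", None, str(exc))
        token = params.get("token")
        if token is None:
            return AuthResult("token", None, "Token scheme without token parameter")
        # The scheme name says nothing about who issued the token, so only a
        # token present in this resource's own store is accepted.
        principal = _TOKENS.get(token)
        if principal is None:
            return AuthResult("token", None, "token not issued by this server")
        return AuthResult("token", principal, "token accepted")

    return AuthResult(None, None, f"unsupported scheme {scheme!r}")
```

The dispatch is on the scheme only, which is the point Marius raises: once several issuers use the bare Token scheme, nothing in the header distinguishes their tokens, so the resource can only check the value against its own store and reject everything else.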