Re: [OAUTH-WG] Consistency in access token parameter
Eran Hammer-Lahav <eran@hueniverse.com> Tue, 20 April 2010 17:12 UTC
Return-Path: <eran@hueniverse.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 8C6A63A68F8 for <oauth@core3.amsl.com>; Tue, 20 Apr 2010 10:12:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.474
X-Spam-Level:
X-Spam-Status: No, score=-2.474 tagged_above=-999 required=5 tests=[AWL=0.124, BAYES_00=-2.599, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lG23gcZLreuc for <oauth@core3.amsl.com>; Tue, 20 Apr 2010 10:12:37 -0700 (PDT)
Received: from p3plex1out01.prod.phx3.secureserver.net (p3plex1out01.prod.phx3.secureserver.net [72.167.180.17]) by core3.amsl.com (Postfix) with SMTP id 2F74D3A6851 for <oauth@ietf.org>; Tue, 20 Apr 2010 10:12:31 -0700 (PDT)
Received: (qmail 17048 invoked from network); 20 Apr 2010 17:12:22 -0000
Received: from unknown (HELO smtp.ex1.secureserver.net) (72.167.180.21) by p3plex1out01.prod.phx3.secureserver.net with SMTP; 20 Apr 2010 17:12:21 -0000
Received: from P3PW5EX1MB01.EX1.SECURESERVER.NET ([10.6.135.20]) by P3PW5EX1HT003.EX1.SECURESERVER.NET ([72.167.180.21]) with mapi; Tue, 20 Apr 2010 10:12:21 -0700
From: Eran Hammer-Lahav <eran@hueniverse.com>
To: "jsmarr@stanfordalumni.org" <jsmarr@stanfordalumni.org>
Date: Tue, 20 Apr 2010 10:12:28 -0700
Thread-Topic: [OAUTH-WG] Consistency in access token parameter
Thread-Index: AcrgqGYk6w2KL3q2RliGTWsxMrxFzAABCnyQ
Message-ID: <90C41DD21FB7C64BB94121FBBC2E723438E5C7F52A@P3PW5EX1MB01.EX1.SECURESERVER.NET>
References: <C7F1D1FC.32809%eran@hueniverse.com> <4BCD3B85.3080809@lodderstedt.net> <2513A610118CC14C8E622C376C8DEC93D54D66DEAB@SC-MBXC1.TheFacebook.com> <90C41DD21FB7C64BB94121FBBC2E723438E5C7F456@P3PW5EX1MB01.EX1.SECURESERVER.NET> <r2lc334d54e1004200941r3c3461c2va51384d26b3b5e5b@mail.gmail.com>
In-Reply-To: <r2lc334d54e1004200941r3c3461c2va51384d26b3b5e5b@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: multipart/alternative; boundary="_000_90C41DD21FB7C64BB94121FBBC2E723438E5C7F52AP3PW5EX1MB01E_"
MIME-Version: 1.0
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Consistency in access token parameter
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 20 Apr 2010 17:12:45 -0000
I still don't know where you stand on the actual proposal. Is the spec currently confusing? If it is, please suggest alternatives. EHL From: Joseph Smarr [mailto:jsmarr@gmail.com] Sent: Tuesday, April 20, 2010 9:42 AM To: Eran Hammer-Lahav Cc: Luke Shepard; oauth@ietf.org Subject: Re: [OAUTH-WG] Consistency in access token parameter In my experience, a frequent source of bugs/frustration for developers implementing OAuth 1.0 was the fact that we have multiple "tokens" that are easy to mix up and use in the wrong place. For instance, when I helped Dave Winer debug his implementation (see http://josephsmarr.com/2009/02/17/implementing-oauth-is-still-too-hard-but-it-doesnt-have-to-be/), the problem ended up being that he was passing his request-token instead of his access-token when making API requests (they're both returned as oauth_token, after all). (So I'd strongly urge us to pick as disparate names for the various "tokens" in OAuth 2.0 as possible, and to not use similar variable names when returning them, to minimize these chances of mix-up. It's probably also helpful if they look visually distinct, so it would be more obvious "oh, you're using the wrong kind of token here", but that may be too hard to enforce in practice.) Thanks, js On Tue, Apr 20, 2010 at 8:04 AM, Eran Hammer-Lahav <eran@hueniverse.com<mailto:eran@hueniverse.com>> wrote: There is an explanation (I'm not defending it, just explaining). In the flow endpoint I chose 'access_token' over token because of the refresh token. It seems better to talk about two different kinds of tokens than to have one generic 'token' and one with special meaning 'refresh_token'. The protected resource endpoint is the only place I agree requires a prefix because it always intrudes on another namespace or platform and the likelihood of a conflict is high. I used 'oauth_token' instead of 'oauth_access_token' for brevity thinking that it should be trivial to figure out what to put there (the only other option is a refresh token which isn't likely to be confused here). The header uses 'token' because it is a generic authentication scheme which doesn't mandate you use the OAuth flows to get a token. This is the only place I feel strongly about not changing it. Feel free to propose new names. EHL > -----Original Message----- > From: oauth-bounces@ietf.org<mailto:oauth-bounces@ietf.org> [mailto:oauth-bounces@ietf.org<mailto:oauth-bounces@ietf.org>] On Behalf > Of Luke Shepard > Sent: Tuesday, April 20, 2010 12:46 AM > To: oauth@ietf.org<mailto:oauth@ietf.org> > Subject: [OAUTH-WG] Consistency in access token parameter > > There are potentially three names for access tokens in this spec: > > - token > - access_token > - oauth_token > > You hit the /oauth/access_token endpoint, and get back access_token=blah. > Then you take that string and pass it to the protected resource as > oauth_token=blah. > > Developers that have prototyped things over here have found this to be > confusing. It's simpler to just take the same named param everywhere. > > I vote that one of two things happen: > > 1/ Return oauth_token from the access token endpoint. > 2/ Accept access_token on the protected resource endpoint. > 3/ Return "token" (and still "refresh_token") from the access_token > endpoint, and accept "token" on the protected resource. > > I know there will be infinite debate about the right way to do this, but just > wanted some thoughts for now. I will probably choose #2 as that seems most > explicit, even though it's a few more characters. > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org<mailto:OAuth@ietf.org> > https://www.ietf.org/mailman/listinfo/oauth _______________________________________________ OAuth mailing list OAuth@ietf.org<mailto:OAuth@ietf.org> https://www.ietf.org/mailman/listinfo/oauth
- [OAUTH-WG] 'Scope' parameter proposal Eran Hammer-Lahav
- Re: [OAUTH-WG] 'Scope' parameter proposal Luke Shepard
- Re: [OAUTH-WG] 'Scope' parameter proposal Marius Scurtescu
- Re: [OAUTH-WG] 'Scope' parameter proposal Eran Hammer-Lahav
- Re: [OAUTH-WG] 'Scope' parameter proposal Torsten Lodderstedt
- Re: [OAUTH-WG] 'Scope' parameter proposal Marius Scurtescu
- Re: [OAUTH-WG] 'Scope' parameter proposal Eran Hammer-Lahav
- Re: [OAUTH-WG] 'Scope' parameter proposal David Recordon
- Re: [OAUTH-WG] 'Scope' parameter proposal John Kemp
- Re: [OAUTH-WG] 'Scope' parameter proposal Eran Hammer-Lahav
- Re: [OAUTH-WG] 'Scope' parameter proposal John Kemp
- Re: [OAUTH-WG] 'Scope' parameter proposal Marius Scurtescu
- Re: [OAUTH-WG] 'Scope' parameter proposal Dick Hardt
- Re: [OAUTH-WG] 'Scope' parameter proposal Manger, James H
- Re: [OAUTH-WG] 'Scope' parameter proposal Eran Hammer-Lahav
- Re: [OAUTH-WG] 'Scope' parameter proposal Torsten Lodderstedt
- Re: [OAUTH-WG] 'Scope' parameter proposal Torsten Lodderstedt
- [OAUTH-WG] Consistency in access token parameter Luke Shepard
- Re: [OAUTH-WG] Consistency in access token parame… Eran Hammer-Lahav
- Re: [OAUTH-WG] 'Scope' parameter proposal Eran Hammer-Lahav
- Re: [OAUTH-WG] 'Scope' parameter proposal Eran Hammer-Lahav
- Re: [OAUTH-WG] 'Scope' parameter proposal Eran Hammer-Lahav
- Re: [OAUTH-WG] 'Scope' parameter proposal Joseph Smarr
- Re: [OAUTH-WG] Consistency in access token parame… Joseph Smarr
- Re: [OAUTH-WG] Consistency in access token parame… Eran Hammer-Lahav
- Re: [OAUTH-WG] 'Scope' parameter proposal Eve Maler
- Re: [OAUTH-WG] 'Scope' parameter proposal Manger, James H
- Re: [OAUTH-WG] 'Scope' parameter proposal John Kemp
- Re: [OAUTH-WG] 'Scope' parameter proposal Chasen Le Hara
- Re: [OAUTH-WG] 'Scope' parameter proposal Eran Hammer-Lahav
- Re: [OAUTH-WG] 'Scope' parameter proposal Chasen Le Hara
- Re: [OAUTH-WG] 'Scope' parameter proposal Brian Eaton
- Re: [OAUTH-WG] 'Scope' parameter proposal Eran Hammer-Lahav
- Re: [OAUTH-WG] 'Scope' parameter proposal Brian Eaton
- Re: [OAUTH-WG] 'Scope' parameter proposal Eran Hammer-Lahav
- Re: [OAUTH-WG] 'Scope' parameter proposal Brian Eaton
- Re: [OAUTH-WG] 'Scope' parameter proposal Brian Eaton
- Re: [OAUTH-WG] 'Scope' parameter proposal Eran Hammer-Lahav
- Re: [OAUTH-WG] 'Scope' parameter proposal Eran Hammer-Lahav
- Re: [OAUTH-WG] 'Scope' parameter proposal John Kemp
- Re: [OAUTH-WG] 'Scope' parameter proposal Brian Eaton
- Re: [OAUTH-WG] 'Scope' parameter proposal Eran Hammer-Lahav
- Re: [OAUTH-WG] 'Scope' parameter proposal Chasen Le Hara
- Re: [OAUTH-WG] 'Scope' parameter proposal Brian Eaton
- Re: [OAUTH-WG] 'Scope' parameter proposal Eran Hammer-Lahav
- Re: [OAUTH-WG] 'Scope' parameter proposal Eve Maler
- Re: [OAUTH-WG] 'Scope' parameter proposal Manger, James H
- Re: [OAUTH-WG] 'Scope' parameter proposal Torsten Lodderstedt
- Re: [OAUTH-WG] 'Scope' parameter proposal Eran Hammer-Lahav
- Re: [OAUTH-WG] 'Scope' parameter proposal Brian Eaton
- Re: [OAUTH-WG] 'Scope' parameter proposal Torsten Lodderstedt
- Re: [OAUTH-WG] 'Scope' parameter proposal John Panzer
- Re: [OAUTH-WG] 'Scope' parameter proposal Keenan, Bill
- Re: [OAUTH-WG] 'Scope' parameter proposal Luke Shepard