IETF Logo Mail Archive

Re: [OAUTH-WG] Issue: Split the authorization endpoint into two endpoints

David Recordon <recordond@gmail.com> Fri, 16 April 2010 19:14 UTC

Return-Path: <recordond@gmail.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 7996028C1A2 for <oauth@core3.amsl.com>; Fri, 16 Apr 2010 12:14:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nedOZdEv5iTE for <oauth@core3.amsl.com>; Fri, 16 Apr 2010 12:14:38 -0700 (PDT)
Received: from mail-pv0-f172.google.com (mail-pv0-f172.google.com [74.125.83.172]) by core3.amsl.com (Postfix) with ESMTP id 9C0B428C192 for <oauth@ietf.org>; Fri, 16 Apr 2010 12:14:14 -0700 (PDT)
Received: by pvf33 with SMTP id 33so1963397pvf.31 for <oauth@ietf.org>; Fri, 16 Apr 2010 12:14:04 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:in-reply-to:references :date:received:message-id:subject:from:to:cc:content-type; bh=PtfNaqdH1Xa9Q4S6AKEEgc+3v3YgdMHbMfIAro/+5pk=; b=pphlr/xGXn119vyhIk854d95oUoWW4r2GXLbE8NG1Mxpv/iQF9VoDGNR5qEfKl7VeA YJMpCOw2UOekkoX+AtVDYkffFu0EOVn38I2zphv9kq9Rnl8ObeBWhqaXCRPKXn0tTzoP ro1fBoxchqPWe3uXYLDX3tryBp262VREjXwYY=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; b=sPwP8dfcZFZxDpNfdcPMNcrAb+GuL4t7eJJqFxa8J+utM0q9dLRU422qgK+LzQnMu2 KftkWePQ0cISv09GaR8M0I+kCiBHdScNcuvBC/RJ1xmh3tA3CyOjN7WCe8rWoNYiVLel xXq2jfyABseBSn48HtOD6eb6OJWMXsH+oPQdw=
MIME-Version: 1.0
Received: by 10.231.182.196 with HTTP; Fri, 16 Apr 2010 12:14:04 -0700 (PDT)
In-Reply-To: <2513A610118CC14C8E622C376C8DEC93D54D66DCF7@SC-MBXC1.TheFacebook.com>
References: <C7ECABE0.32344%eran@hueniverse.com> <255B9BB34FB7D647A506DC292726F6E11257481003@WSMSG3153V.srv.dir.telstra.com> <9E18821D-E128-468A-9778-9D9D049B716F@jkemp.net> <2513A610118CC14C8E622C376C8DEC93D54D66DCF7@SC-MBXC1.TheFacebook.com>
Date: Fri, 16 Apr 2010 12:14:04 -0700
Received: by 10.114.186.14 with SMTP id j14mr2189458waf.60.1271445244460; Fri, 16 Apr 2010 12:14:04 -0700 (PDT)
Message-ID: <r2tfd6741651004161214l8090caf8udc1f564b88af69e4@mail.gmail.com>
From: David Recordon <recordond@gmail.com>
To: Luke Shepard <lshepard@facebook.com>
Content-Type: text/plain; charset="ISO-8859-1"
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Issue: Split the authorization endpoint into two endpoints
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 16 Apr 2010 19:14:52 -0000

Talked with Luke and now remember earlier conversations about two
URLs. We'll likely do www.facebook.com for user interactions and
api.facebook.com for server stuff.


On Fri, Apr 16, 2010 at 9:58 AM, Luke Shepard <lshepard@facebook.com> wrote:
> I guess I would prefer two URLs as well, but I see the simplicity argument as well:
>
>>> Constraints for endpoints:
>>> access token URL: HTTPS and POST only, no user
>>> user authentication URL: HTTP or HTTPS, GET or POST, authenticated user
>
> In either case, we should not restrict the access token URL to POST-only. A GET request is just as secure and can be much easier to write code for (just construct the URL and ping, no need to figure out CURLOPT_POSTFIELDS).
>
>
> -----Original Message-----
> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of John Kemp
> Sent: Thursday, April 15, 2010 7:11 PM
> To: Manger, James H
> Cc: OAuth WG
> Subject: Re: [OAUTH-WG] Issue: Split the authorization endpoint into two endpoints
>
> On Apr 15, 2010, at 9:22 PM, Manger, James H wrote:
>
>> I strongly favour specifying 2 separate endpoints: one for where to redirect a user, another for direct client calls.
>
> I agree.
>
>>
>> I agree with Marius that these two endpoints are different enough to be separate.
>> One is only used by users via browsers. The other is only used by client apps. These are different populations, using different authentication mechanisms, with different performance requirements, and different technologies.
>>
>> The use of a type parameter is a poor tool to distinguishes these cases.
>>
>> I guess 1 URI could default to the other if not defined.
>> 1 URI could be allowed to be relative to the other to save some bytes.
>
> I agree with this reasoning too.
>
> - johnk
>
>>
>> --
>> James Manger
>>
>>
>> -----Original Message-----
>> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of Eran Hammer-Lahav
>> Sent: Friday, 16 April 2010 4:41 AM
>> To: OAuth WG
>> Subject: [OAUTH-WG] Issue: Split the authorization endpoint into two endpoints
>>
>> OAuth 2.0 defines a single authorization endpoint with a 'type' parameter
>> for the various flows and flow steps. There are two types of calls made to
>> the authorization endpoint:
>>
>> - Requests for Access - requests in which an end user interacts with the
>> authorization server, granting client access.
>>
>> - Requests for Token - requests in which the client uses a verification code
>> or other credentials to obtain an access token. These requests require
>> SSL/TLS because they always result in the transmission of plaintext
>> credentials in the response and sometimes in the request.
>>
>> A proposal has been made to define two separate endpoints due to the
>> different nature of these endpoints:
>>
>> On 4/6/10 4:06 PM, "Marius Scurtescu" <mscurtescu@google.com> wrote:
>>
>>> Constraints for endpoints:
>>> access token URL: HTTPS and POST only, no user
>>> user authentication URL: HTTP or HTTPS, GET or POST, authenticated user
>>>
>>> In many cases the above constraints can be enforced with configuration
>>> that sits in front of the controllers implementing these endpoints.
>>> For example, Apache config can enforce SSL and POST. Same can be done
>>> in a Java filter. Also a Java filter can enforce that only
>>> authenticated users hit the endpoint, it can redirect to a login page
>>> if needed.
>>>
>>> By keeping two different endpoints all of the above is much simpler.
>>> Nothing prevents an authz server to collapse these two into one
>>> endpoint.
>>
>> While requests for access do not require HTTPS, they should because they
>> involve authenticating the end user. As for enforcing HTTP methods (GET,
>> POST), this is simple to do both at the server configuration level or
>> application level.
>>
>> On the other hand, having a single endpoint makes the specification simpler,
>> and more importantly, makes discovery trivial as a 401 response needs to
>> include a single endpoint for obtaining a token regardless of the flow (some
>> flows use one, others two steps).
>>
>> A richer discovery later can use LRDD on the single authorization endpoint
>> to obtain an XRD describing the flows and UI options provided by the server.
>> But this is outside our scope.
>>
>> Proposal: No change. Keep the single authorization endpoint and require
>> HTTPS for all requests.
>>
>> EHL
>>
>>
>>
>>
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>

v2.23.0 | Report a Bug | By Email