Re: [OAUTH-WG] return to draft 6 spec org?
Eran Hammer-Lahav <eran@hueniverse.com> Sun, 11 July 2010 14:37 UTC
Return-Path: <eran@hueniverse.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id BBF093A6979 for <oauth@core3.amsl.com>; Sun, 11 Jul 2010 07:37:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.336
X-Spam-Level:
X-Spam-Status: No, score=-2.336 tagged_above=-999 required=5 tests=[AWL=0.262, BAYES_00=-2.599, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pNZQl9r74Tz4 for <oauth@core3.amsl.com>; Sun, 11 Jul 2010 07:37:40 -0700 (PDT)
Received: from p3plex1out01.prod.phx3.secureserver.net (p3plex1out01.prod.phx3.secureserver.net [72.167.180.17]) by core3.amsl.com (Postfix) with SMTP id 87A6C3A6986 for <oauth@ietf.org>; Sun, 11 Jul 2010 07:37:40 -0700 (PDT)
Received: (qmail 2346 invoked from network); 11 Jul 2010 14:37:46 -0000
Received: from unknown (HELO smtp.ex1.secureserver.net) (72.167.180.19) by p3plex1out01.prod.phx3.secureserver.net with SMTP; 11 Jul 2010 14:37:45 -0000
Received: from P3PW5EX1MB01.EX1.SECURESERVER.NET ([10.6.135.20]) by P3PW5EX1HT001.EX1.SECURESERVER.NET ([72.167.180.19]) with mapi; Sun, 11 Jul 2010 07:37:45 -0700
From: Eran Hammer-Lahav <eran@hueniverse.com>
To: Brian Eaton <beaton@google.com>, OAuth WG <oauth@ietf.org>
Date: Sun, 11 Jul 2010 07:37:43 -0700
Thread-Topic: [OAUTH-WG] return to draft 6 spec org?
Thread-Index: AcsgsAgjFOdFxRVORMWvRjo+mDi0HAAVpbJm
Message-ID: <C85F2547.36FD6%eran@hueniverse.com>
In-Reply-To: <AANLkTiknyfz3PMoP1l2wLIMB3Qptq34xMYUfyHNuhGLL@mail.gmail.com>
Accept-Language: en-US
Content-Language: en
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: multipart/alternative; boundary="_000_C85F254736FD6eranhueniversecom_"
MIME-Version: 1.0
Subject: Re: [OAUTH-WG] return to draft 6 spec org?
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 11 Jul 2010 14:37:44 -0000
The spec organization isn't about reusing prose, but about providing a consistent and well-defined protocol architecture. WRAP called the different flows for each client 'profiles' which was wrong in WRAP because it wasn't actually profiling anything - it was describing completely separate flows. The current spec went back to calling them profiles because now they are truly profiles of the generic framework defined by the two endpoints. I am unhappy with the current state of the client profiles in the introduction so we agree on that. But where you call for a complete restructure, I prefer making the current structure more useful. I think the way to solve it is to make them more detailed and normative. This will retain the general framework as current specified, but will provide a reference-able description of useful profiles. This will also make it easier to discuss the security attributes of each profile. In addition, it is probably only be useful to define the user-agent and web-based as fully specified profiles, given that the rest are not really profiles but vague guidelines as to how to use OAuth for other "stuff". EHL On 7/10/10 9:15 PM, "Brian Eaton" <beaton@google.com> wrote: I think it would be a good idea to return to the draft 6 organization. Draft 6: normative language for each flow was called out separately, and was described from start to finish, in chronological order, with no interruption. Each step showed what a client should send, and what an authorization server should return. Draft 7 and further: flows are merged to reuse spec language. Steps for any given use case are now interrupted with steps for other use cases. For example, consider a client developer who wants to implement the web server flow. First they have to read section 3.1, to describe the redirect they need to send to the authorization server. Then they read section 3.2, to see the redirect back. Then they read section 4.1.1, to see the request they send to the authorization server. Then they skip a few pages, because they don't care about assertions or passwords or refresh tokens. They they read section 4.2, to see the response from the authorization server. Then they skip several more pages to get to section 5, so they can access data. Then they skip back to section 4.1.4, because they need to refresh their token. Compare this to draft 6: - read section 2.5 this is everything you need to get a token, with no intervening cruft about credentials you don't have. - read section 4 this is everything you need to use a token. - read section 3 this is everything you need to refresh a token. Cheers, Brian _______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
- [OAUTH-WG] return to draft 6 spec org? Brian Eaton
- Re: [OAUTH-WG] return to draft 6 spec org? Eran Hammer-Lahav
- Re: [OAUTH-WG] return to draft 6 spec org? Brian Eaton
- Re: [OAUTH-WG] return to draft 6 spec org? Eran Hammer-Lahav
- Re: [OAUTH-WG] return to draft 6 spec org? Darren Bounds
- Re: [OAUTH-WG] return to draft 6 spec org? Brian Eaton
- Re: [OAUTH-WG] return to draft 6 spec org? Nat