Re: [OAUTH-WG] SASL / OAuth Binding Request: User Field
William Mills <wmills_92105@yahoo.com> Mon, 16 July 2012 22:04 UTC
Return-Path: <wmills_92105@yahoo.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CBF5611E82AE for <oauth@ietfa.amsl.com>; Mon, 16 Jul 2012 15:04:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.998
X-Spam-Level:
X-Spam-Status: No, score=-2.998 tagged_above=-999 required=5 tests=[AWL=-0.400, BAYES_00=-2.599, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id o5c-D1nTI5S5 for <oauth@ietfa.amsl.com>; Mon, 16 Jul 2012 15:04:39 -0700 (PDT)
Received: from nm21-vm0.bullet.mail.ac4.yahoo.com (nm21-vm0.bullet.mail.ac4.yahoo.com [98.139.53.216]) by ietfa.amsl.com (Postfix) with SMTP id 657C511E82AD for <oauth@ietf.org>; Mon, 16 Jul 2012 15:04:39 -0700 (PDT)
Received: from [98.139.52.194] by nm21.bullet.mail.ac4.yahoo.com with NNFMP; 16 Jul 2012 22:05:20 -0000
Received: from [98.139.52.145] by tm7.bullet.mail.ac4.yahoo.com with NNFMP; 16 Jul 2012 22:05:19 -0000
Received: from [127.0.0.1] by omp1028.mail.ac4.yahoo.com with NNFMP; 16 Jul 2012 22:05:19 -0000
X-Yahoo-Newman-Property: ymail-3
X-Yahoo-Newman-Id: 983462.27088.bm@omp1028.mail.ac4.yahoo.com
Received: (qmail 64759 invoked by uid 60001); 16 Jul 2012 22:05:19 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s1024; t=1342476319; bh=wKopkLO9Q3LYkOA04WnLFeNw2GUw+BnMx+Z9pK+RagQ=; h=X-YMail-OSG:Received:X-Mailer:References:Message-ID:Date:From:Reply-To:Subject:To:In-Reply-To:MIME-Version:Content-Type; b=WT2+VC7Z9sohmza+ivnEy4gAI0dRnBIqZ9OqN81YPXFsVcKnpzlfX1ZArmP7bj66vLk0krVR1gbyZsOP38nRXx+HMLHbNlKL9fw02mbFEpWSKZOAzI4+7/q2UNJnLXHR2wo3EyelxdnfHvDT/VQZj7+Y/pCxH1/hu61bkBVGr3U=
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.com; h=X-YMail-OSG:Received:X-Mailer:References:Message-ID:Date:From:Reply-To:Subject:To:In-Reply-To:MIME-Version:Content-Type; b=FZflKINgkPrXLcrAWrtV8eRMBtR7IdaekVxz8pJlAisHh8B0UqdRZVDt1k56NLSLd9yxT/FOF6GdGA6Wa8XqYBOM4q90VLBEWbXUSUKPmG+L9dPoDlqIu1B6byIlXecLqAF6TJZoQ0HSJBiEftykiDBTzWFxFy7oPAjVj8bK9bU=;
X-YMail-OSG: iz85rrkVM1mq.wfvgXjGs75yXUxxV8fFP.KCPecZnvSeI.3 mFNPGaSuzgZMV4MUVb6MiGI74DdoUXxzCg2ROi7fL7YP4RK7d0pRnCqQdQ5H uOnK7hsxwJjNzlhQu_D4KC184s3aX2WCW9XKj1RHYnfWvibyu9uT4Ph9QykD XywaL1tjGzdbOXd5n88j848aYamGkzKphdoDSAggIsTBoYG_k7ALgTGhXsUr kMx__Xq3kFI1pGmrKoeI.cjo5accEtB1pjXSf4GkJCYuG68LIMhfdkz7J0yg WJphRyyx9_zxxGlq0td7TS.n79QeFE6Ms_WCAlv6RTssJ9g05JTxnqeZG3NN 5wAO5UjnNwzwMHXiGlIBgdtvwR0hUuU1Ard3MBfENDFNf.BnqQFaLA.UARFl a92lJZh2.._lSKwYN0QUJCjVU.5SgofCH.Stwx3eBc5uu_vrhMJ1wwzAjK5u P6xGQMj1tjdjeEeJAPiwo2OEnP5M.Up4E9CmNgb2lj6P51LOIdSBANAbr1db I.Uxc
Received: from [209.131.62.115] by web31804.mail.mud.yahoo.com via HTTP; Mon, 16 Jul 2012 15:05:19 PDT
X-Mailer: YahooMailWebService/0.8.120.356233
References: <CAPe4Cjr=XrCyubv2tihuRaO0tfidQToJ3_bMMpmxcZPsXDEQpg@mail.gmail.com>
Message-ID: <1342476319.1571.YahooMailNeo@web31804.mail.mud.yahoo.com>
Date: Mon, 16 Jul 2012 15:05:19 -0700
From: William Mills <wmills_92105@yahoo.com>
To: Ryan Troll <rtroll@googlers.com>, "kitten@ietf.org" <kitten@ietf.org>
In-Reply-To: <CAPe4Cjr=XrCyubv2tihuRaO0tfidQToJ3_bMMpmxcZPsXDEQpg@mail.gmail.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="835683298-867654983-1342476319=:1571"
X-Mailman-Approved-At: Tue, 17 Jul 2012 06:08:00 -0700
Subject: Re: [OAUTH-WG] SASL / OAuth Binding Request: User Field
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: William Mills <wmills_92105@yahoo.com>
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 16 Jul 2012 22:04:40 -0000
(Routing this to Kitten WG) I don't have much of a preference here, on the one hand I think a plaintext hint is very reasonable, on the other I suspect people will be tempted to use it for more than that which would be bad. In the HTTP space it's easy for anyone using OAuth to put a plaintext cookie with the same function, but I dont' really want to try to bring a cookie carrying mechanism into the draft. -bill BCC: OAuth WG ________________________________ From: Ryan Troll <rtroll@googlers.com> To: oauth@ietf.org Sent: Monday, July 16, 2012 11:46 AM Subject: [OAUTH-WG] SASL / OAuth Binding Request: User Field I'd like to discuss the possibility of adding a "user" field to the SASL/OAuth request. This is based on draft-ietf-kitten-sasl-oauth-00.txt. Background The contents of this field may be used by the resource provider as a hint to aid in request routing, and/or data location, without the need for decrypting the provided access token. The contents of the user field is not used to grant access of any kind. Proposed Addition The text of this addition could look something like this: Section 3.1 addition / update: user: Contains the user ID of the user being authorized > >In authorization schemes that use signatures, the client MUST send host, port number and user key/values, and the server MUST fail authorization requests requiring signatures that do not have host, port, and user values. Section 3.2 addition: If the user field is present, the ID in the user field must match the ID obtained from the credential for the request to succeed. Rationale for Presence of User Field in the Request This data is not required by all resource providers, and as such could be a provider-specific requirement, placed (for example) in the query string. By documenting the user field, we encourage resource providers that do require it to find it in the same location - encouraging inter-operability. The user identity could be determined via the access token, rather than requiring it in the request. However, using the access token to determine the identity can result in the resource provider decoding the token multiple times, or making multiple requests to the access provider. By pulling this attribute out into the protocol, we may be able to simplify the resource provider work required when moving to OAuth. Rationale for Location of User Field This data could be transmitted as part of the path, or a query string parameter, or in the post body. This approach, using a header, was proposed as there are currently no path, query string, or post fields defined. Those three locations remain untouched by this proposal. Comments? -R _______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
- [OAUTH-WG] SASL / OAuth Binding Request: User Fie… Ryan Troll
- Re: [OAUTH-WG] SASL / OAuth Binding Request: User… William Mills