Re: [OAUTH-WG] Facebook, OAuth, and WRAP

Brent Goldman <brent@facebook.com> Wed, 25 November 2009 14:10 UTC

From: Brent Goldman <brent@facebook.com>
To: Mike Malone <mjmalone@gmail.com>
Date: Wed, 25 Nov 2009 06:10:07 -0800
Message-ID: <D37F2DDE-CF75-487D-A978-6330BD694803@facebook.com>
References: <148C596691F29F4EA6968577BE2CDFAE06A1B9FE@SC-MBXC1.TheFacebook.com> <a9d9121c0911241635p4f2cc394vefe350b2ce3daa22@mail.gmail.com> <cb5f7a380911242215x5d364b2fmc56a4aea19141dec@mail.gmail.com> <a9d9121c0911242240i4bab482ep4faca88ae27af2e5@mail.gmail.com>
In-Reply-To: <a9d9121c0911242240i4bab482ep4faca88ae27af2e5@mail.gmail.com>
Cc: Naitik Shah <naitik@facebook.com>, Luke Shepard <lshepard@facebook.com>, "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Facebook, OAuth, and WRAP

On Nov 24, 2009, at 10:40 PM, Mike Malone wrote:

> On Tue, Nov 24, 2009 at 10:15 PM, John Panzer <jpanzer@google.com> wrote:
>> On Tue, Nov 24, 2009 at 4:35 PM, Mike Malone <mjmalone@gmail.com> wrote:
>>>
>>> On Tue, Nov 24, 2009 at 10:57 AM, David Recordon
>>> <davidrecordon@facebook.com> wrote:
>>>>
>>>> The largest issue in Facebook moving to OAuth 1.0 (and yes, Eran's new
>>>> RFC is awesome) is the increase in the number of HTTP requests that
>>>> developers will need to make in comparison to our current authentication
>>>> mechanism.
>>>
>>> The OAuth _flow_ (in a browser) requires a couple additional requests
>>> compared to Facebook Connect (in a browser). But Facebook Connect is
>>> really a different beast since it relies on the Browser and Javascript
>>> to magically set cookies cross domain and whatnot. I agree that it's
>>> non-trivial to extend OAuth to cover this use case (we've sort of done
>>> it at Six Apart and the flow is clunky and complicated). And even if
>>> you figure out how to make the flow work you can't really make
>>> requests purely on the client side without compromising your consumer
>>> secret.
>>>
>>> That said, as far as I can tell, using OAuth for delegated
>>> communication via an intermediary (a web app or iPhone app, for
>>> example) should be doable for Facebook. The only real differences I
>>> see between OAuth and WRAP for this use case are:
>>>  * WRAP requires SSL instead of signing URLs
>>
>> Aside: If an SP specified OAuth PLAINTEXT signature mode, and used https:
>> URLs for its API, would there be any effective difference between OAuth and
>> WRAP for that SP?  (Best as I can tell the only difference would be a
>> mandated %26 character in the OAuth blob you pass in to get access, but I
>> may be missing something.)
>
> Yea, they're more or less the same. That's one use case for PLAINTEXT
> OAuth. You still have a "signature" though, it's just the base64'd
> signature base string.

If they're more or less the same (besides the difference you mentioned), then why not also create an SSL signature mode which leaves out the oauth_signature param? If SSL mode is essentially the same as WRAP, why not actually make this the bridge between the two specs?
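The following is an added example, not code from this thread or from Facebook, Six Apart or the WRAP authors. It builds the OAuth 1.0 PLAINTEXT Authorization header John's aside refers to, next to a WRAP-style bearer header, and verifies the PLAINTEXT one server-side. Under RFC 5849 section 3.4.4 the PLAINTEXT "signature" is just the two percent-encoded secrets joined by a literal "&"; once that value is itself percent-encoded into the header it becomes the mandated "%26". Assumptions: the WRAP header shape `Authorization: WRAP access_token="..."` follows draft-hardt-oauth-wrap; all keys, tokens and secrets are constructed sample values; function names are mine.

```python
"""OAuth 1.0 PLAINTEXT over TLS next to a WRAP-style bearer header.

Added example, not code from this thread. Assumptions (labelled):
  - PLAINTEXT follows RFC 5849 section 3.4.4: oauth_signature is
    encode(consumer_secret) "&" encode(token_secret), no hashing at all.
  - The WRAP header shape `Authorization: WRAP access_token="..."` follows
    draft-hardt-oauth-wrap; no server-side check is shown for it.
  - Every key, token and secret below is a constructed sample value.
"""
import hmac
import secrets
import time
from typing import Dict, Optional
from urllib.parse import quote, unquote


def oauth_encode(value: str) -> str:
    """RFC 5849 section 3.6 percent-encoding: only unreserved chars stay bare."""
    return quote(value, safe="-._~")


def plaintext_signature(consumer_secret: str, token_secret: str = "") -> str:
    """RFC 5849 section 3.4.4: both secrets encoded, joined by a literal '&'."""
    return f"{oauth_encode(consumer_secret)}&{oauth_encode(token_secret)}"


def oauth_plaintext_header(consumer_key: str, consumer_secret: str,
                           token: str, token_secret: str, *,
                           nonce: Optional[str] = None,
                           timestamp: Optional[int] = None) -> str:
    """Build an `Authorization: OAuth ...` header value (RFC 5849 section 3.5.1).

    nonce/timestamp are parameters only so a test can pin them; real callers
    leave them None and get fresh values.
    """
    params = {
        "oauth_consumer_key": consumer_key,
        "oauth_token": token,
        "oauth_signature_method": "PLAINTEXT",
        "oauth_timestamp": str(int(time.time()) if timestamp is None else timestamp),
        "oauth_nonce": secrets.token_hex(8) if nonce is None else nonce,
        "oauth_version": "1.0",
        "oauth_signature": plaintext_signature(consumer_secret, token_secret),
    }
    # The '&' inside the signature is percent-encoded again here; that is the
    # mandated "%26" John Panzer refers to.
    return "OAuth " + ", ".join(f'{k}="{oauth_encode(v)}"' for k, v in params.items())


def wrap_header(access_token: str) -> str:
    """WRAP-style bearer presentation (assumed draft-hardt-oauth-wrap shape):
    the token alone, no signature parameter."""
    return f'WRAP access_token="{access_token}"'


def parse_oauth_header(header: str) -> Dict[str, str]:
    """Parse `OAuth k="v", k2="v2"` back into percent-decoded key/value pairs."""
    scheme, _, rest = header.partition(" ")
    if scheme != "OAuth":
        raise ValueError("not an OAuth 1.0 Authorization header")
    params: Dict[str, str] = {}
    for part in rest.split(", "):
        key, sep, raw = part.partition("=")
        if not sep or len(raw) < 2 or raw[0] != '"' or raw[-1] != '"':
            raise ValueError(f"malformed parameter: {part!r}")
        params[unquote(key)] = unquote(raw[1:-1])
    return params


def verify_plaintext(header: str, consumer_secret: str, token_secret: str) -> bool:
    """Server side: recompute the PLAINTEXT signature and compare in constant time.

    Nonce/timestamp replay checks are deliberately omitted; over TLS this
    collapses to 'does the client hold both secrets', i.e. WRAP plus an '&'.
    """
    try:
        params = parse_oauth_header(header)
    except ValueError:
        return False
    if params.get("oauth_signature_method") != "PLAINTEXT":
        return False
    expected = plaintext_signature(consumer_secret, token_secret)
    received = params.get("oauth_signature", "")
    return hmac.compare_digest(received.encode(), expected.encode())


if __name__ == "__main__":
    # Constructed sample credentials; the slash and space show the encoding.
    hdr = oauth_plaintext_header("ck-sample", "cs-sample/with slash",
                                 "tok-sample", "tok-secret")
    print("Authorization:", hdr)
    print("Authorization:", wrap_header("tok-sample"))
    print("verifies:", verify_plaintext(hdr, "cs-sample/with slash", "tok-secret"))
```

Run it and compare the two Authorization lines: the OAuth one carries the secrets in the clear as `oauth_signature`, so PLAINTEXT is only acceptable on https: URLs, which is exactly the "WRAP requires SSL" condition in Mike's list. The verifier intentionally leaves out nonce and timestamp bookkeeping; a real SP still needs that to reject replays, whichever of the two header shapes it accepts.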