Re: [OAUTH-WG] conf call follow up from today

"Richer, Justin P." <> Mon, 04 February 2013 21:37 UTC

From: "Richer, Justin P." <>
To: William Mills <>
Thread-Topic: [OAUTH-WG] conf call follow up from today
Date: Mon, 04 Feb 2013 21:37:06 +0000
Message-ID: <B33BFB58CCC8BE4998958016839DE27E068866EF@IMCMBX01.MITRE.ORG>
Cc: O Auth WG <>
Subject: Re: [OAUTH-WG] conf call follow up from today

What if we define a means to request OAuth1 style tokens from an OAuth2 auth/token endpoint, but defer to OAuth1 for methods of how to use the token at protected resources?

 -- Justin

On Feb 4, 2013, at 3:22 PM, William Mills <> wrote:

1)  I think that we need to focus on specific solutions, as I said on the call, and solve the OAuth 1.0a/MAC use case.  There's a significant installed base of OAuth 1.0a and we need a path for those installations into OAuth 2.0.  I may well pursue MAC in the interim to do this, but a full HOK solution would work too.

2)  I think the discussion we were having about "which authenticator to use" falls squarely into the endpoint discovery discussion and we should put that energy into endpoint discovery as distinct from HOK.

3)  We haven't talked yet about how a client will be able to specify a token type if it wants a specific one.  OAuth 2 core will need to be extended to support this.

4)  We should leave the key distribution/discovery mechanism either out of scope or define it explicitly per HOK token type profile.  This will have to work with the extensions for #3 above.

5)  I want to avoid the problem in OAuth 1.0a of having to support and accept every possible signing mode.  Being forced to accept PLAINTEXT sucks.  We need a way for the discovery endpoint to mandate a specific set of allowed signature methods.
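As an added illustration of point 5 (not code from this thread or from any WG draft), here is how a resource server could enforce a discovery-published allowlist of signature methods when checking an OAuth 1.0a Authorization header, refusing PLAINTEXT outright. The metadata key `oauth_signature_methods_supported` and the discovery document itself are constructed assumptions for this example.

```python
import re
from urllib.parse import unquote

# Constructed discovery metadata (the key name is an assumption, not a
# standard field): the server publishes the only signature methods it accepts,
# so there is no obligation to support every mode a client might send.
DISCOVERY = {
    "oauth_signature_methods_supported": ["HMAC-SHA1", "RSA-SHA1"],
}

# Matches oauth_* parameters of the form oauth_name="value" inside the header.
_PARAM_RE = re.compile(r'(oauth_[a-z_]+)="([^"]*)"')


def parse_oauth1_header(header: str) -> dict:
    """Return the percent-decoded oauth_* parameters of an OAuth 1.0a
    Authorization header, raising ValueError for other schemes."""
    if not header.startswith("OAuth "):
        raise ValueError("not an OAuth 1.0a Authorization header")
    body = header[len("OAuth "):]
    return {name: unquote(value) for name, value in _PARAM_RE.findall(body)}


def check_signature_method(header: str, discovery: dict = DISCOVERY) -> tuple:
    """Return (accepted, reason). Any method absent from the discovery
    allowlist is rejected before signature verification is attempted."""
    try:
        params = parse_oauth1_header(header)
    except ValueError as exc:
        return False, str(exc)
    method = params.get("oauth_signature_method")
    if method is None:
        return False, "missing oauth_signature_method"
    allowed = discovery["oauth_signature_methods_supported"]
    if method not in allowed:
        return False, f"signature method {method} not allowed; accepted: {allowed}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample headers: one HMAC-SHA1 request and one PLAINTEXT request.
    good = 'OAuth oauth_consumer_key="k", oauth_signature_method="HMAC-SHA1", oauth_signature="abc%3D"'
    bad = 'OAuth oauth_consumer_key="k", oauth_signature_method="PLAINTEXT", oauth_signature="s%26t"'
    print(check_signature_method(good))
    print(check_signature_method(bad))
```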
