IETF Logo Mail Archive

Re: [OAUTH-WG] I-D Action:draft-ietf-oauth-v2-12.txt

Eran Hammer-Lahav <eran@hueniverse.com> Wed, 26 January 2011 07:06 UTC

Return-Path: <eran@hueniverse.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 4086B3A684D for <oauth@core3.amsl.com>; Tue, 25 Jan 2011 23:06:09 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.559
X-Spam-Level:
X-Spam-Status: No, score=-2.559 tagged_above=-999 required=5 tests=[AWL=0.040, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zKdNhFtxGgEo for <oauth@core3.amsl.com>; Tue, 25 Jan 2011 23:06:07 -0800 (PST)
Received: from p3plex1out01.prod.phx3.secureserver.net (p3plex1out01.prod.phx3.secureserver.net [72.167.180.17]) by core3.amsl.com (Postfix) with SMTP id 687943A6837 for <oauth@ietf.org>; Tue, 25 Jan 2011 23:06:07 -0800 (PST)
Received: (qmail 24701 invoked from network); 26 Jan 2011 07:09:07 -0000
Received: from unknown (HELO smtp.ex1.secureserver.net) (72.167.180.19) by p3plex1out01.prod.phx3.secureserver.net with SMTP; 26 Jan 2011 07:09:06 -0000
Received: from P3PW5EX1MB01.EX1.SECURESERVER.NET ([10.6.135.19]) by P3PW5EX1HT001.EX1.SECURESERVER.NET ([72.167.180.19]) with mapi; Wed, 26 Jan 2011 00:08:38 -0700
From: Eran Hammer-Lahav <eran@hueniverse.com>
To: Marius Scurtescu <mscurtescu@google.com>
Date: Wed, 26 Jan 2011 00:08:20 -0700
Thread-Topic: [OAUTH-WG] I-D Action:draft-ietf-oauth-v2-12.txt
Thread-Index: Acu89LN66p08z4dDQteVDaHi1DDgdQAMeu1A
Message-ID: <90C41DD21FB7C64BB94121FBBC2E723445A8D62545@P3PW5EX1MB01.EX1.SECURESERVER.NET>
References: <20110121004501.28103.96097.idtracker@localhost> <90C41DD21FB7C64BB94121FBBC2E723445A8D61C8E@P3PW5EX1MB01.EX1.SECURESERVER.NET> <90C41DD21FB7C64BB94121FBBC2E723445A8D61CBA@P3PW5EX1MB01.EX1.SECURESERVER.NET> <AANLkTimzOErQhT_gjdQrcawVgfsnr_2RVtTOYRoP-fcR@mail.gmail.com>
In-Reply-To: <AANLkTimzOErQhT_gjdQrcawVgfsnr_2RVtTOYRoP-fcR@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] I-D Action:draft-ietf-oauth-v2-12.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 26 Jan 2011 07:06:09 -0000

Thanks Marius.

> -----Original Message-----
> From: Marius Scurtescu [mailto:mscurtescu@google.com]
> Sent: Tuesday, January 25, 2011 5:02 PM
> To: Eran Hammer-Lahav
> Cc: oauth@ietf.org
> Subject: Re: [OAUTH-WG] I-D Action:draft-ietf-oauth-v2-12.txt
> 
> On Thu, Jan 20, 2011 at 9:41 PM, Eran Hammer-Lahav
> <eran@hueniverse.com> wrote:
> > Forgot to mention that I don't have any outstanding comments in my
> queue so if your feedback was not incorporated into -12, and you feel
> strongly about it, bring it up again.
> 
> From an older email, adapted to v12:
> 
> 
> 1. The token_type parameter is required in responses from the server.
> If the server supports multiple formats, which one will be used? In this case,
> would it make sense to allow the client to request a specific format?
> 
> For example, if the authorization server supports both MAC and BEARER,
> which one will the server issue?

It might in some cases, but I suspect most providers are going to decide which scheme provides the right level of security for them and just use that. If you are going to allow both MAC and BEARER, you are basically letting clients decide which level to operate at. Do you have a need or plan to support multiple token types?
 
> 2. Section 8.2. What about applications using legacy parameters? Does not
> make much sense to register them, and they cannot be changed to x_.
> Broken record: using a prefix for all registered parameters is much cleaner (as
> opposed to requiring that all no-registered parameters use a prefix).
> 
> For Google it is impossible to comply with this requirement.

What legacy parameters do you have? Since OAuth 2.0 endpoints are brand new, this is probably about extension parameters in the authorization endpoint from OAuth 1.0 or AuthSub? I think the legacy parameters problem is pretty small, given the number of existing *token* and *authorization* endpoints with custom parameters (that were not pulled into the specification such as scope), but it would be good to know what we are dealing with.

Overall, this is a pretty minor issue. I assume you don't have any conflicts today with the v2 specification. Any conflicts you might have in the future (for which this x_ prefix is meant for) with new extensions is probably going to be minor. And Google can always join the work to make sure they pick a less conflicting name... this is where the registration process really helps to avoid clashes.

EHL

v2.23.0 | Report a Bug | By Email