IETF Logo Mail Archive

Re: [OAUTH-WG] Redirects

Luke Shepard <lshepard@facebook.com> Fri, 07 May 2010 05:55 UTC

Return-Path: <lshepard@facebook.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 7D6823A6B3F for <oauth@core3.amsl.com>; Thu, 6 May 2010 22:55:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.984
X-Spam-Level:
X-Spam-Status: No, score=-2.984 tagged_above=-999 required=5 tests=[AWL=0.280, BAYES_00=-2.599, HTML_MESSAGE=0.001, IP_NOT_FRIENDLY=0.334, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id o8u0JIfxm1P8 for <oauth@core3.amsl.com>; Thu, 6 May 2010 22:55:49 -0700 (PDT)
Received: from mailout-snc1.facebook.com (mailout-snc1.facebook.com [69.63.179.25]) by core3.amsl.com (Postfix) with ESMTP id 579B43A6CAB for <oauth@ietf.org>; Thu, 6 May 2010 22:51:48 -0700 (PDT)
Received: from mail.thefacebook.com ([192.168.18.104]) by pp01.snc1.tfbnw.net (8.14.3/8.14.3) with ESMTP id o475pGpb004974 (version=TLSv1/SSLv3 cipher=RC4-MD5 bits=128 verify=NOT); Thu, 6 May 2010 22:51:16 -0700
Received: from SC-MBXC1.TheFacebook.com ([192.168.18.102]) by sc-hub01.TheFacebook.com ([192.168.18.104]) with mapi; Thu, 6 May 2010 22:51:34 -0700
From: Luke Shepard <lshepard@facebook.com>
To: David Recordon <recordond@gmail.com>
Date: Thu, 06 May 2010 22:51:33 -0700
Thread-Topic: [OAUTH-WG] Redirects
Thread-Index: AcrtqVm9Kr8dDE2/SXyChXm5hxI53g==
Message-ID: <E111581C-87CE-44F1-881D-C512FAC7B203@facebook.com>
References: <255B9BB34FB7D647A506DC292726F6E11263073D6D@WSMSG3153V.srv.dir.telstra.com> <q2hfd6741651005062105y46152452x370fac0dd12d55c6@mail.gmail.com> <255B9BB34FB7D647A506DC292726F6E112631B257D@WSMSG3153V.srv.dir.telstra.com> <v2nfd6741651005062235g211564dfr6aaf6a72bf4dfaa@mail.gmail.com>
In-Reply-To: <v2nfd6741651005062235g211564dfr6aaf6a72bf4dfaa@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: multipart/alternative; boundary="_000_E111581C87CE44F1881DC512FAC7B203facebookcom_"
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=1.12.8161:2.4.5, 1.2.40, 4.0.166 definitions=2010-05-07_01:2010-02-06, 2010-05-07, 2010-05-06 signatures=0
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Redirects
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 07 May 2010 05:55:50 -0000

It's not really up to the client. If https://api.example.com/pr?access_token=loin21op redirects to https://api.otherapi.com/somethingelse?access_token=loin21op, then I just need to follow the redirect - no decisions to be made by the client. Many low-level HTTP libraries will just do this automatically. There are already facilities to warn if you try to redirect from an https url to an http one.

I think the difference between your cookie example and OAuth token is that cookies are automatically sent on every request, so there have to be rules about when they are automatically appended. OAuth access tokens aren't the same thing - they are explicitly added by developers on each request, so we don't need to overspecify rules in the protocol that should be handled by developers.


On May 6, 2010, at 10:35 PM, David Recordon wrote:

Why wouldn't the client send the token with the new request? If I'm trying to access https://api.example.com/pr?access_token=loin21op and I get a 301 response, I'll need to follow that if I want any chance of accessing the protected resource.

Maybe we're saying the same thing?


On Thu, May 6, 2010 at 10:21 PM, Manger, James H <James.H.Manger@team.telstra.com<mailto:James.H.Manger@team.telstra.com>> wrote:
How should an OAuth client app behave when it gets an HTTP redirect on requesting a protected resource?
Similarly, how should it behave when it follows any other link in a response?

Obviously it should make a new request to the URI in the redirect or link — that is normal HTTP and hypertext behaviour.
The question is does the token get sent with the new request?


I think the spec needs to provide an answer, even if it isn’t my suggestion of an “sites” list when a token is issued.

--
James Manger

_______________________________________________
OAuth mailing list
OAuth@ietf.org<mailto:OAuth@ietf.org>
https://www.ietf.org/mailman/listinfo/oauth


<ATT00001..txt>

v2.23.0 | Report a Bug | By Email