Re: [OAUTH-WG] First draft of OAuth 2.0

David Recordon <recordond@gmail.com> Tue, 23 March 2010 19:16 UTC

In-Reply-To: <-7251685435772011473@unknownmsgid>
References: <OFF96BDDB5.0F452F7D-ON802576EF.003FF4EA-802576EF.0040455E@ie.ibm.com> <E558602B-48A1-4FB9-AB9D-0BC94DFCCC18@lodderstedt.net> <fd6741651003231047s419db471x98098a2e46aab168@mail.gmail.com> <-7251685435772011473@unknownmsgid>
Date: Tue, 23 Mar 2010 12:16:30 -0700
Message-ID: <fd6741651003231216pbb0ac4dq9f60a1094cbb180b@mail.gmail.com>
From: David Recordon <recordond@gmail.com>
To: Dick Hardt <dick.hardt@gmail.com>
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] First draft of OAuth 2.0

On Tue, Mar 23, 2010 at 11:58 AM, Dick Hardt <dick.hardt@gmail.com> wrote:
> David: perhaps if you asked the list about features before dropping
> them we would not all have to argue with you about why to put them
> back in.

My goal by removing some of the non-obvious things was to encourage
the discussion which has now started! Many of the design decisions
that went into WRAP haven't entirely been shared in public. Since one
of our major goals is developer simplicity it's reasonable to start
with less and justify everything that's being added.  As the working
group has seen, I'm really willing to add things back in once the
reasoning has been explained (error codes, SAML flow, etc).


> Frankly I was surprised that you did not circulate the draft
> to me as editor of WRAP.

I focused on getting feedback from consumer web deployers of OAuth 1.0
(Twitter and Digg) who haven't participated in these discussions yet
as they're extremely important to technology adoption.  I also spoke
to Google, Microsoft, and Yahoo! as they were the three companies who
developed WRAP together.  I'm sorry if I rubbed you the wrong way, but
until this IETF meeting I didn't know that you were planning to deploy
OAuth 2.0 as you were no longer working for Microsoft.  This shouldn't
prevent us from working together on making OAuth 2.0 rock. :)


> WG Chairs: Is this draft now the draft that the WG is working on and
> is David now the editor for the WG?
>
> -- Dick
>
> On 2010-03-23, at 10:47 AM, David Recordon <recordond@gmail.com> wrote:
>
>> Hey Chuck,
>> Thanks for rewriting the SAML flow into the style of my draft!  I
>> really appreciate it.
>>
>> I originally dropped the SAML flow because I hadn't seen support for
>> it on the mailing list(s) the past two months.  I think that our
>> default should be making the spec as short and simple as possible so
>> removed a few things from WRAP in order to start conversations like
>> this one.  It's now clear that Google, Microsoft, Salesforce, and IBM
>> all need the SAML profile.  Chuck, I'll merge your wording in.  Want
>> to be listed as an author?
>>
>> We're also going to need to figure out which flows should be in the
>> core spec versus which should be developed at the same time but in
>> individual documents.
>>
>> Thanks,
>> --David
>>
>> On Tue, Mar 23, 2010 at 4:50 AM, Torsten Lodderstedt
>> <torsten@lodderstedt.net> wrote:
>>> +1 for assertion support
>>>
>>> what about enhancing the flow #2.4 to accept any kind of user
>>> credentials (username/password, SAML assertions, other authz
>>> servers' tokens)
>>>
>>> regards,
>>> Torsten.
>>>
>>> On 23.03.2010 at 12:42, Mark Mcgloin
>>> <mark.mcgloin@ie.ibm.com> wrote:
>>>
>>>> +1 for assertion profile. Was there any reason why it was dropped?
>>>>
>>>> On 3/23/10, Chuck Mortimore wrote:
>>>>>
>>>>> Just getting a chance to review this – I apologize for not getting
>>>>> this before the meeting started.
>>>>>
>>>>> We'd like to see some form of an Assertion Profile, similar to
>>>>> section 5.2 from draft-hardt-oauth-01.  We have strong customer
>>>>> use-cases for an assertion based flow, specifically SAML bearer
>>>>> tokens, and I believe Microsoft may have already shipped a minor
>>>>> variation on this ( wrap_SAML ) in Azure.
>>>>
>>>>
>>>> Mark McGloin
>>>> _______________________________________________
>>>> OAuth mailing list
>>>> OAuth@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/oauth
>