Re: [OAUTH-WG] Draft 20 last call comments
Eran Hammer-Lahav <eran@hueniverse.com> Wed, 17 August 2011 18:15 UTC
Return-Path: <eran@hueniverse.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5D1CE21F8BF9 for <oauth@ietfa.amsl.com>; Wed, 17 Aug 2011 11:15:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.556
X-Spam-Level:
X-Spam-Status: No, score=-2.556 tagged_above=-999 required=5 tests=[AWL=0.043, BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cn1L4lHarcst for <oauth@ietfa.amsl.com>; Wed, 17 Aug 2011 11:15:50 -0700 (PDT)
Received: from p3plex1out02.prod.phx3.secureserver.net (p3plex1out02.prod.phx3.secureserver.net [72.167.180.18]) by ietfa.amsl.com (Postfix) with SMTP id AFD7E21F8BE8 for <oauth@ietf.org>; Wed, 17 Aug 2011 11:15:50 -0700 (PDT)
Received: (qmail 30564 invoked from network); 17 Aug 2011 18:16:41 -0000
Received: from unknown (HELO smtp.ex1.secureserver.net) (72.167.180.21) by p3plex1out02.prod.phx3.secureserver.net with SMTP; 17 Aug 2011 18:16:41 -0000
Received: from P3PW5EX1MB01.EX1.SECURESERVER.NET ([10.6.135.19]) by P3PW5EX1HT003.EX1.SECURESERVER.NET ([72.167.180.21]) with mapi; Wed, 17 Aug 2011 11:16:31 -0700
From: Eran Hammer-Lahav <eran@hueniverse.com>
To: Justin Richer <jricher@mitre.org>, "OAuth WG (oauth@ietf.org)" <oauth@ietf.org>
Date: Wed, 17 Aug 2011 11:15:15 -0700
Thread-Topic: [OAUTH-WG] Draft 20 last call comments
Thread-Index: AcxYcNP9BMbO/ni8T3yA7gll5itVuwEgmb+A
Message-ID: <90C41DD21FB7C64BB94121FBBC2E72345029DFA82D@P3PW5EX1MB01.EX1.SECURESERVER.NET>
References: <1313096811.22073.96.camel@ground>
In-Reply-To: <1313096811.22073.96.camel@ground>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: "Anganes, Amanda L" <aanganes@mitre.org>
Subject: Re: [OAUTH-WG] Draft 20 last call comments
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 17 Aug 2011 18:15:51 -0000
Thanks for the feedback. > -----Original Message----- > From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf > Of Justin Richer > Sent: Thursday, August 11, 2011 2:07 PM > 1.2/1.4: The term "authorization grant" remains confusing and the > introduction is riddled with jargon like "intermediate credential". With the > diagram in 1.2, it appears to be an explicit technological underpinning of the > protocol flow instead of a general conceptual construct that is used in several > different ways. Basically, what "authorization grant" *means* is not obvious > within this document. > > Section 4 makes much more sense than the introduction text does here. > Perhaps we should just replace most of 1.4 with just the introductory text to > 4 (perhaps slightly expanded), and then a reference to the sub-parts of > section 4 for the meat of the concept (and in the process, nix the subsections > of 1.4 entirely). > > 1.2(B): "Provided" is wrong here (it implies a direct hand-over), and the last > sentence is awkward. Suggest reword to: > The client receives an authorization grant which represents the > authorization granted by the resource owner. The type of > authorization grant is dependent on which methods are supported > by both the client and authorization server. Change (B) in 1.2 to: The client receives an authorization grant which is a credential representing the resource owner's authorization, expressed using one of four grant types defined in this specification or using an extension grant type. The authorization grant type depends on the method used by the client to request authorization and the types supported by the authorization server. And changed 1.4 to: An authorization grant is a credential representing the resource owner's authorization (to access its protected resources) used by the client to obtain an access token. This specification defines four grant types: authorization code, implicit, resource owner password credentials, and client credentials, as well as an extensibility mechanism for defining additional types. > 1.3/1.4/1.5: Consider switching order to Authorization Grant, Access Token, > Refresh Token Not sure. What do others think? I put access token first because it is a more important term to get out of the way. > 1.4.1: We probably want to mention a user agent here in the exposure risk at > the end. Since that's really the problem -- the browser could steal the token, > not the end user. Proposed text? > 1.4.2: Still don't like the term "implicit". It's misleading. Even "direct > authorization" would be better, though still not ideal. It's the best we've got. "Direct authorization" is not a grant type, but a flow description. > 1.4.5: Throw a simple reference to 8.3 here? No forward references whenever possible. > 2: Isn't "means" generally treated as singular in instances like this? > Thus "means ... is" instead of "means ... are". Don't know. > 2.1/2.2: The requirements (2.2) should go first in section 2. The client types > are part of deciding the requirements, and the concepts flow better this way. You need to first define client types before you can require it. > 2.1: I like the calling out of the types of clients, it helps cement things. > > 2.3: Suggest renaming to "Client Identification" to parallel "Client > Authentication" in 2.4 It's not about identification. > 2.3: Should "... cannot be used alone" be made into a normative, as "... > MUST NOT be used alone"? I'm ok with that. Anyone else? > 2.4.2: Want to mention the MAC binding as an example here? This would > parallel the OAuth2 method of signing the fetch for a request token more > directly. Nah. > 3. Authorization endpoint's "used to obtain authorization from" should be > "used to obtain an authorization grant from", to be parallel with the token > endpoint description. Ok. EHL
- [OAUTH-WG] Draft 20 last call comments Justin Richer
- Re: [OAUTH-WG] Draft 20 last call comments Eran Hammer-Lahav
- Re: [OAUTH-WG] Draft 20 last call comments Justin Richer
- Re: [OAUTH-WG] Draft 20 last call comments Eran Hammer-Lahav
- Re: [OAUTH-WG] Draft 20 last call comments Lodderstedt, Torsten
- Re: [OAUTH-WG] Draft 20 last call comments Justin Richer
- Re: [OAUTH-WG] Draft 20 last call comments Torsten Lodderstedt