IETF Logo Mail Archive

Re: [OAUTH-WG] OAuth vs OAuth2 in Authorization header

Eran Hammer-Lahav <eran@hueniverse.com> Thu, 15 July 2010 18:36 UTC

Return-Path: <eran@hueniverse.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 0EEF73A6971 for <oauth@core3.amsl.com>; Thu, 15 Jul 2010 11:36:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.47
X-Spam-Level:
X-Spam-Status: No, score=-2.47 tagged_above=-999 required=5 tests=[AWL=0.129, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AbA7vjgGmXWU for <oauth@core3.amsl.com>; Thu, 15 Jul 2010 11:36:25 -0700 (PDT)
Received: from p3plex1out02.prod.phx3.secureserver.net (p3plex1out02.prod.phx3.secureserver.net [72.167.180.18]) by core3.amsl.com (Postfix) with SMTP id 976FA3A6A74 for <oauth@ietf.org>; Thu, 15 Jul 2010 11:36:20 -0700 (PDT)
Received: (qmail 29522 invoked from network); 15 Jul 2010 18:36:30 -0000
Received: from unknown (HELO smtp.ex1.secureserver.net) (72.167.180.20) by p3plex1out02.prod.phx3.secureserver.net with SMTP; 15 Jul 2010 18:36:30 -0000
Received: from P3PW5EX1MB01.EX1.SECURESERVER.NET ([10.6.135.20]) by P3PW5EX1HT002.EX1.SECURESERVER.NET ([72.167.180.20]) with mapi; Thu, 15 Jul 2010 11:36:21 -0700
From: Eran Hammer-Lahav <eran@hueniverse.com>
To: Luke Shepard <lshepard@facebook.com>
Date: Thu, 15 Jul 2010 11:36:13 -0700
Thread-Topic: [OAUTH-WG] OAuth vs OAuth2 in Authorization header
Thread-Index: AcskTJ7hBPsBn3XQQyWpNc2p2vpumg==
Message-ID: <DE089E9F-35D6-4805-AC77-F86F2642810B@hueniverse.com>
References: <AANLkTim6az--AdwmEoew2pz3kEjhc_GyEaiyo_0UhSRr@mail.gmail.com> <1279205969.18579.55.camel@localhost.localdomain> <AANLkTildz62l2Me26Dlrv5nNmp8Z3P8JD1K-ChcWc5IO@mail.gmail.com> <AANLkTill8k-fUFt-IZLWdZinScj4fSBoI4rAiAf1PrYR@mail.gmail.com> <1279216291.18579.61.camel@localhost.localdomain> <74AEEFD7-04B3-4B28-970E-0DB554728BED@facebook.com>
In-Reply-To: <74AEEFD7-04B3-4B28-970E-0DB554728BED@facebook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] OAuth vs OAuth2 in Authorization header
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 15 Jul 2010 18:36:28 -0000
X-List-Received-Date: Thu, 15 Jul 2010 18:36:28 -0000

Framing the argument against "having a 2 in it" as bikeshedding is missing the point. My reason against using OAuth2 is that is will undermine all the work put in to build an extensible framework that can evolve without needing a whole new version. By putting a version number, we make it more attractive to change the protocol than extend it.

So far the arguments made are all theoretical.

I will maintain  my objection and preference to reuse the existing names until someone with an existing 1.0 deployment can make a compelling reason why they can rely on the presence of the oauth_signature_method to differentiate. 

EHL



On Jul 15, 2010, at 14:24, "Luke Shepard" <lshepard@facebook.com> wrote:

> 
> On Jul 15, 2010, at 10:51 AM, Justin Richer wrote:
> 
>> It was discussed before, but I don't remember there being any consensus
>> in the group. What are the practical reasons for not using "oauth2"
>> namespacing in the one place we still use namespacing? Most of what I've
>> heard seems to sound like "I don't like it to have a 2 on it". 
> 
> I don't like it to have a 2 in it.
> 
>> I don't want to have to set up the OAuth 2 system to have to catch
>> failed cases of the OAuth 1 protocol. A good OAuth 2 call and a bad
>> OAuth 1 call should be distinguishable from the start. Also, what about
>> when we finally get a signed-request going? I would assume that that's
>> going to add back in things like oauth_signature, oauth_nonce, and the
>> other parameters whose absence you should filter on. 
> 
> The latest signature discussions have all focused on a single, self-contained, signed parameter that includes both data and signature. I think it's unlikely that we will introduce the plethora of parameters that we had in OAuth 1.0.
> 
>> -- Justin
>> 
>> On Thu, 2010-07-15 at 13:37 -0400, David Recordon wrote:
>>> I thought this topic had been beaten to death before. An OAuth 1.0
>>> protected resource request includes a variety of oauth_ parameters
>>> whereas OAuth 2.0 just has oauth_token.
>>> 
>>> 
>>> --David
>>> 
>>> 
>>> On Thu, Jul 15, 2010 at 10:12 AM, Brian Eaton <beaton@google.com>
>>> wrote:
>>>       On Thu, Jul 15, 2010 at 7:59 AM, Justin Richer
>>>       <jricher@mitre.org> wrote:
>>>> +1 on OAuth2 header, and I also want to see oauth2_token in
>>>       URI and form
>>>> parameter methods.
>>> 
>>> 
>>>       Good point about the query parameter names needing to be
>>>       unambiguous.
>>> 
>>>       _______________________________________________
>>>       OAuth mailing list
>>>       OAuth@ietf.org
>>>       https://www.ietf.org/mailman/listinfo/oauth
>>> 
>>> 
>>> 
>> 
>> 
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

v2.38.3 | Report a Bug | By Email | System Status