IETF Logo Mail Archive

Re: [OAUTH-WG] consistency of token param name in bearer token type

John Bradley <ve7jtb@ve7jtb.com> Wed, 15 June 2011 18:04 UTC

Return-Path: <ve7jtb@ve7jtb.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 60E2A11E80C7 for <oauth@ietfa.amsl.com>; Wed, 15 Jun 2011 11:04:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.599
X-Spam-Level:
X-Spam-Status: No, score=-3.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qLQgkXIoFiD0 for <oauth@ietfa.amsl.com>; Wed, 15 Jun 2011 11:04:26 -0700 (PDT)
Received: from mail-fx0-f44.google.com (mail-fx0-f44.google.com [209.85.161.44]) by ietfa.amsl.com (Postfix) with ESMTP id 1F11411E808D for <oauth@ietf.org>; Wed, 15 Jun 2011 11:04:25 -0700 (PDT)
Received: by fxm15 with SMTP id 15so686191fxm.31 for <oauth@ietf.org>; Wed, 15 Jun 2011 11:04:25 -0700 (PDT)
Received: by 10.223.61.82 with SMTP id s18mr37101fah.44.1308161064860; Wed, 15 Jun 2011 11:04:24 -0700 (PDT)
Received: from [192.168.1.210] ([190.22.14.136]) by mx.google.com with ESMTPS id 11sm369449fax.12.2011.06.15.11.04.18 (version=TLSv1/SSLv3 cipher=OTHER); Wed, 15 Jun 2011 11:04:24 -0700 (PDT)
Mime-Version: 1.0 (Apple Message framework v1084)
Content-Type: text/plain; charset="us-ascii"
From: John Bradley <ve7jtb@ve7jtb.com>
In-Reply-To: <90C41DD21FB7C64BB94121FBBC2E7234475E986B03@P3PW5EX1MB01.EX1.SECURESERVER.NET>
Date: Wed, 15 Jun 2011 14:04:13 -0400
Content-Transfer-Encoding: quoted-printable
Message-Id: <EE7EE150-2E4E-40E3-ADB5-DB1C080DD637@ve7jtb.com>
References: <BANLkTim1VRggQ8W-7WHVcXboOaPr-RcN_A@mail.gmail.com> <4E1F6AAD24975D4BA5B1680429673943380F6A46@TK5EX14MBXC203.redmond.corp.microsoft.com> <BANLkTimQkzW7r-GV7cu67W4Doo7q9JZLnw@mail.gmail.com> <4DE541B5.6080605@aol.com> <BANLkTikMp-=EO9jwdyGFm8=COr_MsSEjbw@mail.gmail.com> <4E1F6AAD24975D4BA5B16804296739433810E906@TK5EX14MBXC203.redmond.corp.microsoft.com> <90C41DD21FB7C64BB94121FBBC2E7234475E986B03@P3PW5EX1MB01.EX1.SECURESERVER.NET>
To: Eran Hammer-Lahav <eran@hueniverse.com>
X-Mailer: Apple Mail (2.1084)
Cc: paul Tarjan <paul.tarjan@fb.com>, "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] consistency of token param name in bearer token type
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 15 Jun 2011 18:04:27 -0000

I agree access_token is better.

John B.
On 2011-06-15, at 1:38 PM, Eran Hammer-Lahav wrote:

> It should be pretty easy :-)
> 
> Anyone objects to changing the parameter name from 'bearer_token' to 'access_token'? Let Mike know by 6/20 or he will make the change.
> 
> EHL
> 
> 
>> -----Original Message-----
>> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf
>> Of Mike Jones
>> Sent: Wednesday, June 01, 2011 1:15 PM
>> To: David Recordon; George Fletcher
>> Cc: paul Tarjan; oauth@ietf.org
>> Subject: Re: [OAUTH-WG] consistency of token param name in bearer token
>> type
>> 
>> If you can drive a consensus decision for the name "access_token", I'd be
>> glad to change the name in the spec.  I agree that the current names are
>> confusing for developers.
>> 
>> 				-- Mike
>> 
>> -----Original Message-----
>> From: David Recordon [mailto:recordond@gmail.com]
>> Sent: Wednesday, June 01, 2011 12:06 AM
>> To: George Fletcher
>> Cc: Mike Jones; Doug Tangren; oauth@ietf.org; paul Tarjan
>> Subject: Re: [OAUTH-WG] consistency of token param name in bearer token
>> type
>> 
>> Yeah, can understand how we got here. Just found it quite confusing when
>> reading these two specifications together with an implementor's hat on.
>> 
>> On Tue, May 31, 2011 at 12:29 PM, George Fletcher <gffletch@aol.com>
>> wrote:
>>> Brief pointer to the "history" of this change. This change was adopted
>>> in draft 4 of the bearer spec as there were concerns with the previous
>>> parameter name of 'oauth_token'. The suggestion was made to use
>>> 'bearer_token' so that it matches the scheme used in the Authorization
>>> header. The thinking being that reading the bearer token spec would
>>> seem weird if the Authorization header used one name and the GET/POST
>>> methods used a different name.
>>> 
>>> The 'bearer_token' name got a few +1 and no dissents.
>>> 
>>> Full thread starts here [1]. Mike accepting the 'bearer_token'
>>> recommendation is here [2].
>>> 
>>> Thanks,
>>> George
>>> 
>>> [1] http://www.ietf.org/mail-archive/web/oauth/current/msg05497.html
>>> [2] http://www.ietf.org/mail-archive/web/oauth/current/msg05881.html
>>> 
>>> On 5/28/11 12:30 PM, David Recordon wrote:
>>> 
>>> Did a full read through of draft 16 and the bear token spec with Paul
>>> yesterday afternoon in order to do a manual diff from draft 10. The
>>> point Doug raised was actually confusing. Throughout the core spec
>>> it's referred to as access_token but then becomes bearer_token upon
>>> use.
>>> 
>>> Just thinking through this from a developer documentation perspective,
>>> it's going to become confusing. Developer documentation focuses on
>>> getting an access token and then using that access token to interact
>>> with an API. Thus the code you're writing as a client developer will
>>> use variables, cache keys, and database columns named `access_token`.
>>> But then when you're going to use it, you'll need to put this access
>>> token into a field named bearer_token.
>>> 
>>> Feels quite a bit simpler to just name it access_token. Realize the
>>> core spec never did this since we didn't want to trample on protected
>>> resources which might already have a different type of access_token
>>> parameter. oauth_token was a good compromise since developers would
>>> already know that they were using OAuth and thus a new term wasn't
>>> being introduced. That's no longer true with bearer_token since 99% of
>>> developers will have never heard of a bearer token.
>>> 
>>> Googling for "bearer token" turns up Eran's blog post titled "OAuth
>>> Bearer Tokens are a Terrible Idea" and there isn't a single result on
>>> the first page which explains what they are. Binging for "bearer
>>> token" is equally scary.
>>> 
>>> --David
>>> 
>>> 
>>> On Mon, May 23, 2011 at 11:38 AM, Mike Jones
>>> <Michael.Jones@microsoft.com> wrote:
>>> 
>>> The working group explicitly decided that a different name should be
>>> used, to make it clear that other token types other than bearer tokens
>>> could also be used with OAuth 2.
>>> 
>>> 
>>> 
>>>                                                             -- Mike
>>> 
>>> 
>>> 
>>> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf
>>> Of Doug Tangren
>>> Sent: Wednesday, May 11, 2011 10:09 PM
>>> To: oauth@ietf.org
>>> Subject: [OAUTH-WG] consistency of token param name in bearer token
>>> type
>>> 
>>> 
>>> 
>>> This may have come up before so I'm sorry if I'm repeating. Why does
>>> bearer token spec introduce a new name for oauth2 access tokens [1],
>>> "bearer_token", and before that [2], "oauth_token"?
>>> 
>>> 
>>> 
>>> I apologize if this may sound shallow but, why introduce a new
>>> parameter name verses sticking with what the general oauth2 spec
>>> already defines, "access_token". It seems arbitrary for an auth server
>>> to hand a client an apple then have the client hand it off to the
>>> resource server and call it an orange.
>>> 
>>> 
>>> 
>>> Was this just for the sake of differentiating the parameter name
>>> enough so that the bearer tokens may be used in other protocols
>>> without being confused with oauth2 access_tokens?
>>> 
>>> 
>>> 
>>> [1]:
>>> http://tools.ietf.org/html/draft-ietf-oauth-v2-bearer-04#section-2.2
>>> 
>>> [2]:
>>> http://tools.ietf.org/html/draft-ietf-oauth-v2-bearer-03#section-2.2
>>> 
>>> 
>>> 
>>> -Doug Tangren
>>> http://lessis.me
>>> 
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>>> 
>>> 
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>>> 
>>> 
>>> --
>>> Chief Architect                   AIM:  gffletch
>>> Identity Services Engineering     Work: george.fletcher@teamaol.com
>>> AOL Inc.                          Home: gffletch@aol.com
>>> Mobile: +1-703-462-3494           Blog: http://practicalid.blogspot.com
>>> Office: +1-703-265-2544           Twitter: http://twitter.com/gffletch
>>> 
>> 
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email