IETF Logo Mail Archive

Re: [OAUTH-WG] OAuth vs OAuth2 in Authorization header

Justin Richer <jricher@mitre.org> Thu, 15 July 2010 14:59 UTC

Return-Path: <jricher@mitre.org>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 996AA3A688A for <oauth@core3.amsl.com>; Thu, 15 Jul 2010 07:59:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.465
X-Spam-Level:
X-Spam-Status: No, score=-6.465 tagged_above=-999 required=5 tests=[AWL=0.134, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SxYauC2tGYYG for <oauth@core3.amsl.com>; Thu, 15 Jul 2010 07:59:20 -0700 (PDT)
Received: from smtp-bedford.mitre.org (smtp-bedford.mitre.org [129.83.20.191]) by core3.amsl.com (Postfix) with ESMTP id B2F5A3A682A for <oauth@ietf.org>; Thu, 15 Jul 2010 07:59:20 -0700 (PDT)
Received: from smtp-bedford.mitre.org (localhost.localdomain [127.0.0.1]) by smtp-bedford.mitre.org (8.13.1/8.13.1) with ESMTP id o6FExUWf004294 for <oauth@ietf.org>; Thu, 15 Jul 2010 10:59:31 -0400
Received: from imchub2.MITRE.ORG (imchub2.mitre.org [129.83.29.74]) by smtp-bedford.mitre.org (8.13.1/8.13.1) with ESMTP id o6FExUu3004289; Thu, 15 Jul 2010 10:59:30 -0400
Received: from [129.83.50.65] (129.83.50.65) by imchub2.MITRE.ORG (129.83.29.74) with Microsoft SMTP Server id 8.2.254.0; Thu, 15 Jul 2010 10:59:30 -0400
From: Justin Richer <jricher@mitre.org>
To: Brian Eaton <beaton@google.com>
In-Reply-To: <AANLkTim6az--AdwmEoew2pz3kEjhc_GyEaiyo_0UhSRr@mail.gmail.com>
References: <AANLkTim6az--AdwmEoew2pz3kEjhc_GyEaiyo_0UhSRr@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"
Date: Thu, 15 Jul 2010 10:59:29 -0400
Message-ID: <1279205969.18579.55.camel@localhost.localdomain>
MIME-Version: 1.0
X-Mailer: Evolution 2.28.3
Content-Transfer-Encoding: 7bit
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] OAuth vs OAuth2 in Authorization header
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 15 Jul 2010 14:59:21 -0000

+1 on OAuth2 header, and I also want to see oauth2_token in URI and form
parameter methods.

1.0 clients will talk to systems that support both oauth2 and oauth1
simultaneously. Most likely on the same PR endpoints as well. Since the
protocols are not backwards compatible, they should be able to coexist. 

 -- Justin

On Thu, 2010-07-15 at 01:38 -0400, Brian Eaton wrote:
> Draft 10 switched from "Token" scheme in the authorization header to
> "OAuth".  I'd rather we didn't reuse OAuth.  'OAuth2' would be great.
> "Token" is ugly as sin, but is better than "OAuth".
> 
> Spec section: http://tools.ietf.org/html/draft-ietf-oauth-v2-10#page-30
> 
> The problem with reusing "OAuth" is that there are existing
> implementations in the wild that have special behavior implemented for
> OAuth authorization headers.  Since OAuth2 headers don't have the same
> semantics, we're going to break those implementations.  We shouldn't
> reuse "OAuth" for the same reasons we shouldn't reuse "Negotiate",
> "NTLM", "Digest", or "Basic.
> 
> Cheers,
> Brian
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

v2.38.3 | Report a Bug | By Email | System Status