Re: [oauth] FW: I-D Action:draft-dehora-farrell-oauth-accesstoken-creds-01.txt

Stephen Farrell <stephen.farrell@cs.tcd.ie> Tue, 10 March 2009 09:56 UTC

Message-ID: <49B63954.5080105@cs.tcd.ie>
Date: Tue, 10 Mar 2009 09:56:36 +0000
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
To: Eran Hammer-Lahav <eran@hueniverse.com>
References: <90C41DD21FB7C64BB94121FBBC2E723425023C6EEC@P3PW5EX1MB01.EX1.SECURESERVER.NET>
In-Reply-To: <90C41DD21FB7C64BB94121FBBC2E723425023C6EEC@P3PW5EX1MB01.EX1.SECURESERVER.NET>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [oauth] FW: I-D Action:draft-dehora-farrell-oauth-accesstoken-creds-01.txt

Basic or Digest would, I think, represent the consumer
authenticating as itself and could in fact be mixed with
the consumer passing on the user's credentials in order
to get an access token. (That was explicitly called out
in -00 but removed here since we bumped the security
level somewhat. Could add it back though.)

So, at least for the aggregator use case, I think these
are a) semantically different and b) might even be used
at the same time and so shouldn't be mixed.

I could imagine however an option for a user agent to
use Basic or Digest in an exchange that'd result in
acquisition of an access token. (Which is I guess what
your blog post below is about.) But since that'd require
a change to the browser to be generally useful we didn't
go there. I'd have to think about whether that'd work
for mobile use cases, but I suspect that the requirement
for two round-trips'd work against it there.

S.
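As an added illustration of the distinction drawn above (example code written here, not from the draft or from either author), a token endpoint that treats the consumer authenticating as itself via HTTP Basic and the consumer forwarding the user's credentials as two separate checks; every consumer key, user name and secret is a constructed sample value:

```python
import base64
import hmac
import secrets

# Constructed sample registries (not from the draft): consumer key -> secret,
# and username -> password. Plaintext only to keep the illustration short.
CONSUMERS = {"aggregator-app": "consumer-secret-xyz"}
USERS = {"alice": "alice-pw"}


def basic_header(name, secret):
    """Build an HTTP Basic Authorization header value for name:secret."""
    return "Basic " + base64.b64encode(f"{name}:{secret}".encode()).decode()


def _parse_basic(authorization):
    """Decode a Basic header into (name, secret); None if absent or malformed."""
    if not authorization or not authorization.startswith("Basic "):
        return None
    try:
        raw = base64.b64decode(authorization[6:], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    if ":" not in raw:
        return None
    name, _, secret = raw.partition(":")
    return name, secret


def _check(store, name, secret):
    """Constant-time comparison against the stored secret for `name`."""
    expected = store.get(name)
    return expected is not None and hmac.compare_digest(expected.encode(), secret.encode())


def issue_access_token(headers, form):
    """Token endpoint with two independent layers:
    layer 1: the consumer authenticates as itself (HTTP Basic);
    layer 2: the consumer forwards the resource owner's credentials in the body.
    Returns (status, body); a token is issued only when both layers pass."""
    basic = _parse_basic(headers.get("Authorization"))
    if basic is None or not _check(CONSUMERS, basic[0], basic[1]):
        return "401", {"error": "consumer_auth_failed"}
    username = form.get("username", "")
    if not _check(USERS, username, form.get("password", "")):
        return "401", {"error": "user_auth_failed"}
    # Both identities are known, so the issued token can be bound to the pair.
    return "200", {"oauth_token": secrets.token_urlsafe(24),
                   "consumer": basic[0], "user": username}
```

Putting the user's password into the Basic header instead of the consumer's secret fails the first check, which is the point about the two uses being semantically different: the server then no longer knows which consumer is asking.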

Eran Hammer-Lahav wrote:
> Here's a silly question, why not just use HTTP Basic or Digest auth to accomplish the same thing? Ask for a token using the actual resource owner's server credentials (username and password) and, well, get one.
> 
> Am I missing something?
> 
> More ideas in http://www.hueniverse.com/hueniverse/2009/02/beyond-the-oauth-web-redirection-flow.html
> 
> EHL
> 
> -----Original Message-----
> From: i-d-announce-bounces@ietf.org [mailto:i-d-announce-bounces@ietf.org] On Behalf Of Internet-Drafts@ietf.org
> Sent: Monday, March 09, 2009 12:00 PM
> To: i-d-announce@ietf.org
> Subject: I-D Action:draft-dehora-farrell-oauth-accesstoken-creds-01.txt 
> 
> A New Internet-Draft is available from the on-line Internet-Drafts directories.
> 
> 	Title           : OAuth Access Tokens using credentials
> 	Author(s)       : B. hOra, S. Farrell
> 	Filename        : draft-dehora-farrell-oauth-accesstoken-creds-01.txt
> 	Pages           : 13
> 	Date            : 2009-03-09
> 
> OAuth Access Tokens using credentials is a technique for allowing user agents to obtain an OAuth access token on behalf of a user without requiring user intervention or HTTP redirection to a browser.
> OAuth itself is documented in the OAuth Core 1.0 Specification.
> 
> Editorial Note
> 
> To provide feedback on this Internet-Draft, email the authors.
> 
> A URL for this Internet-Draft is:
> http://www.ietf.org/internet-drafts/draft-dehora-farrell-oauth-accesstoken-creds-01.txt
> 
> Internet-Drafts are also available by anonymous FTP at:
> ftp://ftp.ietf.org/internet-drafts/
> 
> Below is the data which will enable a MIME compliant mail reader implementation to automatically retrieve the ASCII version of the Internet-Draft.
> 