[OAUTH-WG] Facebook, OAuth, and WRAP

David Recordon <davidrecordon@facebook.com> Tue, 24 November 2009 18:57 UTC

Return-Path: <davidrecordon@facebook.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost []) by core3.amsl.com (Postfix) with ESMTP id EF5903A6816 for <oauth@core3.amsl.com>; Tue, 24 Nov 2009 10:57:43 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.965
X-Spam-Status: No, score=-5.965 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, IP_NOT_FRIENDLY=0.334, RCVD_IN_DNSWL_MED=-4, SARE_WEOFFER=0.3]
Received: from mail.ietf.org ([]) by localhost (core3.amsl.com []) (amavisd-new, port 10024) with ESMTP id jBM5yrdVgmXz for <oauth@core3.amsl.com>; Tue, 24 Nov 2009 10:57:43 -0800 (PST)
Received: from mailout-sf2p.facebook.com (mailout-snc1.facebook.com []) by core3.amsl.com (Postfix) with ESMTP id 03C713A688E for <oauth@ietf.org>; Tue, 24 Nov 2009 10:57:42 -0800 (PST)
Received: from mail.thefacebook.com (intlb01.snat.snc1.facebook.com [] (may be forged)) by pp02.snc1.tfbnw.net (8.14.1/8.14.1) with ESMTP id nAOIvHOH020307 (version=TLSv1/SSLv3 cipher=RC4-MD5 bits=128 verify=NOT) for <oauth@ietf.org>; Tue, 24 Nov 2009 10:57:17 -0800
Received: from SC-MBXC1.TheFacebook.com ([]) by sc-hub02.TheFacebook.com ([]) with mapi; Tue, 24 Nov 2009 10:57:36 -0800
From: David Recordon <davidrecordon@facebook.com>
To: "oauth@ietf.org" <oauth@ietf.org>
Date: Tue, 24 Nov 2009 10:57:33 -0800
Thread-Topic: Facebook, OAuth, and WRAP
Thread-Index: AcptN/sGLUJPJF8VTBWs8YsEibJh6w==
Message-ID: <148C596691F29F4EA6968577BE2CDFAE06A1B9FE@SC-MBXC1.TheFacebook.com>
Accept-Language: en-US
Content-Language: en-US
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=1.12.8161:2.4.5, 1.2.40, 4.0.166 definitions=2009-11-24_09:2009-11-16, 2009-11-24, 2009-11-24 signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 spamscore=0 ipscore=0 phishscore=0 bulkscore=0 adultscore=0 classifier=spam adjust=0 reason=mlx engine=5.0.0-0908210000 definitions=main-0911240180
Cc: Naitik Shah <naitik@facebook.com>, Brent Goldman <brent@facebook.com>, Luke Shepard <lshepard@facebook.com>
Subject: [OAUTH-WG] Facebook, OAuth, and WRAP
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 24 Nov 2009 18:58:17 -0000

Hey all,
This was originally a comment on Eran's post about WRAP (http://hueniverse.com/2009/11/wrap-and-the-demise-of-the-oauth-community/).  Beyond Luke and I talking at the Internet Identity Workshop a few weeks ago, I don't think we've actually articulated where Facebook is thinking in regards to OAuth.  In order to help get OAuth 2.0 done, I wanted to make sure we've shared where we see OAuth 1.0 falling short, why we're interested in WRAP, and the four main use cases our current proprietary authentication mechanism solves.  We've also signed Open Web Foundation agreements for OAuth Core 1.0a and the WRAP specs (http://developers.facebook.com/news.php?blog=1&story=335).

The largest issue in Facebook moving to OAuth 1.0 (and yes, Eran's new RFC is awesome) is the increase in the number of HTTP requests that developers will need to make in comparison to our current authentication mechanism.  We want to move to using OAuth, but for this reason and hearing strongly from other major implementors that OAuth has not been widely adopted by their developer communities because it is too difficult to correctly implement has us concerned.

The most interesting part of WRAP are the various profiles.  They currently map well to our existing authentication mechanisms and the username/password profile is an API we offer to whitelisted partners such as the XBox and Playstation 3.  It would be great if OAuth 2.0 had a similar profile mechanism where each profile is optimized in terms of the number of steps (HTTP requests) required versus being combined together like OAuth 1.0.

I'm not convinced that signatures are "too hard" for developers especially when libraries hide them away.  That said, OAuth 1.0 implementations still requires that developers understand the different types of tokens in addition to when and how they're generated.

WRAP is intriguing in terms of really simplifying what developers need to understand.  The first step being trading some set of credentials or asking the user to go somewhere results in an access token.  The second step then being including that access token via HTTP headers, a GET arg, or a POST arg over SSL without needing to calculate any sort of signatures.  The downside is that now all APIs need to be served over SSL, but that seems doable.

These are the four main use cases which were focused on.  While there is quite a bit of overlap between them, we think that it is important to have specifically optimized flows for each so that individually they are as simple as possible to implement.

1) "OAuth" web flow of redirecting a user to Facebook, them authorizing pre-registered application, and then being redirected back to the web app within their browser.
2) A mobile/desktop flow where the user is redirected back to Facebook, authorizes the app, and then is sent back to the application.  We both have a version of this use case where the application separately opens a browser and one where the application is able to embed a browser directly.
3) A mobile/desktop/device flow where the user enters their Facebook username/password which the application then trades for a token.  This is for whitelisted partners.
4) A fully JavaScript environment where the JavaScript sets a cookie containing the credentials needed for the web application to get API access while the user has an active session.

We think that WRAP currently solves #3, probably solves #2, and mostly solves #1.  #4 hasn't been tackled within WRAP yet, but we hope to develop a profile for it as well.

I'm happy to participate in the IETF to help develop OAuth 2.0 and to encourage others from Facebook to do the same, but also want to be really pragmatic around having something we can ship (either WRAP or 2.0) sooner rather than later.