Re: [OAUTH-WG] OAuth WRAP

Eran Hammer-Lahav <eran@hueniverse.com> Tue, 10 November 2009 21:16 UTC

My 2c:

WRAP was developed out of necessity due to limitations in OAuth and product release schedule. Without going into too much detail about whether a whole new protocol was really necessary, the WRAP authors felt that it was, and that their timeline could not accommodate waiting for the OAUTH WG to accommodate their use cases in the new version of the spec. We now have a new and separate spec in the space.

I have encouraged the authors to submit their spec as input for the WG and to collaborate to make the upcoming WG spec cover their use case. The goal would be to render the separate WRAP spec unnecessary. How they or others would choose to apply this to their implementation is beyond my control or (TBH) interest.

Most of the innovative ideas in WRAP are around the delegation flow (and there are some good ideas in there). I plan to use some of that as the basis for the new delegation spec. On the authentication side, WRAP uses a bearer token with no crypto, which will be supported by the PLAIN flavor.

As for how to manage community expectations, the OAuth brand, etc.: I was opposed to putting WRAP under the OAuth brand (the entire effort started as "Simple OAuth"). Others felt that pretending WRAP was an OAuth profile (it is not) and naming it as such would be less confusing or less damaging to the OAuth brand (if you call it the same thing, there is no competition). I didn't care enough to (continue) that argument given my view that by the time WRAP gets the wide attention OAuth has, this WG will have produced stable drafts of the new OAuth and will have made this irrelevant.

EHL




On 11/10/09 11:56 AM, "Paul C. Bryan" <email@pbryan.net> wrote:

I guess I must admit I'm a bit surprised that the general consensus
would be to merge with/profile WRAP as OAuth, as the deltas between the
two protocols as defined seem quite substantial. Does this mean that
for all intents and purposes I should consider the existing OAuth IETF
drafts to date to be deprecated in favour of WRAP?

Paul

On Tue, 2009-11-10 at 19:46 +0000, Dick Hardt wrote:
> Good question. Given the positive reception WRAP received at IIW and
> that capabilities in WRAP are expected to come out of the work in the
> IETF OAuth WG, there was consensus from the OAuth community to include
> WRAP as OAuth profiles.
>
> -- Dick
>
> On 2009-11-10, at 10:06 AM, "Paul C. Bryan" <email@pbryan.net> wrote:
>
> > Hi Dick:
> >
> > Given that WRAP is so different from OAuth (as I know it), other than
> > the fact that OAuth could be used to negotiate the issuance of a WRAP
> > refresh token, I'm curious why you chose to associate this with
> > OAuth by giving it an "OAuth" prefix. It seems to me that it would
> > only create confusion in this space.
> >
> > Paul
> >
> > On Tue, 2009-11-10 at 17:52 +0000, Dick Hardt wrote:
> >> At IIW last week, myself, Brian Eaton from Google and Allen Tom from
> >> Yahoo! presented what is now called OAuth WRAP.
> >>
> >> The specs and discussion specific to those documents are at:
> >>
> >>    http://groups.google.com/group/oauth-wrap-wg
> >>
> >> We plan to submit the document as an I-D next week when I-D
> >> submission is open again, and for further work to occur in the
> >> IETF OAuth WG.
> >>
> >> -- Dick
> >> _______________________________________________
> >> OAuth mailing list
> >> OAuth@ietf.org
> >> https://www.ietf.org/mailman/listinfo/oauth
> >