Re: [OAUTH-WG] Facebook access_token vs OAuth 2.0 spec oauth_token inconsistency

Paul Lindner <lindner@inuus.com> Thu, 29 April 2010 18:19 UTC

In-Reply-To: <k2tce1325031004290824w4cb24792n8c048832cc649821@mail.gmail.com>
References: <k2tce1325031004290824w4cb24792n8c048832cc649821@mail.gmail.com>
Date: Thu, 29 Apr 2010 11:13:23 -0700
Message-ID: <h2ub71cdca91004291113geec3b3a9l8c43fdf49f7e6d2c@mail.gmail.com>
From: Paul Lindner <lindner@inuus.com>
To: Pelle Braendgaard <pelle@stakeventures.com>
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] Facebook access_token vs OAuth 2.0 spec oauth_token inconsistency

I'm also not happy that they are allowing bearer-token access to these
resources via non-SSL requests.   I'd hate to see such an insecure practice
gain traction before the protocol is even out the door.  (You just know that
people will implement things "like facebook")


On Thu, Apr 29, 2010 at 8:24 AM, Pelle Braendgaard <pelle@stakeventures.com> wrote:

> Just working on adding OAuth 2.0 support to the Ruby OAuth Plugin and
> I noticed that the facebook documentations says to use the
> access_token parameter like this:
>
>  https://graph.facebook.com/me?access_token=...
> (http://developers.facebook.com/docs/authentication/)
>
> But in the specs it specifies that it should use the oauth_token
> parameter http://tools.ietf.org/html/draft-hammer-oauth2-00#section-5.2.1
> :
>
>  When including the access token in the HTTP request URI, the client
>   adds the access token to the request URI query component as defined
>   by [RFC3986] using the "oauth_token" parameter.
>
>  For example, the client makes the following HTTPS request:
>
>
>     GET /resource?oauth_token=vF9dft4qmT HTTP/1.1
>     Host: server.example.com
>
> Does anyone know what the deal is? Will Facebook also support
> oauth_token, or will we have to support both types?
>
> P
>
> --
> http://agree2.com - Reach Agreement!
> http://extraeagle.com - Solutions for the electronic Extra Legal world
> http://stakeventures.com - Bootstrapping blog
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
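The two points raised in this thread (the oauth_token vs. access_token parameter name, and bearer tokens being sent over plain HTTP) as a worked example. This is an added illustration, not code from the thread, from the Ruby OAuth plugin, or from Facebook; Ruby is used only because the original question concerned that plugin. The function names `token_request_uri` and `extract_access_token` and the `InsecureTransportError` class are hypothetical, the token value vF9dft4qmT is the one from the draft's own example, and nothing here asserts what graph.facebook.com actually accepts.

```ruby
require 'uri'

# The two query-parameter names in play: "oauth_token" from
# draft-hammer-oauth2-00 section 5.2.1 and "access_token" from the
# Facebook documentation quoted in the thread.
TOKEN_PARAM_NAMES = %w[oauth_token access_token].freeze

# Raised when a bearer token would be sent over a non-TLS URI. (Hypothetical
# class name, added for this example.)
class InsecureTransportError < StandardError; end

# Client side: build the resource URI with the bearer token in the query
# component. A bearer token is a replayable credential, so by default it is
# only ever placed on an https URI; allow_http must be opted into explicitly.
def token_request_uri(resource_url, access_token, param: 'oauth_token', allow_http: false)
  raise ArgumentError, "unknown token parameter #{param}" unless TOKEN_PARAM_NAMES.include?(param)

  uri = URI.parse(resource_url)
  unless uri.is_a?(URI::HTTPS) || allow_http
    raise InsecureTransportError, "refusing to send bearer token over #{uri.scheme}"
  end

  query = URI.decode_www_form(uri.query || '')
  # Never emit the token twice under different names; drop any existing copy.
  query.reject! { |k, _| TOKEN_PARAM_NAMES.include?(k) }
  query << [param, access_token]
  uri.query = URI.encode_www_form(query)
  uri
end

# Resource-server side: accept either parameter name during the transition,
# but treat a request carrying both (or either one twice) as malformed
# instead of silently picking one of the values.
def extract_access_token(request_uri)
  uri = URI.parse(request_uri)
  pairs = URI.decode_www_form(uri.query || '')
  tokens = pairs.select { |k, _| TOKEN_PARAM_NAMES.include?(k) }
  return nil if tokens.empty?
  if tokens.size > 1
    raise ArgumentError, "ambiguous access token parameters: #{tokens.map(&:first).join(', ')}"
  end
  tokens.first.last
end

if __FILE__ == $PROGRAM_NAME
  spec_style = token_request_uri('https://server.example.com/resource', 'vF9dft4qmT')
  fb_style   = token_request_uri('https://graph.facebook.com/me', 'vF9dft4qmT', param: 'access_token')
  puts spec_style              # https://server.example.com/resource?oauth_token=vF9dft4qmT
  puts fb_style                # https://graph.facebook.com/me?access_token=vF9dft4qmT
  puts extract_access_token(fb_style.to_s)

  begin
    token_request_uri('http://graph.facebook.com/me', 'vF9dft4qmT', param: 'access_token')
  rescue InsecureTransportError => e
    puts "rejected: #{e.message}"
  end
end
```

The client helper is the part a library author would actually ship: supporting both names is a one-keyword switch, while the https check is what keeps the "like facebook" practice from leaking tokens to anyone on the path.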