IETF Logo Mail Archive

Re: [OAUTH-WG] Alternative Upgrade Flow

Torsten Lodderstedt <torsten@lodderstedt.net> Sat, 17 July 2010 12:30 UTC

Return-Path: <torsten@lodderstedt.net>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 707A53A6403 for <oauth@core3.amsl.com>; Sat, 17 Jul 2010 05:30:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.137
X-Spam-Level:
X-Spam-Status: No, score=-2.137 tagged_above=-999 required=5 tests=[AWL=0.112, BAYES_00=-2.599, HELO_EQ_DE=0.35]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id s7N92AwgKOdU for <oauth@core3.amsl.com>; Sat, 17 Jul 2010 05:30:53 -0700 (PDT)
Received: from smtprelay03.ispgateway.de (smtprelay03.ispgateway.de [80.67.31.37]) by core3.amsl.com (Postfix) with ESMTP id 96AB13A698D for <oauth@ietf.org>; Sat, 17 Jul 2010 05:30:51 -0700 (PDT)
Received: from p4ffd12f0.dip.t-dialin.net ([79.253.18.240] helo=[127.0.0.1]) by smtprelay03.ispgateway.de with esmtpa (Exim 4.68) (envelope-from <torsten@lodderstedt.net>) id 1Oa6Xm-0003Sl-Ij; Sat, 17 Jul 2010 14:31:02 +0200
Message-ID: <4C41A281.7080809@lodderstedt.net>
Date: Sat, 17 Jul 2010 14:30:57 +0200
From: Torsten Lodderstedt <torsten@lodderstedt.net>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; de; rv:1.9.1.10) Gecko/20100512 Thunderbird/3.0.5
MIME-Version: 1.0
To: Justin Richer <jricher@mitre.org>
References: <1279298904.11628.74.camel@localhost.localdomain>
In-Reply-To: <1279298904.11628.74.camel@localhost.localdomain>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Df-Sender: 141509
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Alternative Upgrade Flow
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 17 Jul 2010 12:30:55 -0000

I think we gonna need additional end points anyway, e.g. for token 
revocation. So why not use another endpoint for that purpose? That way 
the tokens endpoint is not overloaded to much.

regards,
Torsten.

Am 16.07.2010 18:48, schrieb Justin Richer:
> The current proposal for a 1.0->2.0 upgrade flow is to use the assertion
> profile and pass the OAuth token in there. Instead, one could create an
> endpoint that speaks the 1.0 protocol fully, signatures and client
> secrets and everything, but issues 2.0 tokens, JSON and all. It's a
> hybridized endpoint also, but put together with the opposite pieces. In
> both cases, you put a 1.0 token in one end and get a 2.0 token out the
> other. But in this case, the request being made is a completely vanilla
> OAuth 1.0 protected resource access request.
>
> Does this really need a separate endpoint, or can we extend the
> grant_type options to include "oath1.0" in an extension? I know that
> extensions aren't currently allowed to make new grant_types -- I think
> they should be able to and and proposing that we allow that extension
> point. I dislike the reasoning of "just cram it all into an assertion to
> extend", since it doesn't allow for clients to separate out their
> parameters easily.
>
>   -- Justin
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>

v2.35.0 | Report a Bug | By Email | System Status