Re: [OAUTH-WG] 2 Leg with OAuth 2.0

Brian Hawkins <brian@lingotek.com> Tue, 29 November 2011 20:28 UTC


Maybe I'm making this harder than it should be.

Here is the situation:  Site A and B both trust each other.  Site A needs
to update user information at site B.

With OAuth 1.0 Site A would use its consumer key and secret to sign the
update call to Site B (no access token involved).  Only one message is sent.

The closest I can come to the above with OAuth 2.0 is to use the MAC token
scheme and sign the request with the consumer secret.  Is that valid?  I
kind of get the idea that the protocol doesn't care.

It feels like the bearer scheme just doesn't work for what I'm trying to do.

Thanks

Brian

On Tue, Nov 29, 2011 at 1:06 PM, Eran Hammer-Lahav <eran@hueniverse.com> wrote:

> This functionality can be implemented in two main ways:
>
> 1. Using the client credentials flow to get an access token,
> then using the protocol as usual
>
> 2. Just using the Bearer (over SSL) or MAC token schemes
> without the rest of OAuth
>
> EHL
>
> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf
> Of Brian Hawkins
> Sent: Tuesday, November 29, 2011 11:49 AM
> To: oauth@ietf.org
> Subject: [OAUTH-WG] 2 Leg with OAuth 2.0
>
> I'm having trouble finding information on how to do 2leg authentication
> with OAuth 2.0.  Does it even support it?
>
> Thanks
>
> Brian
>
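Option 1 from the quoted reply (client credentials flow, then a bearer token), shown with both sides of the exchange. This is an added example, not part of the original thread: it is an in-process Python sketch following RFC 6749 sections 2.3.1 and 4.4, and the client id `site-a`, the secret, the function names and the user data are all constructed for illustration.

```python
import base64, hmac, secrets, time
from urllib.parse import parse_qs, quote, unquote

CLIENTS = {"site-a": "constructed-secret"}  # constructed: Site A as registered at Site B
TOKENS = {}                                  # access_token -> (client_id, expiry)

def basic_header(client_id, client_secret):
    """Site A: HTTP Basic client authentication (RFC 6749 section 2.3.1)."""
    raw = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
    return "Basic " + base64.b64encode(raw.encode()).decode()

def token_endpoint(authorization, body):
    """Site B: client credentials grant (RFC 6749 section 4.4)."""
    scheme, _, b64 = authorization.partition(" ")
    try:
        cid, _, secret = base64.b64decode(b64, validate=True).decode().partition(":")
    except ValueError:  # bad base64 or bad UTF-8
        cid = secret = ""
    expected = CLIENTS.get(unquote(cid))
    # Constant-time comparison so the check does not leak how much of the secret matched.
    if scheme.lower() != "basic" or expected is None or not hmac.compare_digest(
            unquote(secret).encode(), expected.encode()):
        return 401, {"error": "invalid_client"}
    grant = parse_qs(body).get("grant_type")
    if grant != ["client_credentials"]:
        return 400, {"error": "unsupported_grant_type" if grant else "invalid_request"}
    token = secrets.token_urlsafe(32)
    TOKENS[token] = (unquote(cid), time.time() + 3600)
    return 200, {"access_token": token, "token_type": "Bearer", "expires_in": 3600}

def update_user(authorization, user, fields, store):
    """Site B: protected resource; accepts only an unexpired bearer token."""
    scheme, _, token = authorization.partition(" ")
    client_id, expiry = TOKENS.get(token, (None, 0))
    if scheme.lower() != "bearer" or client_id is None or time.time() >= expiry:
        return 401
    store.setdefault(user, {}).update(fields)
    return 200

def site_a_update(store, user, fields, secret="constructed-secret"):
    """Site A: message 1 fetches a token, message 2 makes the update."""
    status, resp = token_endpoint(basic_header("site-a", secret),
                                  "grant_type=client_credentials")
    if status != 200:
        return status
    return update_user("Bearer " + resp["access_token"], user, fields, store)

if __name__ == "__main__":
    users = {}
    print(site_a_update(users, "alice", {"email": "alice@example.com"}), users)
```

Unlike the signed OAuth 1.0 call, neither the Basic header nor the bearer token is bound to the request it travels in, so both messages depend on the SSL/TLS transport mentioned in the reply.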