Re: [OAUTH-WG] Mandatory-to-implement token type

Eran Hammer-Lahav <> Thu, 17 November 2011 18:43 UTC

From: Eran Hammer-Lahav <>
To: Barry Leiba <>, oauth WG <>
Date: Thu, 17 Nov 2011 11:38:48 -0700
Message-ID: <90C41DD21FB7C64BB94121FBBC2E7234526735EB64@P3PW5EX1MB01.EX1.SECURESERVER.NET>

> 1. Should we specify some token type as mandatory to implement?  Why or
> why not (*briefly*)?

On the server - no. It makes no sense because the server dictates the token type so if it decides to never issue the mandated type, what's the point in implementing?

On the client, maybe. If the server knows that a client will always understand a set of token types, it can choose to use that and ensure interop (or not). In practice, mandating will add no real interop value. Almost every client will hard-code the token types it needs to understand and providers are not likely to support more than one or to change it. We can mandate a type for 'generic clients' so that libraries support both, but it won't actually make any difference.

Bottom line, this is a red herring. OAuth doesn't really provide this level of interop and was never designed for that. In the future, when we have more interop web APIs (photos, social, etc.) and we have real world experience with discovery, this will be important. But that's a few years away (at least).

> 2. If we do specify one, which token type should it be?

This is a no-win situation. Most providers will ignore a requirement to support MAC, or will support it but will not see much usage, because most developers, when given the choice, will go with Bearer. Mandating Bearer will be ignored by providers who want better security and will most likely render MAC pointless. If we mandate Bearer, I see no point in even publishing MAC as it will turn into a purely theoretical exercise.

Given the history of this group, no change is the only likely consensus.
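The point made above, that the server dictates `token_type` and a client simply hard-codes the types it understands, is illustrated by the following added example (not code from the thread or from any OAuth library). It is a hypothetical client that fails closed on any `token_type` it was not built for, emits the Bearer header, and for MAC computes an HMAC over a normalized request string modelled on the 2011 MAC draft; that exact layout and the sample token responses are assumptions, and the resource-server check is included to show the round trip.

```python
import base64
import hashlib
import hmac
import json
from urllib.parse import urlsplit

# Token types this client understands; RFC 6749 token_type is case-insensitive.
SUPPORTED_TYPES = {"bearer", "mac"}
MAC_ALGORITHMS = {"hmac-sha-1": hashlib.sha1, "hmac-sha-256": hashlib.sha256}

# Constructed sample token-endpoint responses (not real credentials).
SAMPLE_BEARER = '{"access_token": "2YotnFZFEjr1zCsicMWpAA", "token_type": "Bearer"}'
SAMPLE_MAC = ('{"access_token": "h480djs93hd8", "token_type": "mac", '
              '"mac_key": "adijq39jdlaska9asud", "mac_algorithm": "hmac-sha-256"}')

def parse_token_response(body):
    """Parse a token response; reject token types or MAC algorithms we cannot use."""
    tok = json.loads(body)
    tok["token_type"] = tok.get("token_type", "").lower()
    if tok["token_type"] not in SUPPORTED_TYPES:
        raise ValueError("unsupported token_type: %r" % tok["token_type"])
    if tok["token_type"] == "mac" and tok.get("mac_algorithm") not in MAC_ALGORITHMS:
        raise ValueError("unsupported mac_algorithm: %r" % tok.get("mac_algorithm"))
    return tok

def mac_normalized_string(nonce, method, url, ext=""):
    """Normalized request string, modelled on the 2011 MAC draft (assumed layout):
    nonce, method, request-URI, host, port, ext, each newline-terminated."""
    u = urlsplit(url)
    port = u.port or (443 if u.scheme == "https" else 80)
    request_uri = (u.path or "/") + ("?" + u.query if u.query else "")
    return "\n".join([nonce, method.upper(), request_uri, u.hostname, str(port), ext]) + "\n"

def compute_mac(tok, nonce, method, url):
    digest = hmac.new(tok["mac_key"].encode(), mac_normalized_string(nonce, method, url).encode(),
                      MAC_ALGORITHMS[tok["mac_algorithm"]]).digest()
    return base64.b64encode(digest).decode()

def authorization_header(tok, method, url, nonce):
    """Build the Authorization value the server-dictated token_type requires."""
    if tok["token_type"] == "bearer":
        return "Bearer " + tok["access_token"]
    mac = compute_mac(tok, nonce, method, url)
    return 'MAC id="%s", nonce="%s", mac="%s"' % (tok["access_token"], nonce, mac)

def server_verifies(tok, header, method, url):
    """Resource-server side: recompute the MAC over its own view of the request and
    compare in constant time (nonce replay tracking omitted for brevity)."""
    fields = dict(f.strip().split("=", 1) for f in header[4:].split(","))
    nonce = fields["nonce"].strip('"')
    return hmac.compare_digest(compute_mac(tok, nonce, method, url), fields["mac"].strip('"'))
```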