Re: [OAUTH-WG] consistency of token param name in bearer token type
Bill <bill@dehora.net> Tue, 14 June 2011 15:12 UTC
Return-Path: <bill@dehora.net>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D084E11E80AD for <oauth@ietfa.amsl.com>; Tue, 14 Jun 2011 08:12:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.046
X-Spam-Level:
X-Spam-Status: No, score=-2.046 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HELO_MISMATCH_COM=0.553]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AIIeV4375udA for <oauth@ietfa.amsl.com>; Tue, 14 Jun 2011 08:12:24 -0700 (PDT)
Received: from chilco.textdrive.com (mail.indigozen.co.uk [207.7.108.242]) by ietfa.amsl.com (Postfix) with ESMTP id DEDCF11E80C7 for <oauth@ietf.org>; Tue, 14 Jun 2011 08:12:21 -0700 (PDT)
Received: from [192.168.3.18] (87-198-172-217.static.ptr.magnet.ie [87.198.172.217]) by chilco.textdrive.com (Postfix) with ESMTP id 8EE08DF8A4 for <oauth@ietf.org>; Tue, 14 Jun 2011 15:12:20 +0000 (UTC)
Message-ID: <4DF77A50.8080403@dehora.net>
Date: Tue, 14 Jun 2011 16:12:16 +0100
From: Bill <bill@dehora.net>
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.17) Gecko/20110424 Thunderbird/3.1.10
MIME-Version: 1.0
To: oauth@ietf.org
References: <BANLkTim1VRggQ8W-7WHVcXboOaPr-RcN_A@mail.gmail.com> <4E1F6AAD24975D4BA5B1680429673943380F6A46@TK5EX14MBXC203.redmond.corp.microsoft.com> <BANLkTimQkzW7r-GV7cu67W4Doo7q9JZLnw@mail.gmail.com> <4DE541B5.6080605@aol.com> <BANLkTikMp-=EO9jwdyGFm8=COr_MsSEjbw@mail.gmail.com> <4E1F6AAD24975D4BA5B16804296739433810E906@TK5EX14MBXC203.redmond.corp.microsoft.com> <BANLkTim9Rr3eCM=aLoub+NfPX4QQ6=F3vw@mail.gmail.com> <BANLkTikmLCe5Ztsu3qrw_TasmyN5Gya47Q@mail.gmail.com> <4DF206E7.3040401@aol.com> <90662920-6576-4DA7-B6B6-80C83FDB1E15@jkemp.net> <4DF21800.9090302@aol.com> <133A769C-7B4F-4C36-BDCC-E1D4CAB8D256@jkemp.net> <BANLkTinjOkG+G56sN0qdOvRr6v5NboK=hA@mail.gmail.com>
In-Reply-To: <BANLkTinjOkG+G56sN0qdOvRr6v5NboK=hA@mail.gmail.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Subject: Re: [OAUTH-WG] consistency of token param name in bearer token type
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 14 Jun 2011 15:12:25 -0000
On 10/06/11 17:45, David Recordon wrote: > I think it's vital to have the GET and POST parameters make sense to > every developer. I worry less about the authorization header since a > developer implementing it will honestly be a stronger engineer. I agree with David regardless of engineering strength, this is going to be confusing to developers. Also tho', devs are exposed to the access token response, not just the GET/POST bits. So ideally syntax would line up with how the token is obtained http://tools.ietf.org/html/draft-ietf-oauth-v2-16#section-5.1 and not just across requests using the token. A possible clarifying change is to use something like "bearer_token" end to end. [[[ { "access_token":"vF9dft4qmT", "token_type":"bearer_token", /* ? */ ... } GET /resource HTTP/1.1 Host: server.example.com Authorization: bearer_token vF9dft4qmT GET /resource?bearer_token=vF9dft4qmT&... Host: server.example.com POST /resource Host: server.example.com Content-Type: application/x-www-form-urlencoded &bearer_token=vF9dft4qmT&... HTTP/1.1 401 Unauthorized WWW-Authenticate: bearer_token realm="example" ]]] Bill > Here's what I said earlier in the thread about my motivation: >> Did a full read through of draft 16 and the bear token spec with Paul >> yesterday afternoon in order to do a manual diff from draft 10. The >> point Doug raised was actually confusing. Throughout the core spec >> it's referred to as access_token but then becomes bearer_token upon >> use. >> >> Just thinking through this from a developer documentation perspective, >> it's going to become confusing. Developer documentation focuses on >> getting an access token and then using that access token to interact >> with an API. Thus the code you're writing as a client developer will >> use variables, cache keys, and database columns named `access_token`. >> But then when you're going to use it, you'll need to put this access >> token into a field named bearer_token. >> >> Feels quite a bit simpler to just name it access_token. Realize the >> core spec never did this since we didn't want to trample on protected >> resources which might already have a different type of access_token >> parameter. oauth_token was a good compromise since developers would >> already know that they were using OAuth and thus a new term wasn't >> being introduced. That's no longer true with bearer_token since 99% of >> developers will have never heard of a bearer token. >> >> Googling for "bearer token" turns up Eran's blog post titled "OAuth >> Bearer Tokens are a Terrible Idea" and there isn't a single result on >> the first page which explains what they are. Binging for "bearer >> token" is equally scary. > > --David > > > On Fri, Jun 10, 2011 at 9:34 AM, John Kemp<john@jkemp.net> wrote: >> George, >> >> On Jun 10, 2011, at 4:11 PM, George Fletcher wrote: >> >>> I definitely don't want to change the Authorization header naming scheme. I believe it should stay 'Bearer' because that's what the token is. We could make it... >>> >>> Authorization: Bearer access_token=vF9dft4qmT >>> >>> If that helps with consistency. >> >> Well, it might seem more consistent, but I'm not sure it's worthwhile to make the change just for that reason. >> >> Is it possible that the Bearer HTTP mechanism would ever take multiple parameters? In which case, having the ability to name the parameters of the Bearer mechanism might become more interesting. >> >> - John >> >>> I don't think we should be associating the term 'access_token' with the bearer security mechanism. >>> >>> Thanks, >>> George >>> >>> On 6/10/11 8:35 AM, John Kemp wrote: >>>> What does this mean for the HTTP Authorization header naming scheme for bearer tokens? >>>> >>>> As I understand this decision, we are discussing whether to standardize on the name "access_token" when a bearer token is sent as either a URL query parameter, or in a form POSTed body? >>>> >>>> Currently the HTTP Authorization header looks like this (from >>>> http://tools.ietf.org/html/draft-ietf-oauth-v2-bearer-05 >>>> ): >>>> >>>> GET /resource HTTP/1.1 >>>> Host: server.example.com >>>> Authorization: Bearer vF9dft4qmT >>>> >>>> Is the proposal then that we have: >>>> >>>> 1. GET /resource?access_token=vF9dft4qmT >>>> 2. POST /resource >>>> >>>> access_token=vF9dft4qmT&... >>>> >>>> 3. >>>> >>>> GET /resource HTTP/1.1 >>>> Host: server.example.com >>>> Authorization: access_token vF9dft4qmT >>>> >>>> Can someone actually give the details of the proposal, or agree/disagree with the examples above? >>>> >>>> - John >>>> >>>> On Jun 10, 2011, at 2:58 PM, George Fletcher wrote: >>>> >>>> >>>>> Yes, that's fine with me. >>>>> >>>>> Thanks, >>>>> George >>>>> >>>>> On 6/10/11 4:20 AM, David Recordon wrote: >>>>> >>>>>> George, Doug and Eran are you alright with the Bearer token spec using >>>>>> the parameter name "access_token" as well? >>>>>> >>>>>> >>>>>> On Wed, Jun 8, 2011 at 4:50 PM, Marius Scurtescu >>>>>> >>>>>> <mscurtescu@google.com> >>>>>> >>>>>> wrote: >>>>>> >>>>>> >>>>>>> On Wed, Jun 1, 2011 at 1:14 PM, Mike Jones<Michael.Jones@microsoft.com> >>>>>>> >>>>>>> wrote: >>>>>>> >>>>>>> >>>>>>>> If you can drive a consensus decision for the name "access_token", I'd be glad to change the name in the spec. I agree that the current names are confusing for developers. >>>>>>>> >>>>>>>> >>>>>>> At Google we are getting the same feedback, that it is confusing for >>>>>>> developers. It would definitely help if we could change the name to >>>>>>> "access_token". >>>>>>> >>>>>>> Marius >>>>>>> >>>>>>> >>>>>>> >>>>> _______________________________________________ >>>>> OAuth mailing list >>>>> >>>>> OAuth@ietf.org >>>>> https://www.ietf.org/mailman/listinfo/oauth >>> >> >> > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth >
- [OAUTH-WG] consistency of token param name in bea… Doug Tangren
- Re: [OAUTH-WG] consistency of token param name in… Eran Hammer-Lahav
- Re: [OAUTH-WG] consistency of token param name in… Mike Jones
- Re: [OAUTH-WG] consistency of token param name in… David Recordon
- Re: [OAUTH-WG] consistency of token param name in… Doug Tangren
- Re: [OAUTH-WG] consistency of token param name in… David Recordon
- Re: [OAUTH-WG] consistency of token param name in… William J. Mills
- Re: [OAUTH-WG] consistency of token param name in… George Fletcher
- Re: [OAUTH-WG] consistency of token param name in… David Recordon
- Re: [OAUTH-WG] consistency of token param name in… Mike Jones
- Re: [OAUTH-WG] consistency of token param name in… Justin Richer
- Re: [OAUTH-WG] consistency of token param name in… Doug Tangren
- Re: [OAUTH-WG] consistency of token param name in… Marius Scurtescu
- Re: [OAUTH-WG] consistency of token param name in… David Recordon
- Re: [OAUTH-WG] consistency of token param name in… George Fletcher
- Re: [OAUTH-WG] consistency of token param name in… John Kemp
- Re: [OAUTH-WG] consistency of token param name in… George Fletcher
- Re: [OAUTH-WG] consistency of token param name in… George Fletcher
- Re: [OAUTH-WG] consistency of token param name in… John Kemp
- Re: [OAUTH-WG] consistency of token param name in… Eran Hammer-Lahav
- Re: [OAUTH-WG] consistency of token param name in… David Recordon
- Re: [OAUTH-WG] consistency of token param name in… Marius Scurtescu
- Re: [OAUTH-WG] consistency of token param name in… Eran Hammer-Lahav
- Re: [OAUTH-WG] consistency of token param name in… Stephen Farrell
- Re: [OAUTH-WG] consistency of token param name in… Eran Hammer-Lahav
- Re: [OAUTH-WG] consistency of token param name in… Bill
- Re: [OAUTH-WG] consistency of token param name in… David Recordon
- Re: [OAUTH-WG] consistency of token param name in… Bill
- Re: [OAUTH-WG] consistency of token param name in… Eran Hammer-Lahav
- Re: [OAUTH-WG] consistency of token param name in… John Bradley
- Re: [OAUTH-WG] consistency of token param name in… William J. Mills
- Re: [OAUTH-WG] consistency of token param name in… Lodderstedt, Torsten
- Re: [OAUTH-WG] consistency of token param name in… KIHARA, Boku
- Re: [OAUTH-WG] consistency of token param name in… Doug Tangren
- Re: [OAUTH-WG] consistency of token param name in… Justin Richer
- Re: [OAUTH-WG] consistency of token param name in… Eran Hammer-Lahav
- Re: [OAUTH-WG] consistency of token param name in… Eran Hammer-Lahav
- Re: [OAUTH-WG] consistency of token param name in… Torsten Lodderstedt
- Re: [OAUTH-WG] consistency of token param name in… Manger, James H