Re: [oauth] FW: I-D Action:draft-dehora-farrell-oauth-accesstoken-creds-01.txt
Onyx Raven <onyxraven@gmail.com> Wed, 11 March 2009 04:01 UTC
Return-Path: <onyxraven@gmail.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id E8FBD3A68A8 for <oauth@core3.amsl.com>; Tue, 10 Mar 2009 21:01:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.601
X-Spam-Level: *
X-Spam-Status: No, score=1.601 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_IS_IT_OUR_ACCOUNT=4.2]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YA2lJV4NQKfz for <oauth@core3.amsl.com>; Tue, 10 Mar 2009 21:01:39 -0700 (PDT)
Received: from mail-gx0-f167.google.com (mail-gx0-f167.google.com [209.85.217.167]) by core3.amsl.com (Postfix) with ESMTP id AD1553A681D for <oauth@ietf.org>; Tue, 10 Mar 2009 21:01:35 -0700 (PDT)
Received: by gxk11 with SMTP id 11so1698195gxk.13 for <oauth@ietf.org>; Tue, 10 Mar 2009 21:02:11 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:in-reply-to:references :date:message-id:subject:from:to:cc:content-type :content-transfer-encoding; bh=B1r9wIY+InapkEl8E0O2+RsUPbu3qA1U+6q7LjOaru4=; b=kQK+frkmLxOqkarNGrchW+uwWOlDUcDs8DRjFwypKdXyL/s1r6t00ru0v/dOLKCSuc nvZcW0EJ3U3BN+ihSQQq3QNC2lr8nmeNve2WMkmQWJy937BhHX8X3W+GPyd1u0Fgt86N McML/56IzXCPGI/GMZ8BUTy0F0xLEixYcosr8=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; b=aQ5lTmAnYle8aAybGVx6U4FgJufzD2I43cRKQ5nlNtpOjCvOHkq581tqqp9HyusZ0i pMFHKcC3M0UGJryOZSqbN60C0mJfUFFU0MZoV8dxBQHS2Pv6aNEp1+F360bKxaR2mOUI bf9EUPQ+/68UYfQ6WpRoZLUczTlkjmmHb9Zr0=
MIME-Version: 1.0
Received: by 10.151.42.6 with SMTP id u6mr13101492ybj.231.1236744130947; Tue, 10 Mar 2009 21:02:10 -0700 (PDT)
In-Reply-To: <49B68DE1.5090504@aol.com>
References: <90C41DD21FB7C64BB94121FBBC2E723425023C6EEC@P3PW5EX1MB01.EX1.SECURESERVER.NET> <49B63954.5080105@cs.tcd.ie> <49B68DE1.5090504@aol.com>
Date: Tue, 10 Mar 2009 22:02:10 -0600
Message-ID: <c5eeec030903102102hdbbe273n42923b48ab131d47@mail.gmail.com>
From: Onyx Raven <onyxraven@gmail.com>
To: George Fletcher <gffletch@aol.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [oauth] FW: I-D Action:draft-dehora-farrell-oauth-accesstoken-creds-01.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Oauth bof discussion <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 11 Mar 2009 04:01:41 -0000
I think I would rather see an exchange for a real access token as is in the spec. This way, the provider can easily change backends, and the consumer can cache the credentials without any directly-derived data. For consumers who for one reason or another just cannot do the web redirect dance, we at Photobucket have been doing a 'direct login' which exchanges username and hashed password for access token credentials, and it is only given for 'known' partners. We've been clear in our licensing of the method that user-agents nor consumers should cache the user inputs, but the access tokens instead. Mobile and device consumers are already using it. Its not basic/digest, its a specific REST POST, but its in the same spirit as the spec. IIRC, when I was first implementing OAuth SP a year ago, there were some example use cases where the Consumer/UserAgent could request the temporary token, and present it to the user to enter on a different channel. I am reminded that this is essentially the way Netflix device activation works. You get the activation key, and then on your PC, you login to your account on the provider and enter the key. That signs the request, and back on the device, it either waits for a button-press to attempt to proceed, or auto-checks the key to see if it's signed. The device can then complete the oauth access token procedure. This seems to be a convenient way of obtaining an access token, which is fully supported by the current OAuth Core spec if implemented properly. I know that's not the direct intention of the spec in the subject, but it is an alternative. Back to the spec in the subject - aside from the blow question about rfc2617 HTTP Basic (or even Digest), is the current oauth extension parameter format of using 'xoauth_' not used anymore? On Tue, Mar 10, 2009 at 9:57 AM, George Fletcher <gffletch@aol.com> wrote: > A few comments on this spec... > > Would a viable addition to this current specification be to allow the access > token to be constructed from the username and password? (e.g. access token > key == username, access token secret == password). > > This allows the password to not be sent in the clear over a > "mutally-authenticated transport layer". I realize that using the password > in this way requires the server to have a stored copy of the clear text > password, but it seems like allowing this mechanism could reduce the > requirement on the "mutally-authenticated transport layer". And may be > viable and preferred in some circumstances. > > Also, in OAuth each part of the flow has a defined endpoint. I didn't see > that defined in this spec. What about defining the extension to have a > specific endpoint 'client_auth' that can be discovered via XRDS? > > Thanks, > George > > Stephen Farrell wrote: >> >> Basic or Digest would, I think, represent the consumer >> authenticating as itself and could in fact be mixed with >> the consumer passing on the user's credentials in order >> to get an access token. (That was explicitly called out >> in -00 but removed here since we bumped the security >> level somewhat. Could add it back though.) >> >> So, at least for the aggregator use case, I think these >> are a) semantically different and b) might even be used >> at the same time and so shouldn't be mixed. >> >> I could imagine however an option for a user agent to >> use Basic or Digest in an exchange that'd result in >> acquisition of an access token. (Which is I guess what >> your blog post below is about.) But since that'd require >> a change to the browser to be generally useful we didn't >> go there. I'd have to think about whether that'd work >> for mobile use cases, but I suspect that the requirement >> for two round-trips'd work against it there. >> >> S. >> >> Eran Hammer-Lahav wrote: >> >>> >>> Here's a silly question, why not just use HTTP Basic or Digest auth to >>> accomplish the same thing? Ask for a token using the actual resource owner's >>> server credentials (username and password) and, well, get one. >>> >>> Am I missing something? >>> >>> More ideas in >>> http://www.hueniverse.com/hueniverse/2009/02/beyond-the-oauth-web-redirection-flow.html >>> >>> EHL >>> >>> -----Original Message----- >>> From: i-d-announce-bounces@ietf.org >>> [mailto:i-d-announce-bounces@ietf.org] On Behalf Of Internet-Drafts@ietf.org >>> Sent: Monday, March 09, 2009 12:00 PM >>> To: i-d-announce@ietf.org >>> Subject: I-D Action:draft-dehora-farrell-oauth-accesstoken-creds-01.txt >>> A New Internet-Draft is available from the on-line Internet-Drafts >>> directories. >>> >>> Title : OAuth Access Tokens using credentials >>> Author(s) : B. hOra, S. Farrell >>> Filename : draft-dehora-farrell-oauth-accesstoken-creds-01.txt >>> Pages : 13 >>> Date : 2009-03-09 >>> >>> OAuth Access Tokens using credentials is a technique for allowing user >>> agents to obtain an OAuth access token on behalf of a user without requiring >>> user intervention or HTTP redirection to a browser. >>> OAuth itself is documented in the OAuth Core 1.0 Specification.Editorial >>> Note >>> >>> To provide feedback on this Internet-Draft, email the authors. >>> >>> A URL for this Internet-Draft is: >>> >>> http://www.ietf.org/internet-drafts/draft-dehora-farrell-oauth-accesstoken-creds-01.txt >>> >>> Internet-Drafts are also available by anonymous FTP at: >>> ftp://ftp.ietf.org/internet-drafts/ >>> >>> Below is the data which will enable a MIME compliant mail reader >>> implementation to automatically retrieve the ASCII version of the >>> Internet-Draft. >>> >>> >>> ------------------------------------------------------------------------ >>> >>> _______________________________________________ >>> oauth mailing list >>> oauth@ietf.org >>> https://www.ietf.org/mailman/listinfo/oauth >>> >> >> _______________________________________________ >> oauth mailing list >> oauth@ietf.org >> https://www.ietf.org/mailman/listinfo/oauth >> >> > > _______________________________________________ > oauth mailing list > oauth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth >
- [oauth] FW: I-D Action:draft-dehora-farrell-oauth… Eran Hammer-Lahav
- Re: [oauth] FW: I-D Action:draft-dehora-farrell-o… Stephen Farrell
- Re: [oauth] FW: I-D Action:draft-dehora-farrell-o… George Fletcher
- Re: [oauth] FW: I-D Action:draft-dehora-farrell-o… Onyx Raven
- Re: [oauth] FW: I-D Action:draft-dehora-farrell-o… Justin Hart
- Re: [oauth] FW: I-D Action:draft-dehora-farrell-o… Eran Hammer-Lahav