Re: [OAUTH-WG] OAuth vs OAuth2 in Authorization header

Eran Hammer-Lahav <eran@hueniverse.com> Thu, 15 July 2010 18:40 UTC

From: Eran Hammer-Lahav <eran@hueniverse.com>
To: John Kemp <john@jkemp.net>
Date: Thu, 15 Jul 2010 11:39:15 -0700
Message-ID: <23375931-39B5-4267-925D-5AD5698AAF15@hueniverse.com>
References: <AANLkTim6az--AdwmEoew2pz3kEjhc_GyEaiyo_0UhSRr@mail.gmail.com> <F747E8F8-D022-46F7-BBCE-4219BF3B27B0@hueniverse.com> <02D7ABE3-5B51-43B6-B7A2-6CB9AA045AAA@jkemp.net>
In-Reply-To: <02D7ABE3-5B51-43B6-B7A2-6CB9AA045AAA@jkemp.net>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] OAuth vs OAuth2 in Authorization header

There is no such thing. Since there is no discovery for 1.0, all calls are hardcoded into the client today. There is no 'trying things out'. 

EHL



On Jul 15, 2010, at 14:33, "John Kemp" <john@jkemp.net> wrote:

> On Jul 15, 2010, at 9:07 AM, Eran Hammer-Lahav wrote:
> 
>> I would like people to raise their hand and explain how this will break actual 1.0 deployments. 
> 
> What happens if a 1.0 client receives a WWW-Authenticate header from a 2.0 protected resource with the 'OAuth' mechanism specified? Might it then attempt OAuth 1 with a 2.0 token service (and thus just fail without being able to know what went wrong)? 
> 
> - johnk
> 
>> 
>> EHL
>> 
>> 
>> 
>> On Jul 15, 2010, at 1:38, Brian Eaton <beaton@google.com> wrote:
>> 
>>> Draft 10 switched from "Token" scheme in the authorization header to
>>> "OAuth".  I'd rather we didn't reuse OAuth.  'OAuth2' would be great.
>>> "Token" is ugly as sin, but is better than "OAuth".
>>> 
>>> Spec section: http://tools.ietf.org/html/draft-ietf-oauth-v2-10#page-30
>>> 
>>> The problem with reusing "OAuth" is that there are existing
>>> implementations in the wild that have special behavior implemented for
>>> OAuth authorization headers.  Since OAuth2 headers don't have the same
>>> semantics, we're going to break those implementations.  We shouldn't
>>> reuse "OAuth" for the same reasons we shouldn't reuse "Negotiate",
>>> "NTLM", "Digest", or "Basic".
>>> 
>>> Cheers,
>>> Brian
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
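An added example, not code from the thread or from any OAuth implementation: a small Python classifier for a resource server that shows concretely why the scheme-name collision Brian and John describe is a problem. It assumes the OAuth 1.0 header form of RFC 5849 (comma-separated `oauth_*="..."` parameters) and the draft-10 form `Authorization: OAuth <token>`; the token and parameter values are constructed sample data.

```python
import re

# Constructed sample headers. Both use the scheme name "OAuth" but carry
# completely different semantics: a signed 1.0 request vs a bare 2.0 token.
OAUTH1_HEADER = (
    'OAuth realm="Photos", oauth_consumer_key="dpf43f3p2l4k3l03", '
    'oauth_token="nnch734d00sl2jdk", oauth_signature_method="HMAC-SHA1", '
    'oauth_timestamp="1191242096", oauth_nonce="kllo9940pd9333jh", '
    'oauth_version="1.0", oauth_signature="tR3%2BTy81lMeYAr%2FFid0kMTYa%2FWM%3D"'
)
OAUTH2_HEADER = "OAuth vF9dft4qmT"   # draft-10 style: scheme then bare token

# key="value" pairs as used by the 1.0 Authorization header
_PARAM_RE = re.compile(r'([A-Za-z0-9_]+)="([^"]*)"')

# Parameters a 1.0 signed request must carry before a signature check can run
_OAUTH1_REQUIRED = ("oauth_consumer_key", "oauth_signature_method",
                    "oauth_signature", "oauth_nonce", "oauth_timestamp")


def classify_oauth_header(value):
    """Return ('oauth1', params), ('oauth2', token) or ('unknown', None).

    A 2.0-aware server has to inspect the *shape* of the credential, because
    the scheme name alone no longer identifies the protocol version.
    """
    scheme, _, rest = value.strip().partition(" ")
    rest = rest.strip()
    if scheme.lower() != "oauth" or not rest:
        return ("unknown", None)
    params = dict(_PARAM_RE.findall(rest))
    if "oauth_signature" in params and "oauth_signature_method" in params:
        return ("oauth1", params)          # signed 1.0 request
    if "=" not in rest and "," not in rest:
        return ("oauth2", rest)            # bare draft-10 token
    return ("unknown", None)


def legacy_oauth1_params(value):
    """What a pre-2.0 server keyed on the 'OAuth' scheme does with the header:
    treat the rest as a 1.0 parameter list and report which required
    parameters are missing. A 2.0 header is indistinguishable from a
    malformed 1.0 request here, so the client only sees a generic failure.
    """
    params = dict(_PARAM_RE.findall(value.partition(" ")[2]))
    missing = [k for k in _OAUTH1_REQUIRED if k not in params]
    return params, missing
```

Running `legacy_oauth1_params(OAUTH2_HEADER)` reports every required 1.0 parameter as missing, which is the "fail without being able to know what went wrong" case from John's message.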