Re: [OAUTH-WG] Issue: Split the authorization endpoint into two endpoints
Luke Shepard <lshepard@facebook.com> Sat, 17 April 2010 14:34 UTC
Return-Path: <lshepard@facebook.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id A26CD3A6A1E for <oauth@core3.amsl.com>; Sat, 17 Apr 2010 07:34:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.05
X-Spam-Level:
X-Spam-Status: No, score=-3.05 tagged_above=-999 required=5 tests=[AWL=0.214, BAYES_00=-2.599, HTML_MESSAGE=0.001, IP_NOT_FRIENDLY=0.334, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dqE8R04TugzT for <oauth@core3.amsl.com>; Sat, 17 Apr 2010 07:34:00 -0700 (PDT)
Received: from mailout-sf2p.facebook.com (mailout-snc1.facebook.com [69.63.179.25]) by core3.amsl.com (Postfix) with ESMTP id B40093A6B1D for <oauth@ietf.org>; Sat, 17 Apr 2010 07:33:39 -0700 (PDT)
Received: from mail.thefacebook.com ([192.168.18.198]) by pp02.snc1.tfbnw.net (8.14.3/8.14.3) with ESMTP id o3HEWoaW002187 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NOT); Sat, 17 Apr 2010 07:32:53 -0700
Received: from sc-hub02.TheFacebook.com (192.168.18.105) by sc-hub03.TheFacebook.com (192.168.18.198) with Microsoft SMTP Server (TLS) id 14.0.689.0; Sat, 17 Apr 2010 07:32:11 -0700
Received: from SC-MBXC1.TheFacebook.com ([192.168.18.102]) by sc-hub02.TheFacebook.com ([192.168.18.105]) with mapi; Sat, 17 Apr 2010 07:32:11 -0700
From: Luke Shepard <lshepard@facebook.com>
To: "Manger, James H" <James.H.Manger@team.telstra.com>, Eran Hammer-Lahav <eran@hueniverse.com>, OAuth WG <oauth@ietf.org>
Date: Sat, 17 Apr 2010 07:32:05 -0700
Thread-Topic: [OAUTH-WG] Issue: Split the authorization endpoint into two endpoints
Thread-Index: AcrdCitsLp+WWglvQMKPMWBhihZtKQAezmZQABLw0xAAAiYJ4AAC9C3QABU3F+A=
Message-ID: <2513A610118CC14C8E622C376C8DEC93D54D66DDB9@SC-MBXC1.TheFacebook.com>
References: <255B9BB34FB7D647A506DC292726F6E11257592315@WSMSG3153V.srv.dir.telstra.com> <C7EE71B8.32459%eran@hueniverse.com> <255B9BB34FB7D647A506DC292726F6E11257592327@WSMSG3153V.srv.dir.telstra.com>
In-Reply-To: <255B9BB34FB7D647A506DC292726F6E11257592327@WSMSG3153V.srv.dir.telstra.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: multipart/alternative; boundary="_000_2513A610118CC14C8E622C376C8DEC93D54D66DDB9SCMBXC1TheFac_"
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=1.12.8161:2.4.5, 1.2.40, 4.0.166 definitions=2010-04-16_07:2010-02-06, 2010-04-16, 2010-04-16 signatures=0
Subject: Re: [OAUTH-WG] Issue: Split the authorization endpoint into two endpoints
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 17 Apr 2010 14:34:01 -0000
If, for your service, you want to use different means of authenticating clients, I see no reason why you can’t. Just ignore client_secret and do it your own way (it’s optional). From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of Manger, James H Sent: Friday, April 16, 2010 9:52 PM To: Eran Hammer-Lahav; OAuth WG Subject: Re: [OAUTH-WG] Issue: Split the authorization endpoint into two endpoints > This has nothing to do with it. There is no PUT and DELETE or POST with non-form body when *requesting a token*. It is relevant. I don’t want to authenticate direct client requests *only* when they *request a token*. Clients might make any variety of direct requests unrelated to OAuth. There might even be other OAuth-related requests from clients to an authorization server in future (eg get meta data, or delete a token; even refreshing a token might be better as a GET). I want to be able to use the same client auth mechanism, and same client credentials, for all these calls. Some of these calls might be PUTs, DELETEs, non-form POSTs, GETs etc. even if requesting (& refreshing) a token is always a form POST. Hence client_secret as a POST parameter when requesting a token is a poor design. It should be perfectly valid (and not uncommon I expect) for a service to support OAuth for user delegation, but not use OAuth for making all direct client calls token-based — these address quite different issues. Other services might use short-term refreshable tokens when clients (on their own behalf) access less trusted “content” service, but will use “normal” auth when clients talk to the trusted account/authorization system. -- James Manger From: Eran Hammer-Lahav [mailto:eran@hueniverse.com] Sent: Saturday, 17 April 2010 12:58 PM To: Manger, James H; Luke Shepard; John Kemp Cc: OAuth WG Subject: Re: [OAUTH-WG] Issue: Split the authorization endpoint into two endpoints This has nothing to do with it. There is no PUT and DELETE or POST with non-form body when *requesting a token*. We need to do a better job not to confuse accessing protected resources with the flow calls. They are completely different. EHL On 4/16/10 7:02 PM, "James Manger" <James.H.Manger@team.telstra.com> wrote: >> In either case, we should not restrict the access token URL to POST-only. >> A GET request is just as secure and can be much easier to write code for > If you are using GET, then refresh tokens and client secrets will end > up side by side in web server log files. These are exactly the sort of reasons why client authentication should be any "normal" auth scheme, and not an OAuth-special client_secret POST parameter. That fails for PUT, DELETE, and POST with a non-form body; and the security changes with GET. -- James Manger _______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
- [OAUTH-WG] Issue: Split the authorization endpoin… Eran Hammer-Lahav
- Re: [OAUTH-WG] Issue: Split the authorization end… David Recordon
- Re: [OAUTH-WG] Issue: Split the authorization end… Manger, James H
- Re: [OAUTH-WG] Issue: Split the authorization end… John Kemp
- Re: [OAUTH-WG] Issue: Split the authorization end… Justin Richer
- Re: [OAUTH-WG] Issue: Split the authorization end… Luke Shepard
- Re: [OAUTH-WG] Issue: Split the authorization end… Evan Gilbert
- Re: [OAUTH-WG] Issue: Split the authorization end… David Recordon
- Re: [OAUTH-WG] Issue: Split the authorization end… Eran Hammer-Lahav
- Re: [OAUTH-WG] Issue: Split the authorization end… Marius Scurtescu
- Re: [OAUTH-WG] Issue: Split the authorization end… Manger, James H
- Re: [OAUTH-WG] Issue: Split the authorization end… Eran Hammer-Lahav
- Re: [OAUTH-WG] Issue: Split the authorization end… Manger, James H
- Re: [OAUTH-WG] Issue: Split the authorization end… Torsten Lodderstedt
- Re: [OAUTH-WG] Issue: Split the authorization end… Torsten Lodderstedt
- Re: [OAUTH-WG] Issue: Split the authorization end… Eran Hammer-Lahav
- Re: [OAUTH-WG] Issue: Split the authorization end… Manger, James H
- Re: [OAUTH-WG] Issue: Split the authorization end… Torsten Lodderstedt
- Re: [OAUTH-WG] Issue: Split the authorization end… Luke Shepard
- Re: [OAUTH-WG] Issue: Split the authorization end… Torsten Lodderstedt