Re: [OAUTH-WG] Indicating sites where a token is valid
Torsten Lodderstedt <torsten@lodderstedt.net> Fri, 07 May 2010 06:08 UTC
Return-Path: <torsten@lodderstedt.net>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id E45853A69EF for <oauth@core3.amsl.com>; Thu, 6 May 2010 23:08:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.446
X-Spam-Level:
X-Spam-Status: No, score=-0.446 tagged_above=-999 required=5 tests=[AWL=-0.798, BAYES_50=0.001, HELO_EQ_DE=0.35, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jLY7rZIkb1Ir for <oauth@core3.amsl.com>; Thu, 6 May 2010 23:08:29 -0700 (PDT)
Received: from smtprelay01.ispgateway.de (smtprelay01.ispgateway.de [80.67.29.23]) by core3.amsl.com (Postfix) with ESMTP id 818113A6BC0 for <oauth@ietf.org>; Thu, 6 May 2010 23:06:42 -0700 (PDT)
Received: from [79.255.17.190] (helo=[192.168.71.22]) by smtprelay01.ispgateway.de with esmtpsa (TLSv1:AES128-SHA:128) (Exim 4.68) (envelope-from <torsten@lodderstedt.net>) id 1OAGhg-0003fj-Dl; Fri, 07 May 2010 08:06:28 +0200
References: <255B9BB34FB7D647A506DC292726F6E11263073D6D@WSMSG3153V.srv.dir.telstra.com> <q2hfd6741651005062105y46152452x370fac0dd12d55c6@mail.gmail.com> <255B9BB34FB7D647A506DC292726F6E112631B24FC@WSMSG3153V.srv.dir.telstra.com> <4BE3A5DC.5030601@lodderstedt.net>
Message-Id: <BC9EED4C-B667-4AC2-A663-CEAC0B7CB620@lodderstedt.net>
From: Torsten Lodderstedt <torsten@lodderstedt.net>
To: Torsten Lodderstedt <torsten@lodderstedt.net>
In-Reply-To: <4BE3A5DC.5030601@lodderstedt.net>
Content-Type: multipart/alternative; boundary="Apple-Mail-18-699908534"
Content-Transfer-Encoding: 7bit
X-Mailer: iPhone Mail (7E18)
Mime-Version: 1.0 (iPhone Mail 7E18)
Date: Fri, 07 May 2010 08:06:03 +0200
X-Df-Sender: 141509
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Indicating sites where a token is valid
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 07 May 2010 06:08:31 -0000
Additionally, I would propose to indicate the scope associated with a token to the client using a scope response parameter. This is especially useful (1) if the client did not pass a scope parameter but the server decided to associate a scope based on its policy or (2) if the user decided to authorize a subset of the requested scope only. Regards, Torsten. Am 07.05.2010 um 07:32 schrieb Torsten Lodderstedt <torsten@lodderstedt.net >: > what about an additional realm response value? > > If there is a binding between realm and token, the client can decide > based on the realm attribute discovered using a WWW-Authenticate > response which token to use. > > regards, > Torsten. > > Am 07.05.2010 07:06, schrieb Manger, James H: >> >> Every existing use of Cookies, HTTP Basic, and HTTP Digest relies >> on clients being told by the server about the sites at which the >> secret (cookie/password/token) can be used (and, more importantly, >> where is must not be used). This occurs without requiring service- >> specific knowledge in the client app. OAuth aims to replace some of >> these uses. >> >> HTTP Basic authentication works safely from clients with no service- >> specific knowledge because the client knows not to send the >> password it gets from the user to other sites. >> >> HTTP Digest authentication allows a password to used to across a >> set of domains specified in a WWW-Authenticate response header, but >> the password will not be used at arbitrary other sites. >> >> Cookies are sent in requests to the same site, sites with the same >> parent, or only https sites, depending on details from the service >> when setting the cookie. >> >> >> To date, OAuth has assumed every client app has lots of service- >> specific knowledge to make these choices. OAuth needs to remove the >> need for so much service-specific knowledge to be as interoperable >> as other standard auth mechanism, otherwise it is a poor replacement. >> >> -- >> James Manger >> >> From: David Recordon [mailto:recordond@gmail.com] >> Sent: Friday, 7 May 2010 2:05 PM >> To: Manger, James H >> Cc: OAuth WG >> Subject: Re: [OAUTH-WG] Indicating sites where a token is valid >> >> Hey James, >> Do you have a specific example in mind where this either has been >> an issue or will be an issue? Most client implementations I've seen >> of OAuth (and technologies like OAuth) have a strong binding >> between the access token(s), site they were issued by, and user >> they belong to. So I haven't heard of this being a problem in the >> wild... >> >> --David >> >> >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org >> https://www.ietf.org/mailman/listinfo/oauth >> > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth
- [OAUTH-WG] Indicating sites where a token is valid Manger, James H
- Re: [OAUTH-WG] Indicating sites where a token is … Marius Scurtescu
- Re: [OAUTH-WG] Indicating sites where a token is … Manger, James H
- Re: [OAUTH-WG] Indicating sites where a token is … David Recordon
- Re: [OAUTH-WG] Indicating sites where a token is … Manger, James H
- [OAUTH-WG] Redirects Manger, James H
- Re: [OAUTH-WG] Indicating sites where a token is … Torsten Lodderstedt
- Re: [OAUTH-WG] Redirects David Recordon
- Re: [OAUTH-WG] Redirects Luke Shepard
- Re: [OAUTH-WG] Redirects Torsten Lodderstedt
- Re: [OAUTH-WG] Indicating sites where a token is … Torsten Lodderstedt
- Re: [OAUTH-WG] Redirects Manger, James H
- Re: [OAUTH-WG] Redirects Manger, James H
- Re: [OAUTH-WG] Indicating sites where a token is … Manger, James H
- Re: [OAUTH-WG] Redirects David Recordon
- Re: [OAUTH-WG] Redirects Manger, James H
- Re: [OAUTH-WG] Redirects David Recordon
- Re: [OAUTH-WG] Redirects Manger, James H
- Re: [OAUTH-WG] Indicating sites where a token is … Manger, James H
- Re: [OAUTH-WG] Indicating sites where a token is … Torsten Lodderstedt
- Re: [OAUTH-WG] Indicating sites where a token is … Marius Scurtescu
- Re: [OAUTH-WG] Indicating sites where a token is … Marius Scurtescu
- Re: [OAUTH-WG] Indicating sites where a token is … David Recordon
- Re: [OAUTH-WG] Indicating sites where a token is … Manger, James H
- Re: [OAUTH-WG] SWT for indicating sites where a t… Manger, James H
- Re: [OAUTH-WG] Indicating sites where a token is … Manger, James H
- Re: [OAUTH-WG] Indicating sites where a token is … Eran Hammer-Lahav
- Re: [OAUTH-WG] Indicating sites where a token is … Eran Hammer-Lahav
- Re: [OAUTH-WG] Indicating sites where a token is … Richer, Justin P.
- Re: [OAUTH-WG] SWT for indicating sites where a t… Marius Scurtescu
- Re: [OAUTH-WG] Indicating sites where a token is … Evan Gilbert
- Re: [OAUTH-WG] SWT for indicating sites where a t… Manger, James H
- Re: [OAUTH-WG] SWT for indicating sites where a t… Marius Scurtescu
- Re: [OAUTH-WG] SWT for indicating sites where a t… Manger, James H
- Re: [OAUTH-WG] Indicating sites where a token is … David Recordon
- Re: [OAUTH-WG] Indicating sites where a token is … Manger, James H
- Re: [OAUTH-WG] Indicating sites where a token is … David Recordon
- Re: [OAUTH-WG] Indicating sites where a token is … Torsten Lodderstedt
- Re: [OAUTH-WG] SWT for indicating sites where a t… Marius Scurtescu
- Re: [OAUTH-WG] Indicating sites where a token is … Marius Scurtescu
- Re: [OAUTH-WG] SWT for indicating sites where a t… Manger, James H
- Re: [OAUTH-WG] Indicating sites where a token is … Evan Gilbert
- Re: [OAUTH-WG] Indicating sites where a token is … Manger, James H
- Re: [OAUTH-WG] Indicating sites where a token is … Evan Gilbert
- Re: [OAUTH-WG] Indicating sites where a token is … Manger, James H
- Re: [OAUTH-WG] Indicating sites where a token is … Evan Gilbert
- Re: [OAUTH-WG] Indicating sites where a token is … Eran Hammer-Lahav
- Re: [OAUTH-WG] Indicating sites where a token is … Evan Gilbert
- Re: [OAUTH-WG] Indicating sites where a token is … Eran Hammer-Lahav
- Re: [OAUTH-WG] Indicating sites where a token is … Manger, James H
- Re: [OAUTH-WG] Indicating sites where a token is … Evan Gilbert
- Re: [OAUTH-WG] Indicating sites where a token is … Brian Eaton
- Re: [OAUTH-WG] Indicating sites where a token is … Manger, James H
- Re: [OAUTH-WG] Indicating sites where a token is … Dick Hardt
- Re: [OAUTH-WG] Indicating sites where a token is … Eran Hammer-Lahav
- Re: [OAUTH-WG] Indicating sites where a token is … Dick Hardt
- Re: [OAUTH-WG] Indicating sites where a token is … Eran Hammer-Lahav