IETF Logo Mail Archive

Re: [OAUTH-WG] consistency of token param name in bearer token type

Bill <bill@dehora.net> Wed, 15 June 2011 08:46 UTC

Return-Path: <bill@dehora.net>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D944611E807A for <oauth@ietfa.amsl.com>; Wed, 15 Jun 2011 01:46:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.046
X-Spam-Level:
X-Spam-Status: No, score=-2.046 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HELO_MISMATCH_COM=0.553]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UgfP4OKfknk1 for <oauth@ietfa.amsl.com>; Wed, 15 Jun 2011 01:46:11 -0700 (PDT)
Received: from chilco.textdrive.com (mail.indigozen.co.uk [207.7.108.242]) by ietfa.amsl.com (Postfix) with ESMTP id ECD3C11E8074 for <oauth@ietf.org>; Wed, 15 Jun 2011 01:46:10 -0700 (PDT)
Received: from [192.168.3.18] (87-198-172-217.static.ptr.magnet.ie [87.198.172.217]) by chilco.textdrive.com (Postfix) with ESMTP id 4F20EE0329; Wed, 15 Jun 2011 08:46:09 +0000 (UTC)
Message-ID: <4DF8714D.7090601@dehora.net>
Date: Wed, 15 Jun 2011 09:46:05 +0100
From: Bill <bill@dehora.net>
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.17) Gecko/20110424 Thunderbird/3.1.10
MIME-Version: 1.0
To: David Recordon <recordond@gmail.com>
References: <BANLkTim1VRggQ8W-7WHVcXboOaPr-RcN_A@mail.gmail.com> <4E1F6AAD24975D4BA5B1680429673943380F6A46@TK5EX14MBXC203.redmond.corp.microsoft.com> <BANLkTimQkzW7r-GV7cu67W4Doo7q9JZLnw@mail.gmail.com> <4DE541B5.6080605@aol.com> <BANLkTikMp-=EO9jwdyGFm8=COr_MsSEjbw@mail.gmail.com> <4E1F6AAD24975D4BA5B16804296739433810E906@TK5EX14MBXC203.redmond.corp.microsoft.com> <BANLkTim9Rr3eCM=aLoub+NfPX4QQ6=F3vw@mail.gmail.com> <BANLkTikmLCe5Ztsu3qrw_TasmyN5Gya47Q@mail.gmail.com> <4DF206E7.3040401@aol.com> <90662920-6576-4DA7-B6B6-80C83FDB1E15@jkemp.net> <4DF21800.9090302@aol.com> <133A769C-7B4F-4C36-BDCC-E1D4CAB8D256@jkemp.net> <BANLkTinjOkG+G56sN0qdOvRr6v5NboK=hA@mail.gmail.com> <4DF77A50.8080403@dehora.net> <BANLkTi=J_a=Z9HPA=_JKWHSgg09Ky7OyxQ@mail.gmail.com>
In-Reply-To: <BANLkTi=J_a=Z9HPA=_JKWHSgg09Ky7OyxQ@mail.gmail.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] consistency of token param name in bearer token type
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 15 Jun 2011 08:46:12 -0000

On 15/06/11 02:30, David Recordon wrote:
> Bearer token doesn't exist within the core spec around getting an
> access token. The term that is used is "access token".

Right, I get that Bearer is defined in another draft document (which the 
core spec references and probably should not btw, that's confusing as well)

 >> "access_token":"vF9dft4qmT",
 >> "token_type":"Bearer"

I was referring to bearer token wrt token_type. The above is how I 
understand one will be supplied.

Bill

>
>
> On Tue, Jun 14, 2011 at 8:12 AM, Bill<bill@dehora.net>  wrote:
>> On 10/06/11 17:45, David Recordon wrote:
>>>
>>> I think it's vital to have the GET and POST parameters make sense to
>>> every developer. I worry less about the authorization header since a
>>> developer implementing it will honestly be a stronger engineer.
>>
>> I agree with David regardless of engineering strength, this is going to be
>> confusing to developers. Also tho', devs are exposed to the access token
>> response, not just the GET/POST bits. So ideally syntax would line up with
>> how the token is obtained
>> http://tools.ietf.org/html/draft-ietf-oauth-v2-16#section-5.1 and not just
>> across requests using the token.
>>
>> A possible clarifying change is to use something like "bearer_token" end to
>> end.
>>
>> [[[
>> {
>>        "access_token":"vF9dft4qmT",
>>        "token_type":"bearer_token", /* ? */
>> ...
>> }
>>
>>
>> GET /resource HTTP/1.1
>> Host: server.example.com
>> Authorization: bearer_token vF9dft4qmT
>>
>>
>> GET /resource?bearer_token=vF9dft4qmT&...
>> Host: server.example.com
>>
>>
>> POST /resource
>> Host: server.example.com
>> Content-Type: application/x-www-form-urlencoded
>>
>> &bearer_token=vF9dft4qmT&...
>>
>>
>> HTTP/1.1 401 Unauthorized
>> WWW-Authenticate: bearer_token realm="example"
>> ]]]
>>
>>
>> Bill
>>
>>
>>> Here's what I said earlier in the thread about my motivation:
>>>>
>>>> Did a full read through of draft 16 and the bear token spec with Paul
>>>> yesterday afternoon in order to do a manual diff from draft 10. The
>>>> point Doug raised was actually confusing. Throughout the core spec
>>>> it's referred to as access_token but then becomes bearer_token upon
>>>> use.
>>>>
>>>> Just thinking through this from a developer documentation perspective,
>>>> it's going to become confusing. Developer documentation focuses on
>>>> getting an access token and then using that access token to interact
>>>> with an API. Thus the code you're writing as a client developer will
>>>> use variables, cache keys, and database columns named `access_token`.
>>>> But then when you're going to use it, you'll need to put this access
>>>> token into a field named bearer_token.
>>>>
>>>> Feels quite a bit simpler to just name it access_token. Realize the
>>>> core spec never did this since we didn't want to trample on protected
>>>> resources which might already have a different type of access_token
>>>> parameter. oauth_token was a good compromise since developers would
>>>> already know that they were using OAuth and thus a new term wasn't
>>>> being introduced. That's no longer true with bearer_token since 99% of
>>>> developers will have never heard of a bearer token.
>>>>
>>>> Googling for "bearer token" turns up Eran's blog post titled "OAuth
>>>> Bearer Tokens are a Terrible Idea" and there isn't a single result on
>>>> the first page which explains what they are. Binging for "bearer
>>>> token" is equally scary.
>>>
>>> --David
>>>
>>>
>>> On Fri, Jun 10, 2011 at 9:34 AM, John Kemp<john@jkemp.net>    wrote:
>>>>
>>>> George,
>>>>
>>>> On Jun 10, 2011, at 4:11 PM, George Fletcher wrote:
>>>>
>>>>> I definitely don't want to change the Authorization header naming
>>>>> scheme. I believe it should stay 'Bearer' because that's what the token is.
>>>>> We could make it...
>>>>>
>>>>> Authorization: Bearer access_token=vF9dft4qmT
>>>>>
>>>>> If that helps with consistency.
>>>>
>>>> Well, it might seem more consistent, but I'm not sure it's worthwhile to
>>>> make the change just for that reason.
>>>>
>>>> Is it possible that the Bearer HTTP mechanism would ever take multiple
>>>> parameters? In which case, having the ability to name the parameters of the
>>>> Bearer mechanism might become more interesting.
>>>>
>>>> - John
>>>>
>>>>> I don't think we should be associating the term 'access_token' with the
>>>>> bearer security mechanism.
>>>>>
>>>>> Thanks,
>>>>> George
>>>>>
>>>>> On 6/10/11 8:35 AM, John Kemp wrote:
>>>>>>
>>>>>> What does this mean for the HTTP Authorization header naming scheme for
>>>>>> bearer tokens?
>>>>>>
>>>>>> As I understand this decision, we are discussing whether to standardize
>>>>>> on the name "access_token" when a bearer token is sent as either a URL query
>>>>>> parameter, or in a form POSTed body?
>>>>>>
>>>>>> Currently the HTTP Authorization header looks like this (from
>>>>>> http://tools.ietf.org/html/draft-ietf-oauth-v2-bearer-05
>>>>>> ):
>>>>>>
>>>>>> GET /resource HTTP/1.1
>>>>>> Host: server.example.com
>>>>>> Authorization: Bearer vF9dft4qmT
>>>>>>
>>>>>> Is the proposal then that we have:
>>>>>>
>>>>>> 1. GET /resource?access_token=vF9dft4qmT
>>>>>> 2. POST /resource
>>>>>>
>>>>>> access_token=vF9dft4qmT&...
>>>>>>
>>>>>> 3.
>>>>>>
>>>>>> GET /resource HTTP/1.1
>>>>>> Host: server.example.com
>>>>>> Authorization: access_token vF9dft4qmT
>>>>>>
>>>>>> Can someone actually give the details of the proposal, or
>>>>>> agree/disagree with the examples above?
>>>>>>
>>>>>> - John
>>>>>>
>>>>>> On Jun 10, 2011, at 2:58 PM, George Fletcher wrote:
>>>>>>
>>>>>>
>>>>>>> Yes, that's fine with me.
>>>>>>>
>>>>>>> Thanks,
>>>>>>> George
>>>>>>>
>>>>>>> On 6/10/11 4:20 AM, David Recordon wrote:
>>>>>>>
>>>>>>>> George, Doug and Eran are you alright with the Bearer token spec
>>>>>>>> using
>>>>>>>> the parameter name "access_token" as well?
>>>>>>>>
>>>>>>>>
>>>>>>>> On Wed, Jun 8, 2011 at 4:50 PM, Marius Scurtescu
>>>>>>>>
>>>>>>>> <mscurtescu@google.com>
>>>>>>>>
>>>>>>>> wrote:
>>>>>>>>
>>>>>>>>
>>>>>>>>> On Wed, Jun 1, 2011 at 1:14 PM, Mike
>>>>>>>>> Jones<Michael.Jones@microsoft.com>
>>>>>>>>>
>>>>>>>>> wrote:
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>> If you can drive a consensus decision for the name "access_token",
>>>>>>>>>> I'd be glad to change the name in the spec.  I agree that the current names
>>>>>>>>>> are confusing for developers.
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>> At Google we are getting the same feedback, that it is confusing for
>>>>>>>>> developers. It would definitely help if we could change the name to
>>>>>>>>> "access_token".
>>>>>>>>>
>>>>>>>>> Marius
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> OAuth mailing list
>>>>>>>
>>>>>>> OAuth@ietf.org
>>>>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>>>
>>>>
>>>>
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>>>
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>>
>

v2.23.0 | Report a Bug | By Email