Re: [OAUTH-WG] consistency of token param name in bearer token type
Bill <bill@dehora.net> Wed, 15 June 2011 08:46 UTC
Return-Path: <bill@dehora.net>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D944611E807A for <oauth@ietfa.amsl.com>; Wed, 15 Jun 2011 01:46:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.046
X-Spam-Level:
X-Spam-Status: No, score=-2.046 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HELO_MISMATCH_COM=0.553]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UgfP4OKfknk1 for <oauth@ietfa.amsl.com>; Wed, 15 Jun 2011 01:46:11 -0700 (PDT)
Received: from chilco.textdrive.com (mail.indigozen.co.uk [207.7.108.242]) by ietfa.amsl.com (Postfix) with ESMTP id ECD3C11E8074 for <oauth@ietf.org>; Wed, 15 Jun 2011 01:46:10 -0700 (PDT)
Received: from [192.168.3.18] (87-198-172-217.static.ptr.magnet.ie [87.198.172.217]) by chilco.textdrive.com (Postfix) with ESMTP id 4F20EE0329; Wed, 15 Jun 2011 08:46:09 +0000 (UTC)
Message-ID: <4DF8714D.7090601@dehora.net>
Date: Wed, 15 Jun 2011 09:46:05 +0100
From: Bill <bill@dehora.net>
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.17) Gecko/20110424 Thunderbird/3.1.10
MIME-Version: 1.0
To: David Recordon <recordond@gmail.com>
References: <BANLkTim1VRggQ8W-7WHVcXboOaPr-RcN_A@mail.gmail.com> <4E1F6AAD24975D4BA5B1680429673943380F6A46@TK5EX14MBXC203.redmond.corp.microsoft.com> <BANLkTimQkzW7r-GV7cu67W4Doo7q9JZLnw@mail.gmail.com> <4DE541B5.6080605@aol.com> <BANLkTikMp-=EO9jwdyGFm8=COr_MsSEjbw@mail.gmail.com> <4E1F6AAD24975D4BA5B16804296739433810E906@TK5EX14MBXC203.redmond.corp.microsoft.com> <BANLkTim9Rr3eCM=aLoub+NfPX4QQ6=F3vw@mail.gmail.com> <BANLkTikmLCe5Ztsu3qrw_TasmyN5Gya47Q@mail.gmail.com> <4DF206E7.3040401@aol.com> <90662920-6576-4DA7-B6B6-80C83FDB1E15@jkemp.net> <4DF21800.9090302@aol.com> <133A769C-7B4F-4C36-BDCC-E1D4CAB8D256@jkemp.net> <BANLkTinjOkG+G56sN0qdOvRr6v5NboK=hA@mail.gmail.com> <4DF77A50.8080403@dehora.net> <BANLkTi=J_a=Z9HPA=_JKWHSgg09Ky7OyxQ@mail.gmail.com>
In-Reply-To: <BANLkTi=J_a=Z9HPA=_JKWHSgg09Ky7OyxQ@mail.gmail.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] consistency of token param name in bearer token type
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 15 Jun 2011 08:46:12 -0000
On 15/06/11 02:30, David Recordon wrote: > Bearer token doesn't exist within the core spec around getting an > access token. The term that is used is "access token". Right, I get that Bearer is defined in another draft document (which the core spec references and probably should not btw, that's confusing as well) >> "access_token":"vF9dft4qmT", >> "token_type":"Bearer" I was referring to bearer token wrt token_type. The above is how I understand one will be supplied. Bill > > > On Tue, Jun 14, 2011 at 8:12 AM, Bill<bill@dehora.net> wrote: >> On 10/06/11 17:45, David Recordon wrote: >>> >>> I think it's vital to have the GET and POST parameters make sense to >>> every developer. I worry less about the authorization header since a >>> developer implementing it will honestly be a stronger engineer. >> >> I agree with David regardless of engineering strength, this is going to be >> confusing to developers. Also tho', devs are exposed to the access token >> response, not just the GET/POST bits. So ideally syntax would line up with >> how the token is obtained >> http://tools.ietf.org/html/draft-ietf-oauth-v2-16#section-5.1 and not just >> across requests using the token. >> >> A possible clarifying change is to use something like "bearer_token" end to >> end. >> >> [[[ >> { >> "access_token":"vF9dft4qmT", >> "token_type":"bearer_token", /* ? */ >> ... >> } >> >> >> GET /resource HTTP/1.1 >> Host: server.example.com >> Authorization: bearer_token vF9dft4qmT >> >> >> GET /resource?bearer_token=vF9dft4qmT&... >> Host: server.example.com >> >> >> POST /resource >> Host: server.example.com >> Content-Type: application/x-www-form-urlencoded >> >> &bearer_token=vF9dft4qmT&... >> >> >> HTTP/1.1 401 Unauthorized >> WWW-Authenticate: bearer_token realm="example" >> ]]] >> >> >> Bill >> >> >>> Here's what I said earlier in the thread about my motivation: >>>> >>>> Did a full read through of draft 16 and the bear token spec with Paul >>>> yesterday afternoon in order to do a manual diff from draft 10. The >>>> point Doug raised was actually confusing. Throughout the core spec >>>> it's referred to as access_token but then becomes bearer_token upon >>>> use. >>>> >>>> Just thinking through this from a developer documentation perspective, >>>> it's going to become confusing. Developer documentation focuses on >>>> getting an access token and then using that access token to interact >>>> with an API. Thus the code you're writing as a client developer will >>>> use variables, cache keys, and database columns named `access_token`. >>>> But then when you're going to use it, you'll need to put this access >>>> token into a field named bearer_token. >>>> >>>> Feels quite a bit simpler to just name it access_token. Realize the >>>> core spec never did this since we didn't want to trample on protected >>>> resources which might already have a different type of access_token >>>> parameter. oauth_token was a good compromise since developers would >>>> already know that they were using OAuth and thus a new term wasn't >>>> being introduced. That's no longer true with bearer_token since 99% of >>>> developers will have never heard of a bearer token. >>>> >>>> Googling for "bearer token" turns up Eran's blog post titled "OAuth >>>> Bearer Tokens are a Terrible Idea" and there isn't a single result on >>>> the first page which explains what they are. Binging for "bearer >>>> token" is equally scary. >>> >>> --David >>> >>> >>> On Fri, Jun 10, 2011 at 9:34 AM, John Kemp<john@jkemp.net> wrote: >>>> >>>> George, >>>> >>>> On Jun 10, 2011, at 4:11 PM, George Fletcher wrote: >>>> >>>>> I definitely don't want to change the Authorization header naming >>>>> scheme. I believe it should stay 'Bearer' because that's what the token is. >>>>> We could make it... >>>>> >>>>> Authorization: Bearer access_token=vF9dft4qmT >>>>> >>>>> If that helps with consistency. >>>> >>>> Well, it might seem more consistent, but I'm not sure it's worthwhile to >>>> make the change just for that reason. >>>> >>>> Is it possible that the Bearer HTTP mechanism would ever take multiple >>>> parameters? In which case, having the ability to name the parameters of the >>>> Bearer mechanism might become more interesting. >>>> >>>> - John >>>> >>>>> I don't think we should be associating the term 'access_token' with the >>>>> bearer security mechanism. >>>>> >>>>> Thanks, >>>>> George >>>>> >>>>> On 6/10/11 8:35 AM, John Kemp wrote: >>>>>> >>>>>> What does this mean for the HTTP Authorization header naming scheme for >>>>>> bearer tokens? >>>>>> >>>>>> As I understand this decision, we are discussing whether to standardize >>>>>> on the name "access_token" when a bearer token is sent as either a URL query >>>>>> parameter, or in a form POSTed body? >>>>>> >>>>>> Currently the HTTP Authorization header looks like this (from >>>>>> http://tools.ietf.org/html/draft-ietf-oauth-v2-bearer-05 >>>>>> ): >>>>>> >>>>>> GET /resource HTTP/1.1 >>>>>> Host: server.example.com >>>>>> Authorization: Bearer vF9dft4qmT >>>>>> >>>>>> Is the proposal then that we have: >>>>>> >>>>>> 1. GET /resource?access_token=vF9dft4qmT >>>>>> 2. POST /resource >>>>>> >>>>>> access_token=vF9dft4qmT&... >>>>>> >>>>>> 3. >>>>>> >>>>>> GET /resource HTTP/1.1 >>>>>> Host: server.example.com >>>>>> Authorization: access_token vF9dft4qmT >>>>>> >>>>>> Can someone actually give the details of the proposal, or >>>>>> agree/disagree with the examples above? >>>>>> >>>>>> - John >>>>>> >>>>>> On Jun 10, 2011, at 2:58 PM, George Fletcher wrote: >>>>>> >>>>>> >>>>>>> Yes, that's fine with me. >>>>>>> >>>>>>> Thanks, >>>>>>> George >>>>>>> >>>>>>> On 6/10/11 4:20 AM, David Recordon wrote: >>>>>>> >>>>>>>> George, Doug and Eran are you alright with the Bearer token spec >>>>>>>> using >>>>>>>> the parameter name "access_token" as well? >>>>>>>> >>>>>>>> >>>>>>>> On Wed, Jun 8, 2011 at 4:50 PM, Marius Scurtescu >>>>>>>> >>>>>>>> <mscurtescu@google.com> >>>>>>>> >>>>>>>> wrote: >>>>>>>> >>>>>>>> >>>>>>>>> On Wed, Jun 1, 2011 at 1:14 PM, Mike >>>>>>>>> Jones<Michael.Jones@microsoft.com> >>>>>>>>> >>>>>>>>> wrote: >>>>>>>>> >>>>>>>>> >>>>>>>>>> If you can drive a consensus decision for the name "access_token", >>>>>>>>>> I'd be glad to change the name in the spec. I agree that the current names >>>>>>>>>> are confusing for developers. >>>>>>>>>> >>>>>>>>>> >>>>>>>>> At Google we are getting the same feedback, that it is confusing for >>>>>>>>> developers. It would definitely help if we could change the name to >>>>>>>>> "access_token". >>>>>>>>> >>>>>>>>> Marius >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>> _______________________________________________ >>>>>>> OAuth mailing list >>>>>>> >>>>>>> OAuth@ietf.org >>>>>>> https://www.ietf.org/mailman/listinfo/oauth >>>>> >>>> >>>> >>> _______________________________________________ >>> OAuth mailing list >>> OAuth@ietf.org >>> https://www.ietf.org/mailman/listinfo/oauth >>> >> >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org >> https://www.ietf.org/mailman/listinfo/oauth >> >
- [OAUTH-WG] consistency of token param name in bea… Doug Tangren
- Re: [OAUTH-WG] consistency of token param name in… Eran Hammer-Lahav
- Re: [OAUTH-WG] consistency of token param name in… Mike Jones
- Re: [OAUTH-WG] consistency of token param name in… David Recordon
- Re: [OAUTH-WG] consistency of token param name in… Doug Tangren
- Re: [OAUTH-WG] consistency of token param name in… David Recordon
- Re: [OAUTH-WG] consistency of token param name in… William J. Mills
- Re: [OAUTH-WG] consistency of token param name in… George Fletcher
- Re: [OAUTH-WG] consistency of token param name in… David Recordon
- Re: [OAUTH-WG] consistency of token param name in… Mike Jones
- Re: [OAUTH-WG] consistency of token param name in… Justin Richer
- Re: [OAUTH-WG] consistency of token param name in… Doug Tangren
- Re: [OAUTH-WG] consistency of token param name in… Marius Scurtescu
- Re: [OAUTH-WG] consistency of token param name in… David Recordon
- Re: [OAUTH-WG] consistency of token param name in… George Fletcher
- Re: [OAUTH-WG] consistency of token param name in… John Kemp
- Re: [OAUTH-WG] consistency of token param name in… George Fletcher
- Re: [OAUTH-WG] consistency of token param name in… George Fletcher
- Re: [OAUTH-WG] consistency of token param name in… John Kemp
- Re: [OAUTH-WG] consistency of token param name in… Eran Hammer-Lahav
- Re: [OAUTH-WG] consistency of token param name in… David Recordon
- Re: [OAUTH-WG] consistency of token param name in… Marius Scurtescu
- Re: [OAUTH-WG] consistency of token param name in… Eran Hammer-Lahav
- Re: [OAUTH-WG] consistency of token param name in… Stephen Farrell
- Re: [OAUTH-WG] consistency of token param name in… Eran Hammer-Lahav
- Re: [OAUTH-WG] consistency of token param name in… Bill
- Re: [OAUTH-WG] consistency of token param name in… David Recordon
- Re: [OAUTH-WG] consistency of token param name in… Bill
- Re: [OAUTH-WG] consistency of token param name in… Eran Hammer-Lahav
- Re: [OAUTH-WG] consistency of token param name in… John Bradley
- Re: [OAUTH-WG] consistency of token param name in… William J. Mills
- Re: [OAUTH-WG] consistency of token param name in… Lodderstedt, Torsten
- Re: [OAUTH-WG] consistency of token param name in… KIHARA, Boku
- Re: [OAUTH-WG] consistency of token param name in… Doug Tangren
- Re: [OAUTH-WG] consistency of token param name in… Justin Richer
- Re: [OAUTH-WG] consistency of token param name in… Eran Hammer-Lahav
- Re: [OAUTH-WG] consistency of token param name in… Eran Hammer-Lahav
- Re: [OAUTH-WG] consistency of token param name in… Torsten Lodderstedt
- Re: [OAUTH-WG] consistency of token param name in… Manger, James H