Re: [OAUTH-WG] First draft of OAuth 2.0
Torsten Lodderstedt <torsten@lodderstedt.net> Tue, 23 March 2010 18:15 UTC
Return-Path: <torsten@lodderstedt.net>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 0698B3A6A2B for <oauth@core3.amsl.com>; Tue, 23 Mar 2010 11:15:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.481
X-Spam-Level: *
X-Spam-Status: No, score=1.481 tagged_above=-999 required=5 tests=[BAYES_50=0.001, DNS_FROM_OPENWHOIS=1.13, HELO_EQ_DE=0.35]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BukX7qsbH8ZN for <oauth@core3.amsl.com>; Tue, 23 Mar 2010 11:14:59 -0700 (PDT)
Received: from smtprelay01.ispgateway.de (smtprelay01.ispgateway.de [80.67.31.35]) by core3.amsl.com (Postfix) with ESMTP id 0C8923A6CB8 for <oauth@ietf.org>; Tue, 23 Mar 2010 11:14:08 -0700 (PDT)
Received: from p4fff3291.dip.t-dialin.net ([79.255.50.145] helo=[127.0.0.1]) by smtprelay01.ispgateway.de with esmtpa (Exim 4.68) (envelope-from <torsten@lodderstedt.net>) id 1Nu8cO-00058Z-La; Tue, 23 Mar 2010 19:14:20 +0100
Message-ID: <4BA904F6.7000208@lodderstedt.net>
Date: Tue, 23 Mar 2010 19:14:14 +0100
From: Torsten Lodderstedt <torsten@lodderstedt.net>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; de; rv:1.9.1.8) Gecko/20100227 Thunderbird/3.0.3
MIME-Version: 1.0
To: David Recordon <davidrecordon@facebook.com>
References: <526C3C44-18CF-4A94-A4C6-72702F73AC83@facebook.com>
In-Reply-To: <526C3C44-18CF-4A94-A4C6-72702F73AC83@facebook.com>
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Transfer-Encoding: 8bit
X-Df-Sender: 141509
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] First draft of OAuth 2.0
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 23 Mar 2010 18:15:01 -0000
Hi David, I have a couple of questions/comments: §2 - The flows use shared secrets for client authentication only. What about adding support for public-key-based signatures for that purpose as an alternative? That's one of the use cases on http://trac.tools.ietf.org/wg/oauth/trac/wiki/SignaturesWhy §2.4 - Looks like a POST-Request in combination with a password-based user authentication. What about using a standard BASIC Authorization Header instead of oauth_username and oauth_password? In that way, existing code for BASIC-Authentication can easily be ported to OAUTH. §3 - Why is the parameter oauth_client_secret required for refreshing access tokens? Use cases 2.2 and 2.3 do not require the client to use (possess) a secret. Does this imply such client are not entitled to refresh tokens? I would suggest to simply remove this parameter. - Why is the refresh method the only way to obtain token secrets? This forces every client needing a token secret to perform two calls (and get a useless access token in the first call). I would suggest to add the parameter oauth_want_secret to all flows in §2. - "If an access token secret is included in the response, the protected resource MUST NOT allow the use of the corresponding access token without its secret .... " Why is that neccessary? - response value oauth_signature_methods: Why is it the obligation of an autorization server to know the signature methods a protected resource supports? IMHO this is a question of the protocol between client and protected resource and the client should pass in to the request the desired signature method. In that way the authorization server is able to create adequate secret. §4.1 Why do you want to enforce such a strong coupling between bearer tokens and TLS per spec? I would recommend to split protocol definition and security considerations as in RFC2617. There, BASIC authentication is defined without any references to transport security mechanisms and the relevant considerations/recommandations are discussed in the security consideration section. IMHO this would simplify the specification because bearer token requests and requests w/ access tokens + signature would just be variant of the same protocol definition. §4.2.2 The WWW-Authenticate header does not give the client any hint what signature methods to use. How shall the client that information obtain? regards, Torsten.
- Re: [OAUTH-WG] OAuth 2.0: client_secret, state Richard Barnes
- Re: [OAUTH-WG] First draft of OAuth 2.0 Chuck Mortimore
- [OAUTH-WG] First draft of OAuth 2.0 David Recordon
- Re: [OAUTH-WG] First draft of OAuth 2.0 Eve Maler
- Re: [OAUTH-WG] First draft of OAuth 2.0 John Panzer
- Re: [OAUTH-WG] First draft of OAuth 2.0 David Recordon
- Re: [OAUTH-WG] First draft of OAuth 2.0 David Recordon
- Re: [OAUTH-WG] First draft of OAuth 2.0 Eve Maler
- Re: [OAUTH-WG] First draft of OAuth 2.0 Eve Maler
- Re: [OAUTH-WG] First draft of OAuth 2.0 David Recordon
- [OAUTH-WG] OAuth 2.0: client_secret, state Manger, James H
- Re: [OAUTH-WG] First draft of OAuth 2.0 Manger, James H
- Re: [OAUTH-WG] OAuth 2.0: client_secret, state Luke Shepard
- Re: [OAUTH-WG] OAuth 2.0: client_secret, state David Recordon
- Re: [OAUTH-WG] OAuth 2.0: client_secret, state Manger, James H
- Re: [OAUTH-WG] OAuth 2.0: client_secret, state Allen Tom
- Re: [OAUTH-WG] OAuth 2.0: client_secret, state David Recordon
- Re: [OAUTH-WG] OAuth 2.0: client_secret, state Richard Barnes
- Re: [OAUTH-WG] First draft of OAuth 2.0 Chuck Mortimore
- Re: [OAUTH-WG] First draft of OAuth 2.0 Mark Mcgloin
- Re: [OAUTH-WG] First draft of OAuth 2.0 Torsten Lodderstedt
- Re: [OAUTH-WG] First draft of OAuth 2.0 John Panzer
- Re: [OAUTH-WG] First draft of OAuth 2.0 David Recordon
- Re: [OAUTH-WG] First draft of OAuth 2.0 David Recordon
- Re: [OAUTH-WG] First draft of OAuth 2.0 David Recordon
- Re: [OAUTH-WG] First draft of OAuth 2.0 Torsten Lodderstedt
- Re: [OAUTH-WG] First draft of OAuth 2.0 Paul Madsen
- Re: [OAUTH-WG] First draft of OAuth 2.0 Torsten Lodderstedt
- Re: [OAUTH-WG] OAuth 2.0: client_secret, state Allen Tom
- Re: [OAUTH-WG] First draft of OAuth 2.0 Dick Hardt
- Re: [OAUTH-WG] First draft of OAuth 2.0 David Recordon
- Re: [OAUTH-WG] First draft of OAuth 2.0 Chuck Mortimore
- Re: [OAUTH-WG] First draft of OAuth 2.0 David Recordon
- Re: [OAUTH-WG] First draft of OAuth 2.0 David Recordon
- Re: [OAUTH-WG] First draft of OAuth 2.0 Brian Eaton
- Re: [OAUTH-WG] First draft of OAuth 2.0 David Recordon
- Re: [OAUTH-WG] First draft of OAuth 2.0 David Recordon
- Re: [OAUTH-WG] First draft of OAuth 2.0 Dick Hardt
- Re: [OAUTH-WG] First draft of OAuth 2.0 Dick Hardt
- Re: [OAUTH-WG] First draft of OAuth 2.0 Dick Hardt
- Re: [OAUTH-WG] First draft of OAuth 2.0 Anthony Nadalin
- Re: [OAUTH-WG] First draft of OAuth 2.0 Dick Hardt
- Re: [OAUTH-WG] First draft of OAuth 2.0 Dick Hardt
- Re: [OAUTH-WG] First draft of OAuth 2.0 Torsten Lodderstedt
- Re: [OAUTH-WG] First draft of OAuth 2.0 Chuck Mortimore
- Re: [OAUTH-WG] First draft of OAuth 2.0 Anthony Nadalin
- Re: [OAUTH-WG] First draft of OAuth 2.0 Hans Granqvist
- Re: [OAUTH-WG] First draft of OAuth 2.0 Eve Maler
- Re: [OAUTH-WG] First draft of OAuth 2.0 Eve Maler
- Re: [OAUTH-WG] OAuth 2.0: client_secret, state Marius Scurtescu