IETF Logo Mail Archive

Re: [OAUTH-WG] I-D Action:draft-ietf-oauth-v2-12.txt

Marius Scurtescu <mscurtescu@google.com> Wed, 26 January 2011 21:40 UTC

Return-Path: <mscurtescu@google.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id A30EA3A68A0 for <oauth@core3.amsl.com>; Wed, 26 Jan 2011 13:40:08 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -105.812
X-Spam-Level:
X-Spam-Status: No, score=-105.812 tagged_above=-999 required=5 tests=[AWL=0.165, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5La8OexxFX-5 for <oauth@core3.amsl.com>; Wed, 26 Jan 2011 13:40:07 -0800 (PST)
Received: from smtp-out.google.com (smtp-out.google.com [216.239.44.51]) by core3.amsl.com (Postfix) with ESMTP id 9C53E3A6893 for <oauth@ietf.org>; Wed, 26 Jan 2011 13:40:07 -0800 (PST)
Received: from kpbe19.cbf.corp.google.com (kpbe19.cbf.corp.google.com [172.25.105.83]) by smtp-out.google.com with ESMTP id p0QLh88i020898 for <oauth@ietf.org>; Wed, 26 Jan 2011 13:43:09 -0800
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=google.com; s=beta; t=1296078189; bh=gDyI41W6/94zaAk79jMQlPhtjBA=; h=MIME-Version:In-Reply-To:References:From:Date:Message-ID:Subject: To:Cc:Content-Type:Content-Transfer-Encoding; b=lH+5JshWq6bqimHU9MQ2vRlM9Vd+hj+1/c/pWmdKRfxbIXWqkGb+xnUm+Z3oqrXmi OMvYWq1TgVSVclFZXLRtg==
Received: from ywi6 (ywi6.prod.google.com [10.192.9.6]) by kpbe19.cbf.corp.google.com with ESMTP id p0QLgrcv008647 (version=TLSv1/SSLv3 cipher=RC4-MD5 bits=128 verify=NOT) for <oauth@ietf.org>; Wed, 26 Jan 2011 13:43:07 -0800
Received: by ywi6 with SMTP id 6so321935ywi.6 for <oauth@ietf.org>; Wed, 26 Jan 2011 13:43:07 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=beta; h=domainkey-signature:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type:content-transfer-encoding; bh=yQrzEoe2PVpHCQAdAF92g5hS3xANBIvza+4Wb6H0gzE=; b=XzZGzpAxz8meoT3x/eazaPPPk4fTqEQMJZH7UkERujsmmTE+Pu8RLe8jmkua+vT20z VBujAJKxVEB5oNh8D7Dw==
DomainKey-Signature: a=rsa-sha1; c=nofws; d=google.com; s=beta; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type:content-transfer-encoding; b=QdTosmZ9kEd0+45dPE88R6GW6wKN8xQEs7zLz9jehXyTWYtSDGuU0IylWEdZm0lNqL xTiWsyzrhXucoD4Aswwg==
Received: by 10.100.227.17 with SMTP id z17mr178433ang.214.1296078187329; Wed, 26 Jan 2011 13:43:07 -0800 (PST)
MIME-Version: 1.0
Received: by 10.100.153.9 with HTTP; Wed, 26 Jan 2011 13:42:47 -0800 (PST)
In-Reply-To: <90C41DD21FB7C64BB94121FBBC2E723445A8D62545@P3PW5EX1MB01.EX1.SECURESERVER.NET>
References: <20110121004501.28103.96097.idtracker@localhost> <90C41DD21FB7C64BB94121FBBC2E723445A8D61C8E@P3PW5EX1MB01.EX1.SECURESERVER.NET> <90C41DD21FB7C64BB94121FBBC2E723445A8D61CBA@P3PW5EX1MB01.EX1.SECURESERVER.NET> <AANLkTimzOErQhT_gjdQrcawVgfsnr_2RVtTOYRoP-fcR@mail.gmail.com> <90C41DD21FB7C64BB94121FBBC2E723445A8D62545@P3PW5EX1MB01.EX1.SECURESERVER.NET>
From: Marius Scurtescu <mscurtescu@google.com>
Date: Wed, 26 Jan 2011 13:42:47 -0800
Message-ID: <AANLkTi=doUBwOyvZx+GyJSB7N19hpQEE-UqAfQ1F-xSv@mail.gmail.com>
To: Eran Hammer-Lahav <eran@hueniverse.com>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: quoted-printable
X-System-Of-Record: true
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] I-D Action:draft-ietf-oauth-v2-12.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 26 Jan 2011 21:40:08 -0000

On Tue, Jan 25, 2011 at 11:08 PM, Eran Hammer-Lahav <eran@hueniverse.com> wrote:
> Thanks Marius.
>
>> -----Original Message-----
>> From: Marius Scurtescu [mailto:mscurtescu@google.com]
>> Sent: Tuesday, January 25, 2011 5:02 PM
>> To: Eran Hammer-Lahav
>> Cc: oauth@ietf.org
>> Subject: Re: [OAUTH-WG] I-D Action:draft-ietf-oauth-v2-12.txt
>>
>> On Thu, Jan 20, 2011 at 9:41 PM, Eran Hammer-Lahav
>> <eran@hueniverse.com> wrote:
>> > Forgot to mention that I don't have any outstanding comments in my
>> queue so if your feedback was not incorporated into -12, and you feel
>> strongly about it, bring it up again.
>>
>> From an older email, adapted to v12:
>>
>>
>> 1. The token_type parameter is required in responses from the server.
>> If the server supports multiple formats, which one will be used? In this case,
>> would it make sense to allow the client to request a specific format?
>>
>> For example, if the authorization server supports both MAC and BEARER,
>> which one will the server issue?
>
> It might in some cases, but I suspect most providers are going to decide which scheme provides the right level of security for them and just use that. If you are going to allow both MAC and BEARER, you are basically letting clients decide which level to operate at. Do you have a need or plan to support multiple token types?

For now we are planning to support only bearer, but I am sure some
form of signed tokens will follow sooner than later. At which point we
would have to support both.

In most cases I think it is up to the client to decide.


>> 2. Section 8.2. What about applications using legacy parameters? Does not
>> make much sense to register them, and they cannot be changed to x_.
>> Broken record: using a prefix for all registered parameters is much cleaner (as
>> opposed to requiring that all no-registered parameters use a prefix).
>>
>> For Google it is impossible to comply with this requirement.
>
> What legacy parameters do you have? Since OAuth 2.0 endpoints are brand new, this is probably about extension parameters in the authorization endpoint from OAuth 1.0 or AuthSub? I think the legacy parameters problem is pretty small, given the number of existing *token* and *authorization* endpoints with custom parameters (that were not pulled into the specification such as scope), but it would be good to know what we are dealing with.

It is about parameters used by the authentication endpoints (aka login
page). The new OAuth 2 endpoints have no control over that.


> Overall, this is a pretty minor issue. I assume you don't have any conflicts today with the v2 specification. Any conflicts you might have in the future (for which this x_ prefix is meant for) with new extensions is probably going to be minor. And Google can always join the work to make sure they pick a less conflicting name... this is where the registration process really helps to avoid clashes.

I don't think it makes much sense to register these existing
parameters, and they cannot be changed either. I guess that other
authorization servers will have similar issues.

Here are some examples from the top of my head:
- hd - domain hint, for hosted domain
- hl - language selecter
- authuser - multiple session user selector


Marius

v2.23.0 | Report a Bug | By Email