IETF Logo Mail Archive

Re: [OAUTH-WG] Issue: Split the authorization endpoint into two endpoints

Eran Hammer-Lahav <eran@hueniverse.com> Sat, 17 April 2010 11:43 UTC

Return-Path: <eran@hueniverse.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id C8D113A68F6 for <oauth@core3.amsl.com>; Sat, 17 Apr 2010 04:43:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.471
X-Spam-Level:
X-Spam-Status: No, score=-2.471 tagged_above=-999 required=5 tests=[AWL=0.127, BAYES_00=-2.599, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Bk6hPshfpF1l for <oauth@core3.amsl.com>; Sat, 17 Apr 2010 04:43:09 -0700 (PDT)
Received: from p3plex1out02.prod.phx3.secureserver.net (p3plex1out02.prod.phx3.secureserver.net [72.167.180.18]) by core3.amsl.com (Postfix) with SMTP id E5ABE3A6863 for <oauth@ietf.org>; Sat, 17 Apr 2010 04:43:08 -0700 (PDT)
Received: (qmail 25822 invoked from network); 17 Apr 2010 11:43:00 -0000
Received: from unknown (HELO smtp.ex1.secureserver.net) (72.167.180.20) by p3plex1out02.prod.phx3.secureserver.net with SMTP; 17 Apr 2010 11:43:00 -0000
Received: from P3PW5EX1MB01.EX1.SECURESERVER.NET ([10.6.135.19]) by P3PW5EX1HT002.EX1.SECURESERVER.NET ([72.167.180.20]) with mapi; Sat, 17 Apr 2010 04:43:01 -0700
From: Eran Hammer-Lahav <eran@hueniverse.com>
To: Torsten Lodderstedt <torsten@lodderstedt.net>, James Manger <James.H.Manger@team.telstra.com>
Date: Sat, 17 Apr 2010 04:42:57 -0700
Thread-Topic: [OAUTH-WG] Issue: Split the authorization endpoint into two endpoints
Thread-Index: AcreBXyhwMO7BvK2S/y39OthXsgISQAHaMLj
Message-ID: <C7EEECD1.32476%eran@hueniverse.com>
In-Reply-To: <4BC96CF4.7050009@lodderstedt.net>
Accept-Language: en-US
Content-Language: en
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: multipart/alternative; boundary="_000_C7EEECD132476eranhueniversecom_"
MIME-Version: 1.0
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Issue: Split the authorization endpoint into two endpoints
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 17 Apr 2010 11:43:14 -0000

How would use differentiate between the username and password profile and the client credentials profile, if you are using Basic or Digest?

EHL


On 4/17/10 1:10 AM, "Torsten Lodderstedt" <torsten@lodderstedt.net> wrote:

I support the idea to use standard HTTP auth mechanisms for authentication on the authorization server endpoint. From a design standpoint this is just an API - which we cannot to protect via OAuth tokens because it issues these tokens. But we can use HTTP standard authorization mechanisms (and headers) as BASIC or DIGEST to authenticate the callers. This gives implementations the option to use other mechanisms (like SPNEGO or CERT). And as James pointed out, there might (will in our case) other requests on this endpoint used to provide additional services via other HTTP methods, e.g. DELETE. Moreover, standard authn modules (as in HTTPClient) can directly be used to implement access to OAuth authorization servers.

I would recommend to separate functional API parameters, like callback url, and authorization data.

regards,
Torsten.

Am 17.04.2010 06:52, schrieb Manger, James H:
  Re: [OAUTH-WG] Issue: Split the authorization endpoint into two endpoints


> This has nothing to do with it. There is no PUT and DELETE or POST with non-form body when *requesting a token*.



It is relevant.

I don't want to authenticate direct client requests *only* when they *request a token*.

Clients might make any variety of direct requests unrelated to OAuth.

There might even be other OAuth-related requests from clients to an authorization server in future (eg get meta data, or delete a token; even refreshing a token might be better as a GET).

I want to be able to use the same client auth mechanism, and same client credentials, for all these calls.

Some of these calls might be PUTs, DELETEs, non-form POSTs, GETs etc. even if requesting (& refreshing) a token is always a form POST.

Hence client_secret as a POST parameter when requesting a token is a poor design.





It should be perfectly valid (and not uncommon I expect) for a service to support OAuth for user delegation, but not use OAuth for making all direct client calls token-based - these address quite different issues.

Other services might use short-term refreshable tokens when clients (on their own behalf) access less trusted "content" service, but will use "normal" auth when clients talk to the trusted account/authorization system.

v2.23.0 | Report a Bug | By Email