IETF Logo Mail Archive

Re: [OAUTH-WG] OAuth vs OAuth2 in Authorization header

"William Mills" <wmills@yahoo-inc.com> Thu, 15 July 2010 18:50 UTC

Return-Path: <wmills@yahoo-inc.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id D99EA3A6AA5 for <oauth@core3.amsl.com>; Thu, 15 Jul 2010 11:50:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -17.346
X-Spam-Level:
X-Spam-Status: No, score=-17.346 tagged_above=-999 required=5 tests=[AWL=0.253, BAYES_00=-2.599, USER_IN_DEF_WHITELIST=-15]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id B24uiu5R5Hmm for <oauth@core3.amsl.com>; Thu, 15 Jul 2010 11:50:52 -0700 (PDT)
Received: from mrout2.yahoo.com (mrout2.yahoo.com [216.145.54.172]) by core3.amsl.com (Postfix) with ESMTP id 541853A6A59 for <oauth@ietf.org>; Thu, 15 Jul 2010 11:50:52 -0700 (PDT)
Received: from SNV-EXBH01.ds.corp.yahoo.com (snv-exbh01.ds.corp.yahoo.com [207.126.227.249]) by mrout2.yahoo.com (8.13.8/8.13.8/y.out) with ESMTP id o6FIo89t073854; Thu, 15 Jul 2010 11:50:08 -0700 (PDT)
DomainKey-Signature: a=rsa-sha1; s=serpent; d=yahoo-inc.com; c=nofws; q=dns; h=received:x-mimeole:content-class:mime-version: content-type:content-transfer-encoding:subject:date:message-id: in-reply-to:x-ms-has-attach:x-ms-tnef-correlator:thread-topic: thread-index:references:from:to:cc:return-path:x-originalarrivaltime; b=T497iw2zCxE/J63BoV4GsYYYDnXYSq+3c7dQdY1kpi/hkMT653j2RERutpTRB1Rv
Received: from SNV-EXVS08.ds.corp.yahoo.com ([207.126.227.8]) by SNV-EXBH01.ds.corp.yahoo.com with Microsoft SMTPSVC(6.0.3790.4675); Thu, 15 Jul 2010 11:50:08 -0700
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: quoted-printable
Date: Thu, 15 Jul 2010 11:50:07 -0700
Message-ID: <012AB2B223CB3F4BB846962876F47217059B6CD5@SNV-EXVS08.ds.corp.yahoo.com>
In-Reply-To: <DE089E9F-35D6-4805-AC77-F86F2642810B@hueniverse.com>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: [OAUTH-WG] OAuth vs OAuth2 in Authorization header
Thread-Index: AcskTJ7hBPsBn3XQQyWpNc2p2vpumgAAVGWw
References: <AANLkTim6az--AdwmEoew2pz3kEjhc_GyEaiyo_0UhSRr@mail.gmail.com><1279205969.18579.55.camel@localhost.localdomain><AANLkTildz62l2Me26Dlrv5nNmp8Z3P8JD1K-ChcWc5IO@mail.gmail.com><AANLkTill8k-fUFt-IZLWdZinScj4fSBoI4rAiAf1PrYR@mail.gmail.com><1279216291.18579.61.camel@localhost.localdomain><74AEEFD7-04B3-4B28-970E-0DB554728BED@facebook.com> <DE089E9F-35D6-4805-AC77-F86F2642810B@hueniverse.com>
From: William Mills <wmills@yahoo-inc.com>
To: Eran Hammer-Lahav <eran@hueniverse.com>, Luke Shepard <lshepard@facebook.com>
X-OriginalArrivalTime: 15 Jul 2010 18:50:08.0341 (UTC) FILETIME=[8BE6F850:01CB244E]
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] OAuth vs OAuth2 in Authorization header
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 15 Jul 2010 18:50:55 -0000

Lots of things can be done.  Checking presence of oauth_signature_method
implies that the format is the same in all cases including the auth
header right?

What you seem to be arguing for right now is parsing the entire line to
decide which auth you do.  I would *much* prefer a leading tag or scheme
name so I don't have to go there.

To me this is an argument about complexity.  Your solution involves more
complex code to differentiate. 

> -----Original Message-----
> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] 
> On Behalf Of Eran Hammer-Lahav
> Sent: Thursday, July 15, 2010 11:36 AM
> To: Luke Shepard
> Cc: oauth@ietf.org
> Subject: Re: [OAUTH-WG] OAuth vs OAuth2 in Authorization header
> 
> Framing the argument against "having a 2 in it" as 
> bikeshedding is missing the point. My reason against using 
> OAuth2 is that is will undermine all the work put in to build 
> an extensible framework that can evolve without needing a 
> whole new version. By putting a version number, we make it 
> more attractive to change the protocol than extend it.
> 
> So far the arguments made are all theoretical.
> 
> I will maintain  my objection and preference to reuse the 
> existing names until someone with an existing 1.0 deployment 
> can make a compelling reason why they can rely on the 
> presence of the oauth_signature_method to differentiate. 
> 
> EHL
> 
> 
> 
> On Jul 15, 2010, at 14:24, "Luke Shepard" 
> <lshepard@facebook.com> wrote:
> 
> > 
> > On Jul 15, 2010, at 10:51 AM, Justin Richer wrote:
> > 
> >> It was discussed before, but I don't remember there being any 
> >> consensus in the group. What are the practical reasons for 
> not using "oauth2"
> >> namespacing in the one place we still use namespacing? 
> Most of what 
> >> I've heard seems to sound like "I don't like it to have a 2 on it".
> > 
> > I don't like it to have a 2 in it.
> > 
> >> I don't want to have to set up the OAuth 2 system to have to catch 
> >> failed cases of the OAuth 1 protocol. A good OAuth 2 call 
> and a bad 
> >> OAuth 1 call should be distinguishable from the start. Also, what 
> >> about when we finally get a signed-request going? I would 
> assume that 
> >> that's going to add back in things like oauth_signature, 
> oauth_nonce, 
> >> and the other parameters whose absence you should filter on.
> > 
> > The latest signature discussions have all focused on a 
> single, self-contained, signed parameter that includes both 
> data and signature. I think it's unlikely that we will 
> introduce the plethora of parameters that we had in OAuth 1.0.
> > 
> >> -- Justin
> >> 
> >> On Thu, 2010-07-15 at 13:37 -0400, David Recordon wrote:
> >>> I thought this topic had been beaten to death before. An 
> OAuth 1.0 
> >>> protected resource request includes a variety of oauth_ 
> parameters 
> >>> whereas OAuth 2.0 just has oauth_token.
> >>> 
> >>> 
> >>> --David
> >>> 
> >>> 
> >>> On Thu, Jul 15, 2010 at 10:12 AM, Brian Eaton <beaton@google.com>
> >>> wrote:
> >>>       On Thu, Jul 15, 2010 at 7:59 AM, Justin Richer
> >>>       <jricher@mitre.org> wrote:
> >>>> +1 on OAuth2 header, and I also want to see oauth2_token in
> >>>       URI and form
> >>>> parameter methods.
> >>> 
> >>> 
> >>>       Good point about the query parameter names needing to be
> >>>       unambiguous.
> >>> 
> >>>       _______________________________________________
> >>>       OAuth mailing list
> >>>       OAuth@ietf.org
> >>>       https://www.ietf.org/mailman/listinfo/oauth
> >>> 
> >>> 
> >>> 
> >> 
> >> 
> >> _______________________________________________
> >> OAuth mailing list
> >> OAuth@ietf.org
> >> https://www.ietf.org/mailman/listinfo/oauth
> > 
> > _______________________________________________
> > OAuth mailing list
> > OAuth@ietf.org
> > https://www.ietf.org/mailman/listinfo/oauth
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>

v2.38.3 | Report a Bug | By Email | System Status