Re: [OAUTH-WG] What to do about 'realm'

Eve Maler <eve@xmlgrrl.com> Sun, 11 July 2010 13:46 UTC


+1. James states two important requirements (don't stand in the way of dynamic config, provide end-user authz endpoint at a minimum) we need to meet, whatever we pick.

	Eve

On 11 Jul 2010, at 6:12 AM, Manger, James H wrote:

> Brian,
> 
>> Or even just:
>> 
>> WWW-Authenticate: OAuth2
>> 
>> Seriously.
> 
> I seriously hope not.
> It gives no chance for a client to work with a service without being pre-configured with a whole lot of service-specific knowledge -- in addition to an app-id/password.
> 
> I don't think a realm parameter adds much value to a "WWW-Auth.: OAuth2" header, other than complying with RFC2617. The header does need to provide an end-user authorization endpoint. Ideally, that one URI would be sufficient for the protocol to succeed (though currently you need to separately provide a token endpoint as well).
> 
> --
> James Manger


Eve Maler
http://www.xmlgrrl.com/blog
http://www.twitter.com/xmlgrrl
http://www.linkedin.com/in/evemaler
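
The point argued in the quoted message, as an added example that is not part of the original thread: a client parses the challenge and reports whether it learned an end-user authorization endpoint or still depends on pre-configured, service-specific knowledge. The parameter name `user-authz-uri`, the `as.example` host and the https-only check are assumptions made for this example; the thread names no parameter.

```python
import re
from urllib.parse import urlsplit

# Hypothetical parameter name chosen for this example; the thread does not name one.
ENDPOINT_PARAM = "user-authz-uri"

# auth-param = name "=" ( token / quoted-string ), followed by "," or end of input
_PARAM = re.compile(r'\s*([^\s=,"]+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s,"]+))\s*(?:,|$)')

def parse_challenge(header):
    """Split a single-challenge WWW-Authenticate value into (scheme, params)."""
    scheme, _, rest = header.strip().partition(" ")
    rest = rest.strip()
    params, pos = {}, 0
    while pos < len(rest):
        m = _PARAM.match(rest, pos)
        if not m:
            raise ValueError("malformed auth-param at offset %d" % pos)
        name, quoted, token = m.groups()
        # Undo backslash escapes inside a quoted-string; tokens are taken as-is.
        value = re.sub(r"\\(.)", r"\1", quoted) if quoted is not None else token
        params[name.lower()] = value
        pos = m.end()
    return scheme, params

def discover(header):
    """Report what a client with no service-specific configuration learns."""
    scheme, params = parse_challenge(header)
    endpoint = params.get(ENDPOINT_PARAM)
    if endpoint is not None:
        parts = urlsplit(endpoint)
        # Assumption of this example: only an absolute https URI is usable,
        # since the end user is sent to whatever this value names.
        if parts.scheme != "https" or not parts.netloc:
            endpoint = None
    return {
        "scheme": scheme,
        "realm": params.get("realm"),
        "authz_endpoint": endpoint,
        "needs_preconfiguration": endpoint is None,
    }

if __name__ == "__main__":
    # Constructed sample challenges, not captured from any real service.
    for h in ('OAuth2', 'OAuth2 realm="example"',
              'OAuth2 user-authz-uri="https://as.example/authorize"'):
        print(h, "->", discover(h))
```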