[OAUTH-WG] OAuth vs OAuth2 in Authorization header

Brian Eaton <beaton@google.com> Thu, 15 July 2010 05:38 UTC


Draft 10 switched from the "Token" scheme in the authorization header to
"OAuth".  I'd rather we didn't reuse OAuth.  'OAuth2' would be great.
"Token" is ugly as sin, but is better than "OAuth".

Spec section: http://tools.ietf.org/html/draft-ietf-oauth-v2-10#page-30

The problem with reusing "OAuth" is that there are existing
implementations in the wild that have special behavior implemented for
OAuth authorization headers.  Since OAuth2 headers don't have the same
semantics, we're going to break those implementations.  We shouldn't
reuse "OAuth" for the same reasons we shouldn't reuse "Negotiate",
"NTLM", "Digest", or "Basic".

Cheers,
Brian
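
The scheme collision described in the message above, as an added example that is not part of the original post or of any OAuth implementation. It assumes the draft-10 credentials are a single opaque token and the OAuth 1.0 credentials are a comma-separated list of oauth_* parameters; all function names and sample header values are hypothetical.

```python
import re

# One OAuth 1.0 style auth-param: name="value", followed by a comma or the end.
_PARAM = re.compile(r'\s*([A-Za-z0-9_]+)="([^"]*)"\s*(?:,|$)')

def parse_oauth1_params(credentials):
    """Legacy-style handler: accepts only a signed oauth_* parameter list."""
    params, pos = {}, 0
    while pos < len(credentials):
        m = _PARAM.match(credentials, pos)
        if not m:
            raise ValueError("not an OAuth 1.0 parameter list")
        params[m.group(1)] = m.group(2)
        pos = m.end()
    if "oauth_signature" not in params:
        raise ValueError("missing oauth_signature")
    return params

def split_scheme(header):
    scheme, _, credentials = header.strip().partition(" ")
    return scheme.lower(), credentials.strip()

def dispatch_shared_scheme(header):
    """Both protocols send "OAuth": the server must sniff the credentials."""
    scheme, cred = split_scheme(header)
    if scheme != "oauth":
        return ("unsupported", None)
    try:
        return ("oauth1", parse_oauth1_params(cred))
    except ValueError:
        # Guess: an opaque token. Unmodified legacy code has no such
        # branch; it fails in parse_oauth1_params and rejects the request.
        return ("oauth2-token", cred)

def dispatch_distinct_scheme(header):
    """With a separate scheme name ("OAuth2"), routing needs no guessing."""
    scheme, cred = split_scheme(header)
    if scheme == "oauth":
        return ("oauth1", parse_oauth1_params(cred))
    if scheme == "oauth2":
        return ("oauth2-token", cred)
    return ("unsupported", None)

# Constructed sample headers (values are placeholders, not real credentials).
OAUTH1 = ('OAuth realm="Example", oauth_consumer_key="ck", oauth_token="tk", '
          'oauth_signature_method="HMAC-SHA1", oauth_signature="c2ln"')
SHARED = "OAuth example-access-token"    # token form under the reused scheme
DISTINCT = "OAuth2 example-access-token"  # same token, separate scheme name
```

With the shared scheme, a token is recognised only by failing the OAuth 1.0 parse first, so malformed OAuth 1.0 requests and token requests become indistinguishable to the server.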