IETF Logo Mail Archive

[oauth] FW: I-D Action:draft-hammer-oauth-01.txt

Eran Hammer-Lahav <eran@hueniverse.com> Tue, 10 March 2009 05:19 UTC

Return-Path: <eran@hueniverse.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id D0D153A6A16 for <oauth@core3.amsl.com>; Mon, 9 Mar 2009 22:19:38 -0700 (PDT)
X-Quarantine-ID: <YsnS-8FJsqW0>
X-Virus-Scanned: amavisd-new at amsl.com
X-Amavis-Alert: BAD HEADER, MIME error: error: illegal encoding [base64] for MIME type message/external-body
X-Spam-Flag: NO
X-Spam-Score: -3.599
X-Spam-Level:
X-Spam-Status: No, score=-3.599 tagged_above=-999 required=5 tests=[AWL=1.000, BAYES_00=-2.599, GB_I_LETTER=-2]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YsnS-8FJsqW0 for <oauth@core3.amsl.com>; Mon, 9 Mar 2009 22:19:37 -0700 (PDT)
Received: from p3plex1out02.prod.phx3.secureserver.net (p3plex1out02.prod.phx3.secureserver.net [72.167.180.18]) by core3.amsl.com (Postfix) with SMTP id E0BD83A6A0A for <oauth@ietf.org>; Mon, 9 Mar 2009 22:19:37 -0700 (PDT)
Received: (qmail 3540 invoked from network); 10 Mar 2009 05:20:09 -0000
Received: from unknown (HELO smtp.ex1.secureserver.net) (72.167.180.21) by p3plex1out02.prod.phx3.secureserver.net with SMTP; 10 Mar 2009 05:20:09 -0000
Received: from P3PW5EX1MB01.EX1.SECURESERVER.NET ([10.6.135.19]) by P3PW5EX1HT003.EX1.SECURESERVER.NET ([72.167.180.21]) with mapi; Mon, 9 Mar 2009 22:19:53 -0700
From: Eran Hammer-Lahav <eran@hueniverse.com>
To: "oauth@ietf.org" <oauth@ietf.org>
Date: Mon, 09 Mar 2009 22:20:28 -0700
Thread-Topic: I-D Action:draft-hammer-oauth-01.txt
Thread-Index: AcmhEhfYzVUcOjReTn2UlDmONQfYhwALDYTw
Message-ID: <90C41DD21FB7C64BB94121FBBC2E723425023C6EEB@P3PW5EX1MB01.EX1.SECURESERVER.NET>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: multipart/mixed; boundary="_003_90C41DD21FB7C64BB94121FBBC2E723425023C6EEBP3PW5EX1MB01E_"
MIME-Version: 1.0
Subject: [oauth] FW: I-D Action:draft-hammer-oauth-01.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Oauth bof discussion <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 10 Mar 2009 05:19:38 -0000

I spent the last 3 days writing the entire spec from scratch (except for the security consideration section which was just adjusted to the new terminology). The new revision is based on feedback I collected over the past year for the original specification. The main differences are:

* Terminology. Gone are the confusing terms (consumer, request token, consumer key, etc.). Instead I am using terms from the HTTP spec, slightly adjusted.

* Structure. The previous revision mixed authentication with authorization and had very little reason to the way normative text was placed across sections. The new structure splits the spec in two. The first part talks about how to make authenticated requests using two sets of credentials. The second part offers a method (one of many) for getting a token via redirection.

* Encoding. The biggest issue with the previous revision was confusion over parameter encoding and the signature base string. I cleaned up that section, added new examples, and removed a couple instruction to encode the signature (bugs). If followed to the letter, the spec would break all existing implementations... The good thing is it is confusing enough that most people understood it the wrong way (which is actually the right way). Take a look at the old section about PLAINTEXT:

---
oauth_signature is set to the concatenated encoded values of the Consumer Secret and Token Secret, separated by a '&' character (ASCII code 38), even if either secret is empty. The result MUST be encoded again.
---

'The result MUST be encoded again' is just plain wrong. It is encoded again but according to the parameter transmission method, not the special way OAuth does it, and the spec as written would actually double encode it.

* Normative requirements. The spec previously contained many MUSTs and SHOULDs about stuff that could not be verified like documentation and obtaining client credentials. I took out all the ones that didn't actually made any practical difference.

I'm sure there is more, since this is practically a brand new spec (same exact protocol). Please read and provide feedback.

EHL



-----Original Message-----
From: i-d-announce-bounces@ietf.org [mailto:i-d-announce-bounces@ietf.org] On Behalf Of Internet-Drafts@ietf.org
Sent: Monday, March 09, 2009 4:45 PM
To: i-d-announce@ietf.org
Subject: I-D Action:draft-hammer-oauth-01.txt 

A New Internet-Draft is available from the on-line Internet-Drafts directories.

	Title           : The OAuth Core Protocol
	Author(s)       : E. Hammer-Lahav, B. Cook
	Filename        : draft-hammer-oauth-01.txt
	Pages           : 33
	Date            : 2009-03-09

This document specifies the OAuth core protocol.  OAuth provides a method for clients to access server resources on behalf of another party (such a different client or an end user).  It also provides a redirection-based user agent process for end users to authorize access to clients by substituting their credentials (typically, a username and password pair) with a different set of delegation- specific credentials.

A URL for this Internet-Draft is:
http://www.ietf.org/internet-drafts/draft-hammer-oauth-01.txt

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/

Below is the data which will enable a MIME compliant mail reader implementation to automatically retrieve the ASCII version of the Internet-Draft.
[InternetShortcut] URL=ftp://ftp.ietf.org/internet-drafts/draft-hammer-oauth-01.txt

v2.23.0 | Report a Bug | By Email