IETF Logo Mail Archive

Re: [OAUTH-WG] OAuth2 scheme

Eran Hammer-Lahav <eran@hueniverse.com> Sat, 09 April 2011 03:54 UTC

Return-Path: <eran@hueniverse.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id A72F13A6A32 for <oauth@core3.amsl.com>; Fri, 8 Apr 2011 20:54:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.646
X-Spam-Level:
X-Spam-Status: No, score=-2.646 tagged_above=-999 required=5 tests=[AWL=-0.048, BAYES_00=-2.599, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fGOC8Y8AjSGD for <oauth@core3.amsl.com>; Fri, 8 Apr 2011 20:54:36 -0700 (PDT)
Received: from p3plex1out01.prod.phx3.secureserver.net (p3plex1out01.prod.phx3.secureserver.net [72.167.180.17]) by core3.amsl.com (Postfix) with SMTP id CB55D3A6978 for <oauth@ietf.org>; Fri, 8 Apr 2011 20:54:35 -0700 (PDT)
Received: (qmail 12140 invoked from network); 9 Apr 2011 03:56:20 -0000
Received: from unknown (HELO smtp.ex1.secureserver.net) (72.167.180.21) by p3plex1out01.prod.phx3.secureserver.net with SMTP; 9 Apr 2011 03:56:20 -0000
Received: from P3PW5EX1MB01.EX1.SECURESERVER.NET ([10.6.135.19]) by P3PW5EX1HT003.EX1.SECURESERVER.NET ([72.167.180.21]) with mapi; Fri, 8 Apr 2011 20:56:20 -0700
From: Eran Hammer-Lahav <eran@hueniverse.com>
To: "Manger, James H" <James.H.Manger@team.telstra.com>, OAuth WG <oauth@ietf.org>
Date: Fri, 08 Apr 2011 20:56:09 -0700
Thread-Topic: OAuth2 scheme
Thread-Index: Acv0szxJR54h3FRORpezZ9L8nUeh+gAxRy2gAAXVW8AACmyNEAAsFdmQ
Message-ID: <90C41DD21FB7C64BB94121FBBC2E7234465664E5CD@P3PW5EX1MB01.EX1.SECURESERVER.NET>
References: <90C41DD21FB7C64BB94121FBBC2E7234465664E11D@P3PW5EX1MB01.EX1.SECURESERVER.NET> <255B9BB34FB7D647A506DC292726F6E11281CAB8DB@WSMSG3153V.srv.dir.telstra.com> <90C41DD21FB7C64BB94121FBBC2E7234465664E3B1@P3PW5EX1MB01.EX1.SECURESERVER.NET> <255B9BB34FB7D647A506DC292726F6E11281D308B0@WSMSG3153V.srv.dir.telstra.com>
In-Reply-To: <255B9BB34FB7D647A506DC292726F6E11281D308B0@WSMSG3153V.srv.dir.telstra.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: multipart/alternative; boundary="_000_90C41DD21FB7C64BB94121FBBC2E7234465664E5CDP3PW5EX1MB01E_"
MIME-Version: 1.0
Subject: Re: [OAUTH-WG] OAuth2 scheme
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 09 Apr 2011 03:54:41 -0000

Thanks James.

I think overall your proposal is a good direction. I think the combination of Link and WWW-Authenticate headers (static/dynamic) discovery is interesting.

If you have the time, I would love to see an I-D defining the OAuth2 authentication scheme (partial as you defined it) with clear usage and processing rules for using it with other HTTP schemes. While this is clearly not within our scope, progressing such a draft now on the side makes a lot of sense to me.

EHL

From: Manger, James H [mailto:James.H.Manger@team.telstra.com]
Sent: Friday, April 08, 2011 12:17 AM
To: Eran Hammer-Lahav; OAuth WG
Subject: RE: OAuth2 scheme

[Sorry, I didn't see this email before I sent my last one]

> Chairs - I would like to ask that you declare all discovery requirements and use cases out of scope for v2 and the working group at this point.
>
> ---
>
> As for the error code registry and the request Mike posted, I do not think your use case has much to do with the goal Mike has with his registry proposal. Mike's proposal is for v2 to define an error registry for use with an error attribute across different HTTP schemes such as Bearer and MAC, and for that to make sense, we need to define an OAuth2 scheme that *replaces* the Bearer and MAC schemes - something you agree we should not do.


An error code is part of discovery - it lets a client app "discover" what it needs to do next to gain access.

We can have separate discovery of fairly static server capabilities and endpoints and call that out of scope for v2.
However, we still need dynamic discovery of which OAuth2 flow a client should do after a particular HTTP resource request fails. This is related to error codes so needs to be as in-scope as error codes are. Indicating which OAuth2 flow to perform should be OAuth2-specific, not kludged onto every (independent) authentication scheme.

P.S. I still absolutely agree that we should NOT define one OAuth2 scheme that replaces Bearer and MAC.

--
James Manger

v2.23.0 | Report a Bug | By Email