Re: [OAUTH-WG] Which draft to use as a starting point for 'using a token'?
Greg Brail <gbrail@sonoasystems.com> Thu, 11 February 2010 05:06 UTC
Return-Path: <gbrail@sonoasystems.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 9F3FA28C17B for <oauth@core3.amsl.com>; Wed, 10 Feb 2010 21:06:12 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.018
X-Spam-Level:
X-Spam-Status: No, score=0.018 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FH_HOST_EQ_D_D_D_D=0.765, FH_HOST_EQ_D_D_D_DB=0.888, HELO_MISMATCH_COM=0.553, HOST_MISMATCH_NET=0.311, RDNS_DYNAMIC=0.1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5piQFMGWmPFh for <oauth@core3.amsl.com>; Wed, 10 Feb 2010 21:06:11 -0800 (PST)
Received: from usps.sonoasystems.com (65.105.207.194.ptr.us.xo.net [65.105.207.194]) by core3.amsl.com (Postfix) with ESMTP id 60D6628C177 for <oauth@ietf.org>; Wed, 10 Feb 2010 21:06:11 -0800 (PST)
Received: from usps.sonoa.local ([10.20.0.244]) by usps.sonoa.local ([10.20.0.244]) with mapi; Wed, 10 Feb 2010 21:09:19 -0800
From: Greg Brail <gbrail@sonoasystems.com>
To: Eran Hammer-Lahav <eran@hueniverse.com>, "OAuth WG (oauth@ietf.org)" <oauth@ietf.org>
Date: Wed, 10 Feb 2010 21:07:22 -0800
Thread-Topic: [OAUTH-WG] Which draft to use as a starting point for 'using a token'?
Thread-Index: AcqmNNn9ICKDZvAtSGS8T1z8KSpllwDbj7+QAExxZyA=
Message-ID: <48AE706BD74FCC4297AD778805CA46F6184C707B6F@usps.sonoa.local>
References: <ADB082E11CEB5D49A3CC03E49DCECE02378CB8868D@P3PW5EX1MB01.EX1.SECURESERVER.NET> <90C41DD21FB7C64BB94121FBBC2E723437DFDDE1DC@P3PW5EX1MB01.EX1.SECURESERVER.NET>
In-Reply-To: <90C41DD21FB7C64BB94121FBBC2E723437DFDDE1DC@P3PW5EX1MB01.EX1.SECURESERVER.NET>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Subject: Re: [OAUTH-WG] Which draft to use as a starting point for 'using a token'?
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 11 Feb 2010 05:06:12 -0000
Like a lot of people, I think, things are moving along and we're trying to keep up. I do have a few more basic questions. Like it or not, the concept of a "consumer key" and "access token" is hard-wired into many developers' perceptions of OAuth, and a major difference between the two specs is that "ietf-oauth-authentication" retains both tokens and "http-token-auth" does not. Given that today's OAuth-based applications are relying on having two tokens on each request, how would this work if "ietf-oauth-authentication" were to be adopted? If a developer or API provider wishes to include some sort of "consumer key" on each request in addition to the token, how should that be accomplished? One option would be to simply say, "we don't care -- just make it an additional request parameter and call it what you want". But I think if that's the case then that has to be spelled out in the "release notes" for the new specs somehow. (And no, I don't know what the right mechanism is for that in IETF.) For instance, in a number of APIs I've been involved with recently, the "consumer key" from OAuth 1.0 is NOT an "equivalent to a username" as described in "ietf-oauth-authentication." Rather, it's used to uniquely identify the application that is calling an API. API providers usually wish to track not only the user making a request (which can be inferred from the token), but also which application was used and which developer wrote that application. A sophisticated back-end app can of course infer this information too from the token, but I don't know what kind of back-end changes would be required to make that happen for an existing API, nor do I know whether your typical API provider wishes to store that much state. Finally, I personally like "draft-hammer-http-token-auth" better because it is more straightforward in that there is only one token and no need to mess around with signing it by constructing a key made out of two keys, and so forth. I also like that there is some structure around the "WWW-Authenticate" response, and the option to sign the entire request body or leave it unsigned. Finally, finally this time, would it be possible to have a link to "draft-hammer-http-token-auth" on the main OAuth IETF page? Google works fine but still it'd help. greg -----Original Message----- From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of Eran Hammer-Lahav Sent: Tuesday, February 09, 2010 11:16 AM To: OAuth WG (oauth@ietf.org) Subject: Re: [OAUTH-WG] Which draft to use as a starting point for 'using a token'? No one cares? EHL > -----Original Message----- > From: Eran Hammer-Lahav > Sent: Thursday, February 04, 2010 11:29 PM > To: OAuth WG (oauth@ietf.org) > Subject: Which draft to use as a starting point for 'using a token'? > > On the call today I clarified what is going on with all the different drafts. In > brief: > > draft-hammer-oauth - documentation of the OAuth 1.0 Rev A (with changes) > protocol. This is done and should be approved by the IESG shortly for > publication. > > draft-ietf-oauth-authentication - the part of OAuth 1.0 dealing with 'how to > use a token after you obtain it'. > draft-ietf-oauth-web-delegation - the part of OAuth 1.0 rev A dealing with > 'getting a token'. > > draft-hammer-http-token-auth - an alternative proposal (meant to replace > draft-ietf-oauth-authentication) which builds on top of OAuth 1.0 but cleans > up the structure and removes the client credentials when accessing > protected resources. It also changes how the request is normalized into a > string before signing. > > We have three options for moving forward with 'how to use a token'. Start > with: > > 1. draft-ietf-oauth-authentication > 2. draft-hammer-http-token-auth > 3. something else* > > * Do not suggest something else unless you are going to submit a proposal. It > doesn't have to be an I-D, I am happy to do the editorial work but I will need > a detailed proposal that is enough to turn into a specification. > > Pick. > > EHL _______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
- [OAUTH-WG] Which draft to use as a starting point… Eran Hammer-Lahav
- Re: [OAUTH-WG] Which draft to use as a starting p… Eran Hammer-Lahav
- Re: [OAUTH-WG] Which draft to use as a starting p… Paul C. Bryan
- Re: [OAUTH-WG] Which draft to use as a starting p… Dick Hardt
- Re: [OAUTH-WG] Which draft to use as a starting p… Greg Brail
- Re: [OAUTH-WG] Which draft to use as a starting p… Eran Hammer-Lahav
- Re: [OAUTH-WG] Which draft to use as a starting p… Eran Hammer-Lahav