IETF Logo Mail Archive

Re: [OAUTH-WG] Change grant_type="none" to something less confusing

Eran Hammer-Lahav <eran@hueniverse.com> Sat, 17 July 2010 18:50 UTC

Return-Path: <eran@hueniverse.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id A132B3A68AD for <oauth@core3.amsl.com>; Sat, 17 Jul 2010 11:50:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.492
X-Spam-Level:
X-Spam-Status: No, score=-2.492 tagged_above=-999 required=5 tests=[AWL=0.106, BAYES_00=-2.599, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6KZbZm6Qcfc0 for <oauth@core3.amsl.com>; Sat, 17 Jul 2010 11:50:06 -0700 (PDT)
Received: from p3plex1out01.prod.phx3.secureserver.net (p3plex1out01.prod.phx3.secureserver.net [72.167.180.17]) by core3.amsl.com (Postfix) with SMTP id 4AF833A67D3 for <oauth@ietf.org>; Sat, 17 Jul 2010 11:50:05 -0700 (PDT)
Received: (qmail 31900 invoked from network); 17 Jul 2010 18:50:17 -0000
Received: from unknown (HELO smtp.ex1.secureserver.net) (72.167.180.21) by p3plex1out01.prod.phx3.secureserver.net with SMTP; 17 Jul 2010 18:50:17 -0000
Received: from P3PW5EX1MB01.EX1.SECURESERVER.NET ([10.6.135.20]) by P3PW5EX1HT003.EX1.SECURESERVER.NET ([72.167.180.21]) with mapi; Sat, 17 Jul 2010 11:50:17 -0700
From: Eran Hammer-Lahav <eran@hueniverse.com>
To: Luke Shepard <lshepard@facebook.com>, Brian Eaton <beaton@google.com>
Date: Sat, 17 Jul 2010 11:50:15 -0700
Thread-Topic: [OAUTH-WG] Change grant_type="none" to something less confusing
Thread-Index: AcslLStlY2bWOda0k0GQasbZ66+p+QAQ5ccAACSCKIAACHmbyw==
Message-ID: <C8674977.374B1%eran@hueniverse.com>
In-Reply-To: <AA83846D-1817-4B51-9F3E-CA9DD91862D6@facebook.com>
Accept-Language: en-US
Content-Language: en
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: multipart/alternative; boundary="_000_C8674977374B1eranhueniversecom_"
MIME-Version: 1.0
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Change grant_type="none" to something less confusing
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 17 Jul 2010 18:50:13 -0000

The use case is pretty simple: the user uses the server and approves a third party site access to their data directly (i.e. They are not sent to the server from the client, but just use the server). The third part then uses their client credentials to request a token. That token has access to whatever data was authorized previously by any user on the server side. This is still a client-only flow, but the grant isn't just for the client's own resources, but to whatever has been authorized to that client.

All I was trying to say was that when the client uses client credentials alone, it can access resources beyond those under its control (i.e. Its own resources) if such grant was previously arranged. For example, I think FireEagle had an API to ask if any of the users who authorized a client have changed location since last time the client checked. That was done using a client-only token, but it provided some information about individual users (which one was updated).

IOW, the client-credentials flow is not limited to cases where the client is also the resource owner. The client can also access other resources as authorized.

EHL


On 7/17/10 8:52 AM, "Luke Shepard" <lshepard@facebook.com> wrote:

Facebook does need to implement this - formerly the "client_cred" flow. We need apps to be able to interact directly with the service without a user involved.

As far as consistency, it is just a little weird to call it "client password" in one part of the spec, when it's defined as "client secret" elsewhere. We wouldn't call it the "client secret" flow because the client secret is used in other flows; I think the same argument applies to the term "client password".

How about just "client_only" ? Eran, I don't think I understand the other use cases you're talking about.

On Jul 16, 2010, at 3:27 PM, Brian Eaton wrote:

> I withdraw my question.  David might not be interested in implementing
> the client password flow, but he is certainly interested in
> implementing other flows that involve the client password term.  So
> he's entitled to an opinion on what color the client password bike
> shed should be painted. =)
>
> (David, no offense, I'm just trying to stick by my guns on the whole
> "stop screwing up the spec by merging separate use cases into single
> flows" thing...)
>
> On Fri, Jul 16, 2010 at 2:23 PM, Eran Hammer-Lahav <eran@hueniverse.com> wrote:
>> And that matters how?
>>
>> EHL
>>
>>
>>
>> On Jul 16, 2010, at 16:57, "Brian Eaton" <beaton@google.com> wrote:
>>
>>> On Fri, Jul 16, 2010 at 1:37 PM, David Recordon <recordond@gmail.com> wrote:
>>>> I've always found "client password" to be a confusing term.
>>>
>>> Are you going to support this flow at all...?
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

v2.35.0 | Report a Bug | By Email | System Status