Re: [OAUTH-WG] OAuth 1 Bridge Flow

Luke Shepard <> Fri, 07 May 2010 05:49 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 803B128C134 for <>; Thu, 6 May 2010 22:49:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.698
X-Spam-Status: No, score=-1.698 tagged_above=-999 required=5 tests=[AWL=-1.033, BAYES_50=0.001, IP_NOT_FRIENDLY=0.334, RCVD_IN_DNSWL_LOW=-1]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id bBrcdxWgOlM0 for <>; Thu, 6 May 2010 22:49:00 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id 44AA428C13A for <>; Thu, 6 May 2010 22:40:06 -0700 (PDT)
Received: from ([]) by (8.14.3/8.14.3) with ESMTP id o475dO45027511 (version=TLSv1/SSLv3 cipher=RC4-MD5 bits=128 verify=NOT); Thu, 6 May 2010 22:39:30 -0700
Received: from ( by ( with Microsoft SMTP Server (TLS) id; Thu, 6 May 2010 22:39:42 -0700
Received: from ([]) by ([]) with mapi; Thu, 6 May 2010 22:39:43 -0700
From: Luke Shepard <>
To: Allen Tom <>
Date: Thu, 6 May 2010 22:39:42 -0700
Thread-Topic: [OAUTH-WG] OAuth 1 Bridge Flow
Thread-Index: Acrtp7Gqn4HtxwwHTiWmm+aBg8EwhQ==
Message-ID: <>
References: <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=1.12.8161:2.4.5, 1.2.40, 4.0.166 definitions=2010-05-07_01:2010-02-06, 2010-05-07, 2010-05-06 signatures=0
Cc: OAuth WG <>
Subject: Re: [OAUTH-WG] OAuth 1 Bridge Flow
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 07 May 2010 05:49:01 -0000

Obviously if a service adopts OAuth 2.0, they should continue supporting their old method of login - Facebook will no doubt continue to support its old method of MD5 sigs for a long time, so as not to break apps in the wild.

But if a user has already authorized your app, and you WANT to use OAuth 2.0 but you have an old token, then you should be able to silently exchange an OAuth 1.0 token for an access token without asking the user for permission. That's the flow Marius proposed.

To Marius:
> Are the issued OAuth 2.0 access tokens short lived? Is "expires" a
> delta or an absolute time?

Our access tokens, like our session keys, can be either short lived (1 hour) or long lived (basically infinite). In practice, though, we don't expect people to go to the effort of exchanging a short-lived token - after exchange, the new token has the same expiration as the original. It looks like we are using an absolute time when we should be doing a delta, good catch.

On May 4, 2010, at 4:03 PM, Allen Tom wrote:

> Although we have not formally announced any plans to support OAuth2 yet, I
> would expect that Yahoo would be able to simultaneously support both Oauth
> 1.0a and OAuth2 without requiring clients to upgrade their existing Oauth
> 1.0a credentials for OAuth2.
> Note: Yahoo currently requires the Session Extension, so all of our Access
> Tokens are valid for one hour. The OAuth2 Refresh Token is equivalent to the
> Session Extension's "Auth Session Handle"
> Allen
> On 5/4/10 11:46 AM, "Justin Richer" <> wrote:
>> Interesting work. So as each app upgrades its support from OAuth1 to
>> OAuth2, it exchanges its old tokens for new ones once for each user,
>> right? Then the app in question is effectively going to have to speak
>> both flavors of OAuth to do this one-time upgrade. I always assumed that
>> apps would just have to get new OAuth2 access tokens by going back to
>> the user (since tokens are cheap), but I can definitely see value in
>> there being a clean upgrade path, especially for wide deployments.
>> Because the other side of things, what would it take an implementor to
>> have a backwards-compatible system? Since the OAuth2 protocol is by
>> design not backwards compatible (though the signature-based web flows
>> are all the same spirit as 1.0a, all the parameter names are different),
>> I'm thinking that one would need either parallel endpoints or a proxy of
>> some kind that works almost like that which was proposed here, but on an
>> ongoing basis. 
>> -- Justin
>> On Tue, 2010-05-04 at 13:26 -0400, Marius Scurtescu wrote:
>>> Hi,
>>> I would like to suggest a flow, or endpoint, that is bridging OAuth 1
>>> and OAuth 2. See the attachment.
>>> The OAuth 1 Bridge Flow basically defines an endpoint where you can
>>> place a signed OAuth 1 request and in response you receive a short
>>> lived OAuth 2.0 access token. This flow can be used by clients that
>>> have a long lived OAuth 1.0 access token and want to use a short lived
>>> OAuth 2.0 access token to access protected resources.
>>> Do you have a use case for a flow like this? If not exactly but close,
>>> how can the flow be improved to cover your use case as well?
>>> Feedback more than welcome.
>>> Thanks,
>>> Marius
>> _______________________________________________
>> OAuth mailing list
> _______________________________________________
> OAuth mailing list