Re: [OAUTH-WG] Fwd: Dropping 'realm' parameter

Eran Hammer-Lahav <eran@hueniverse.com> Wed, 24 November 2010 16:36 UTC

From: Eran Hammer-Lahav <eran@hueniverse.com>
To: John Kemp <john@jkemp.net>, "oauth@ietf.org" <oauth@ietf.org>
Date: Wed, 24 Nov 2010 09:37:27 -0700
Message-ID: <90C41DD21FB7C64BB94121FBBC2E72343D4AE3B21B@P3PW5EX1MB01.EX1.SECURESERVER.NET>
References: <90C41DD21FB7C64BB94121FBBC2E72343D4AE3B191@P3PW5EX1MB01.EX1.SECURESERVER.NET> <AANLkTikLnwq4k-jTKXk1FccA_0Aag7Jv=VS-=ZQmLsHF@mail.gmail.com> <AANLkTi=nyt5-uJnit0idfbfm+zjuVFFkf81Bp7-kPea2@mail.gmail.com>
In-Reply-To: <AANLkTi=nyt5-uJnit0idfbfm+zjuVFFkf81Bp7-kPea2@mail.gmail.com>

This description of realm doesn't really fit into the OAuth model, as OAuth challenges are not meant for end users, but for clients. The problem with realm is that the existing experience (i.e. Basic) does not match OAuth. Realm does not improve interop because we can't figure out how to use it properly. Note that 'realm' will still be allowed if someone can figure out a useful way to use it. Currently, if you drop 'realm', nothing happens - that's not a good sign.

EHL

> -----Original Message-----
> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf
> Of John Kemp
> Sent: Wednesday, November 24, 2010 8:23 AM
> To: oauth@ietf.org
> Subject: [OAUTH-WG] Fwd: Dropping 'realm' parameter
> 
> Forgot to reply to all...
> 
> ---------- Forwarded message ----------
> From: John Kemp <john@jkemp.net>
> Date: Wed, Nov 24, 2010 at 11:22 AM
> Subject: Re: [OAUTH-WG] Dropping 'realm' parameter
> To: Eran Hammer-Lahav <eran@hueniverse.com>
> 
> 
> Hi Eran,
> 
> On Wed, Nov 24, 2010 at 2:57 AM, Eran Hammer-Lahav
> <eran@hueniverse.com> wrote:
> > Over the past year we had consensus that the WWW-Authenticate header
> > field 'realm' parameter is both poorly defined and useless in OAuth. Realm
> > does not provide a useful mechanism for the complexity of OAuth tokens
> > and the relationship between the protected resource and authorization
> > server.
> >
> > RFC 2617 language is cryptic at best with regard to when 'realm' is required.
> > HTTPbis has an open issue (#177 [1]) for deciding what to do with 'realm'.
> >
> > Since 'realm' does not provide value for OAuth, and is only adding noise
> > and confusion, I am removing it from -11. I'm passing the ball to the HTTPbis
> > WG to figure out how to deal with it.
> 
> RFC2617 (section 3.2.1 of http://tools.ietf.org/html/rfc2617) says this when
> describing the realm parameter:
> 
>    'A string to be displayed to users so they know which username and
>     password to use. This string should contain at least the name of
>     the host performing the authentication and might additionally
>     indicate the collection of users who might have access. An example
>     might be "registered_users@gotham.news.com".'
> 
> Is it true then that realm provides no value for OAuth? The information
> contained there could be passed to users in some other way of course, if we
> assume that it will be done so by the authz service, and not by the client...
> But probably it would be nice if there was some interop around the display of
> the name of the service which is asking the user to grant access to protected
> resources.
> 
> Regards,
> 
> - John
> 
> >
> > My schedule has been very busy over the past few months and I was
> > unable to complete -11 as planned. I will be publishing -11 this week no
> > matter what shape the draft is in as it now includes many normative changes
> > collected over the past few months.
> >
> > EHL
> >
> > [1] http://trac.tools.ietf.org/wg/httpbis/trac/ticket/177
> >
> > _______________________________________________
> > OAuth mailing list
> > OAuth@ietf.org
> > https://www.ietf.org/mailman/listinfo/oauth
> >
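The claim in the thread that dropping 'realm' from an OAuth challenge changes nothing, while a Basic client depends on it, can be made concrete in code. The following Python is an added example, not code from this thread, from any OAuth draft, or from the HTTPbis work: it parses RFC 2617-style WWW-Authenticate challenges and contrasts a Basic client, which selects credentials by host and realm, with an OAuth-style client whose behaviour is driven only by the error parameter. The scheme name "OAuth", the error values, the credential store and the sample challenges are constructed for illustration and are assumptions, not taken from the specification.

```python
import re
from typing import Dict, Optional, Tuple

# Matches one auth-param: token "=" ( quoted-string | token ), RFC 2617 style.
_PARAM_RE = re.compile(r'([A-Za-z0-9_-]+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s,"]+))')


def parse_challenge(header: str) -> Tuple[str, Dict[str, str]]:
    """Split one WWW-Authenticate challenge into (scheme, params).

    Parameter names are lower-cased; quoted-string values have their
    backslash escapes removed. A bare scheme with no params is accepted.
    """
    scheme, _, rest = header.strip().partition(" ")
    params: Dict[str, str] = {}
    for m in _PARAM_RE.finditer(rest):
        name = m.group(1).lower()
        if m.group(2) is not None:
            value = re.sub(r"\\(.)", r"\1", m.group(2))
        else:
            value = m.group(3)
        params[name] = value
    return scheme, params


# Constructed credential store (not from the thread). Under RFC 2617 a Basic
# client uses the realm to pick which username/password applies on a host.
BASIC_CREDS = {
    ("gotham.news.com", "registered_users@gotham.news.com"): ("alice", "s3cret"),
}


def select_basic_credentials(host: str, challenge: str) -> Optional[Tuple[str, str]]:
    """Basic: realm is load-bearing. Drop it and the lookup no longer matches."""
    scheme, params = parse_challenge(challenge)
    if scheme.lower() != "basic":
        return None
    return BASIC_CREDS.get((host, params.get("realm")))


def oauth_client_reaction(challenge: str) -> str:
    """OAuth-style client: only the error parameter drives behaviour.

    The scheme name "OAuth" and the error values are assumptions for this
    example. realm is parsed and then ignored, which is the thread's point.
    """
    scheme, params = parse_challenge(challenge)
    if scheme.lower() != "oauth":
        return "unsupported_scheme"
    error = params.get("error")
    if error == "invalid_token":
        return "refresh_or_reauthorize"
    if error == "insufficient_scope":
        return "request_more_scope"
    return "retry_with_token"


# Constructed sample challenges for the demonstration.
BASIC_WITH_REALM = 'Basic realm="registered_users@gotham.news.com"'
BASIC_NO_REALM = "Basic"
OAUTH_WITH_REALM = 'OAuth realm="Example Service", error="invalid_token"'
OAUTH_NO_REALM = 'OAuth error="invalid_token"'


def realm_matters(pair: Tuple[str, str], host: str = "gotham.news.com") -> bool:
    """True if removing realm changes the client's decision for this scheme."""
    with_realm, without_realm = pair
    if parse_challenge(with_realm)[0].lower() == "basic":
        return (select_basic_credentials(host, with_realm)
                != select_basic_credentials(host, without_realm))
    return oauth_client_reaction(with_realm) != oauth_client_reaction(without_realm)


if __name__ == "__main__":
    print("Basic:", realm_matters((BASIC_WITH_REALM, BASIC_NO_REALM)))  # True
    print("OAuth:", realm_matters((OAUTH_WITH_REALM, OAUTH_NO_REALM)))  # False
```

The parser keeps the quoted-string handling separate from the policy functions so that the same challenge text can be fed to both clients; the only difference between the two outcomes is whether any decision reads the realm value at all.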