[OAUTH-WG] Facebook access_token vs OAuth 2.0 spec oauth_token inconsistency

Pelle Braendgaard <pelle@stakeventures.com> Thu, 29 April 2010 15:25 UTC

Just working on adding OAuth 2.0 support to the Ruby OAuth Plugin and
I noticed that the Facebook documentation says to use the
access_token parameter like this:

  https://graph.facebook.com/me?access_token=...
(http://developers.facebook.com/docs/authentication/)

But in the specs it specifies that it should use the oauth_token
parameter (http://tools.ietf.org/html/draft-hammer-oauth2-00#section-5.2.1):

   When including the access token in the HTTP request URI, the client
   adds the access token to the request URI query component as defined
   by [RFC3986] using the "oauth_token" parameter.

   For example, the client makes the following HTTPS request:

     GET /resource?oauth_token=vF9dft4qmT HTTP/1.1
     Host: server.example.com

Does anyone know what the deal is? Will Facebook also support
oauth_token or will we have to support both types?

P

-- 
http://agree2.com - Reach Agreement!
http://extraeagle.com - Solutions for the electronic Extra Legal world
http://stakeventures.com - Bootstrapping blog
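
The following is an added example, not part of the original message and not code from the Ruby OAuth Plugin. It sketches one way a library could handle both parameter names from the message above: the client picks the name per provider, and the resource server accepts either name but rejects a request that carries more than one token. The method names and the `param:` option are hypothetical.

```ruby
require "uri"

# Parameter names seen in the message: "oauth_token" (draft-hammer-oauth2-00,
# section 5.2.1) and "access_token" (Facebook documentation).
TOKEN_PARAMS = %w[oauth_token access_token].freeze

class AmbiguousTokenError < StandardError; end

# Client side: append the token under the name the provider expects.
# `param` is a hypothetical per-provider setting, not a real plugin option.
def resource_uri(base, token, param: "oauth_token")
  raise ArgumentError, "unknown token parameter #{param}" unless TOKEN_PARAMS.include?(param)
  uri = URI.parse(base)
  # The draft's example is an HTTPS request; refuse to put a token in a cleartext URI.
  raise ArgumentError, "access tokens in a URI require https" unless uri.scheme == "https"
  # Drop any token parameter already present so only one is ever sent.
  pairs = URI.decode_www_form(uri.query.to_s).reject { |k, _| TOKEN_PARAMS.include?(k) }
  uri.query = URI.encode_www_form(pairs + [[param, token]])
  uri.to_s
end

# Server side: accept either name, but refuse a request that carries more
# than one token value, so two components can never disagree on which wins.
def token_from_query(request_uri)
  query = URI.parse(request_uri).query.to_s
  values = URI.decode_www_form(query)
              .select { |k, _| TOKEN_PARAMS.include?(k) }
              .map { |_, v| v }
  raise AmbiguousTokenError, "multiple access token parameters" if values.length > 1
  token = values.first
  token.nil? || token.empty? ? nil : token
end
```
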