Re: [OAUTH-WG] OAuth 1 Bridge Flow

Luke Shepard <lshepard@facebook.com> Fri, 07 May 2010 05:52 UTC

From: Luke Shepard <lshepard@facebook.com>
To: "Foiles, Doug" <Doug_Foiles@intuit.com>
Date: Thu, 06 May 2010 22:43:12 -0700
Cc: Marius, OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] OAuth 1 Bridge Flow

On May 5, 2010, at 7:09 AM, Foiles, Doug wrote:

> I would expect our OAuth 1.0 services to have support for OAuth 1.0 and 2.0 for some period.  I don't think we could expect all our clients to move to OAuth 2.0 at once.  This is an interesting idea that allows clients to be able to cut over to OAuth 2.0 without users having to re-authenticate/authorize.
> 
> Why not just transfer the remaining session lifetime to the new access token (or refresh token if requested)?  I would expect the scope to be transferred as well.  I would want our users to authorize any extended period.
> 

Yeah. Facebook's access tokens are literally just wrapping the old session tokens, so the access token preserves all the original properties. I expect many services that upgrade will likely use a similar approach.
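
A sketch of the wrapping approach discussed in this thread, added here as an illustration; it is not part of the original message and is not Facebook's code. The token format, `SERVER_KEY`, `LEGACY_SESSIONS`, `bridge` and `validate` are all assumptions: the new access token is a signed wrapper around the legacy session, so it inherits the session's expiry and scope and never extends either.

```python
import base64, hashlib, hmac, json, time

SERVER_KEY = b"constructed-demo-key"  # constructed; a real service loads this from a secret store

# Constructed legacy OAuth 1.0 session store, keyed by session identifier.
LEGACY_SESSIONS = {
    "legacy-abc": {"user": "u1", "scope": ["read", "publish"], "expires_at": 2_000_000_000},
}

def _sign(payload: bytes) -> str:
    return hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest()

def bridge(legacy_id, requested_scope=None, now=None):
    """Exchange a live legacy session for an access token that wraps it."""
    now = time.time() if now is None else now
    sess = LEGACY_SESSIONS.get(legacy_id)
    if sess is None or sess["expires_at"] <= now:
        raise PermissionError("legacy session unknown or expired")
    scope = sess["scope"] if requested_scope is None else requested_scope
    # Scope may be narrowed but never widened without a fresh user authorization.
    if not set(scope) <= set(sess["scope"]):
        raise PermissionError("bridge cannot widen scope")
    # Expiry is copied, not reset: only the remaining lifetime carries over.
    claims = {"sid": legacy_id, "user": sess["user"],
              "scope": sorted(scope), "exp": sess["expires_at"]}
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode())
    return body.decode() + "." + _sign(body)

def validate(access_token, now=None):
    """Return the claims of a wrapped token, or raise PermissionError."""
    now = time.time() if now is None else now
    body, _, sig = access_token.partition(".")
    if not hmac.compare_digest(sig, _sign(body.encode())):
        raise PermissionError("bad signature")
    claims = json.loads(base64.urlsafe_b64decode(body))
    sess = LEGACY_SESSIONS.get(claims["sid"])
    # The wrapper is only as valid as the session it wraps, so revoking
    # or expiring the legacy session also invalidates the new token.
    if sess is None or min(claims["exp"], sess["expires_at"]) <= now:
        raise PermissionError("expired or revoked")
    return claims
```
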