Re: [OAUTH-WG] consistency of token param name in bearer token type
David Recordon <recordond@gmail.com> Wed, 15 June 2011 01:30 UTC
Return-Path: <recordond@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BE68A1F0C55 for <oauth@ietfa.amsl.com>; Tue, 14 Jun 2011 18:30:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.599
X-Spam-Level:
X-Spam-Status: No, score=-3.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5LAWAtlhH7q7 for <oauth@ietfa.amsl.com>; Tue, 14 Jun 2011 18:30:17 -0700 (PDT)
Received: from mail-vw0-f44.google.com (mail-vw0-f44.google.com [209.85.212.44]) by ietfa.amsl.com (Postfix) with ESMTP id 4A3911F0C52 for <oauth@ietf.org>; Tue, 14 Jun 2011 18:30:17 -0700 (PDT)
Received: by vws12 with SMTP id 12so7118352vws.31 for <oauth@ietf.org>; Tue, 14 Jun 2011 18:30:15 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type :content-transfer-encoding; bh=VFSHc25xSxLi2wfOAokOvt8CFoEFa37BElS20xieur8=; b=Eo59xz5Q1pb37BViD+jvVhk8KJQZynxig/jSMETsxmMe80N3QnYPYQEt/o2yU9ZoU7 drUh1IBAvx3R0EZj+s2Zwm3Y2r64OW59yrMxEIjim57OgGCI6dJXt9Z0hHuwK5wJfoHy rtlHiX9QUDQOOshxgjd9J6lSYkcEaMVkc/eAI=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; b=fTX/hWSA/tqeTDSop6QUG4Dl7z6kQ6h9YA6Uf2uK8/2WP7+vxGDfmYoNMg4IWDODIX S8nW3yiC3bHth+EB5Vf3xduSn88+4ysNkbOze9XmituCR2LDMrQPScHH8jDC7e4OOPXt yTrz6lcBkvt4ghuDwjb169lr/ne/5xpYOh0zE=
MIME-Version: 1.0
Received: by 10.52.101.195 with SMTP id fi3mr741906vdb.156.1308101415276; Tue, 14 Jun 2011 18:30:15 -0700 (PDT)
Received: by 10.52.162.195 with HTTP; Tue, 14 Jun 2011 18:30:15 -0700 (PDT)
In-Reply-To: <4DF77A50.8080403@dehora.net>
References: <BANLkTim1VRggQ8W-7WHVcXboOaPr-RcN_A@mail.gmail.com> <4E1F6AAD24975D4BA5B1680429673943380F6A46@TK5EX14MBXC203.redmond.corp.microsoft.com> <BANLkTimQkzW7r-GV7cu67W4Doo7q9JZLnw@mail.gmail.com> <4DE541B5.6080605@aol.com> <BANLkTikMp-=EO9jwdyGFm8=COr_MsSEjbw@mail.gmail.com> <4E1F6AAD24975D4BA5B16804296739433810E906@TK5EX14MBXC203.redmond.corp.microsoft.com> <BANLkTim9Rr3eCM=aLoub+NfPX4QQ6=F3vw@mail.gmail.com> <BANLkTikmLCe5Ztsu3qrw_TasmyN5Gya47Q@mail.gmail.com> <4DF206E7.3040401@aol.com> <90662920-6576-4DA7-B6B6-80C83FDB1E15@jkemp.net> <4DF21800.9090302@aol.com> <133A769C-7B4F-4C36-BDCC-E1D4CAB8D256@jkemp.net> <BANLkTinjOkG+G56sN0qdOvRr6v5NboK=hA@mail.gmail.com> <4DF77A50.8080403@dehora.net>
Date: Tue, 14 Jun 2011 18:30:15 -0700
Message-ID: <BANLkTi=J_a=Z9HPA=_JKWHSgg09Ky7OyxQ@mail.gmail.com>
From: David Recordon <recordond@gmail.com>
To: Bill <bill@dehora.net>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: quoted-printable
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] consistency of token param name in bearer token type
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 15 Jun 2011 01:30:18 -0000
Bearer token doesn't exist within the core spec around getting an access token. The term that is used is "access token". On Tue, Jun 14, 2011 at 8:12 AM, Bill <bill@dehora.net> wrote: > On 10/06/11 17:45, David Recordon wrote: >> >> I think it's vital to have the GET and POST parameters make sense to >> every developer. I worry less about the authorization header since a >> developer implementing it will honestly be a stronger engineer. > > I agree with David regardless of engineering strength, this is going to be > confusing to developers. Also tho', devs are exposed to the access token > response, not just the GET/POST bits. So ideally syntax would line up with > how the token is obtained > http://tools.ietf.org/html/draft-ietf-oauth-v2-16#section-5.1 and not just > across requests using the token. > > A possible clarifying change is to use something like "bearer_token" end to > end. > > [[[ > { > "access_token":"vF9dft4qmT", > "token_type":"bearer_token", /* ? */ > ... > } > > > GET /resource HTTP/1.1 > Host: server.example.com > Authorization: bearer_token vF9dft4qmT > > > GET /resource?bearer_token=vF9dft4qmT&... > Host: server.example.com > > > POST /resource > Host: server.example.com > Content-Type: application/x-www-form-urlencoded > > &bearer_token=vF9dft4qmT&... > > > HTTP/1.1 401 Unauthorized > WWW-Authenticate: bearer_token realm="example" > ]]] > > > Bill > > >> Here's what I said earlier in the thread about my motivation: >>> >>> Did a full read through of draft 16 and the bear token spec with Paul >>> yesterday afternoon in order to do a manual diff from draft 10. The >>> point Doug raised was actually confusing. Throughout the core spec >>> it's referred to as access_token but then becomes bearer_token upon >>> use. >>> >>> Just thinking through this from a developer documentation perspective, >>> it's going to become confusing. Developer documentation focuses on >>> getting an access token and then using that access token to interact >>> with an API. Thus the code you're writing as a client developer will >>> use variables, cache keys, and database columns named `access_token`. >>> But then when you're going to use it, you'll need to put this access >>> token into a field named bearer_token. >>> >>> Feels quite a bit simpler to just name it access_token. Realize the >>> core spec never did this since we didn't want to trample on protected >>> resources which might already have a different type of access_token >>> parameter. oauth_token was a good compromise since developers would >>> already know that they were using OAuth and thus a new term wasn't >>> being introduced. That's no longer true with bearer_token since 99% of >>> developers will have never heard of a bearer token. >>> >>> Googling for "bearer token" turns up Eran's blog post titled "OAuth >>> Bearer Tokens are a Terrible Idea" and there isn't a single result on >>> the first page which explains what they are. Binging for "bearer >>> token" is equally scary. >> >> --David >> >> >> On Fri, Jun 10, 2011 at 9:34 AM, John Kemp<john@jkemp.net> wrote: >>> >>> George, >>> >>> On Jun 10, 2011, at 4:11 PM, George Fletcher wrote: >>> >>>> I definitely don't want to change the Authorization header naming >>>> scheme. I believe it should stay 'Bearer' because that's what the token is. >>>> We could make it... >>>> >>>> Authorization: Bearer access_token=vF9dft4qmT >>>> >>>> If that helps with consistency. >>> >>> Well, it might seem more consistent, but I'm not sure it's worthwhile to >>> make the change just for that reason. >>> >>> Is it possible that the Bearer HTTP mechanism would ever take multiple >>> parameters? In which case, having the ability to name the parameters of the >>> Bearer mechanism might become more interesting. >>> >>> - John >>> >>>> I don't think we should be associating the term 'access_token' with the >>>> bearer security mechanism. >>>> >>>> Thanks, >>>> George >>>> >>>> On 6/10/11 8:35 AM, John Kemp wrote: >>>>> >>>>> What does this mean for the HTTP Authorization header naming scheme for >>>>> bearer tokens? >>>>> >>>>> As I understand this decision, we are discussing whether to standardize >>>>> on the name "access_token" when a bearer token is sent as either a URL query >>>>> parameter, or in a form POSTed body? >>>>> >>>>> Currently the HTTP Authorization header looks like this (from >>>>> http://tools.ietf.org/html/draft-ietf-oauth-v2-bearer-05 >>>>> ): >>>>> >>>>> GET /resource HTTP/1.1 >>>>> Host: server.example.com >>>>> Authorization: Bearer vF9dft4qmT >>>>> >>>>> Is the proposal then that we have: >>>>> >>>>> 1. GET /resource?access_token=vF9dft4qmT >>>>> 2. POST /resource >>>>> >>>>> access_token=vF9dft4qmT&... >>>>> >>>>> 3. >>>>> >>>>> GET /resource HTTP/1.1 >>>>> Host: server.example.com >>>>> Authorization: access_token vF9dft4qmT >>>>> >>>>> Can someone actually give the details of the proposal, or >>>>> agree/disagree with the examples above? >>>>> >>>>> - John >>>>> >>>>> On Jun 10, 2011, at 2:58 PM, George Fletcher wrote: >>>>> >>>>> >>>>>> Yes, that's fine with me. >>>>>> >>>>>> Thanks, >>>>>> George >>>>>> >>>>>> On 6/10/11 4:20 AM, David Recordon wrote: >>>>>> >>>>>>> George, Doug and Eran are you alright with the Bearer token spec >>>>>>> using >>>>>>> the parameter name "access_token" as well? >>>>>>> >>>>>>> >>>>>>> On Wed, Jun 8, 2011 at 4:50 PM, Marius Scurtescu >>>>>>> >>>>>>> <mscurtescu@google.com> >>>>>>> >>>>>>> wrote: >>>>>>> >>>>>>> >>>>>>>> On Wed, Jun 1, 2011 at 1:14 PM, Mike >>>>>>>> Jones<Michael.Jones@microsoft.com> >>>>>>>> >>>>>>>> wrote: >>>>>>>> >>>>>>>> >>>>>>>>> If you can drive a consensus decision for the name "access_token", >>>>>>>>> I'd be glad to change the name in the spec. I agree that the current names >>>>>>>>> are confusing for developers. >>>>>>>>> >>>>>>>>> >>>>>>>> At Google we are getting the same feedback, that it is confusing for >>>>>>>> developers. It would definitely help if we could change the name to >>>>>>>> "access_token". >>>>>>>> >>>>>>>> Marius >>>>>>>> >>>>>>>> >>>>>>>> >>>>>> _______________________________________________ >>>>>> OAuth mailing list >>>>>> >>>>>> OAuth@ietf.org >>>>>> https://www.ietf.org/mailman/listinfo/oauth >>>> >>> >>> >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org >> https://www.ietf.org/mailman/listinfo/oauth >> > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth >
- [OAUTH-WG] consistency of token param name in bea… Doug Tangren
- Re: [OAUTH-WG] consistency of token param name in… Eran Hammer-Lahav
- Re: [OAUTH-WG] consistency of token param name in… Mike Jones
- Re: [OAUTH-WG] consistency of token param name in… David Recordon
- Re: [OAUTH-WG] consistency of token param name in… Doug Tangren
- Re: [OAUTH-WG] consistency of token param name in… David Recordon
- Re: [OAUTH-WG] consistency of token param name in… William J. Mills
- Re: [OAUTH-WG] consistency of token param name in… George Fletcher
- Re: [OAUTH-WG] consistency of token param name in… David Recordon
- Re: [OAUTH-WG] consistency of token param name in… Mike Jones
- Re: [OAUTH-WG] consistency of token param name in… Justin Richer
- Re: [OAUTH-WG] consistency of token param name in… Doug Tangren
- Re: [OAUTH-WG] consistency of token param name in… Marius Scurtescu
- Re: [OAUTH-WG] consistency of token param name in… David Recordon
- Re: [OAUTH-WG] consistency of token param name in… George Fletcher
- Re: [OAUTH-WG] consistency of token param name in… John Kemp
- Re: [OAUTH-WG] consistency of token param name in… George Fletcher
- Re: [OAUTH-WG] consistency of token param name in… George Fletcher
- Re: [OAUTH-WG] consistency of token param name in… John Kemp
- Re: [OAUTH-WG] consistency of token param name in… Eran Hammer-Lahav
- Re: [OAUTH-WG] consistency of token param name in… David Recordon
- Re: [OAUTH-WG] consistency of token param name in… Marius Scurtescu
- Re: [OAUTH-WG] consistency of token param name in… Eran Hammer-Lahav
- Re: [OAUTH-WG] consistency of token param name in… Stephen Farrell
- Re: [OAUTH-WG] consistency of token param name in… Eran Hammer-Lahav
- Re: [OAUTH-WG] consistency of token param name in… Bill
- Re: [OAUTH-WG] consistency of token param name in… David Recordon
- Re: [OAUTH-WG] consistency of token param name in… Bill
- Re: [OAUTH-WG] consistency of token param name in… Eran Hammer-Lahav
- Re: [OAUTH-WG] consistency of token param name in… John Bradley
- Re: [OAUTH-WG] consistency of token param name in… William J. Mills
- Re: [OAUTH-WG] consistency of token param name in… Lodderstedt, Torsten
- Re: [OAUTH-WG] consistency of token param name in… KIHARA, Boku
- Re: [OAUTH-WG] consistency of token param name in… Doug Tangren
- Re: [OAUTH-WG] consistency of token param name in… Justin Richer
- Re: [OAUTH-WG] consistency of token param name in… Eran Hammer-Lahav
- Re: [OAUTH-WG] consistency of token param name in… Eran Hammer-Lahav
- Re: [OAUTH-WG] consistency of token param name in… Torsten Lodderstedt
- Re: [OAUTH-WG] consistency of token param name in… Manger, James H