IETF Logo Mail Archive

Re: [OAUTH-WG] Open Issues: Group Survey (respond by 5/13)

"Richer, Justin P." <jricher@mitre.org> Mon, 10 May 2010 13:06 UTC

Return-Path: <jricher@mitre.org>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 463A93A68AB for <oauth@core3.amsl.com>; Mon, 10 May 2010 06:06:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.343
X-Spam-Level:
X-Spam-Status: No, score=-4.343 tagged_above=-999 required=5 tests=[AWL=-0.344, BAYES_50=0.001, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IXjwe2vL95aD for <oauth@core3.amsl.com>; Mon, 10 May 2010 06:06:39 -0700 (PDT)
Received: from smtp-bedford.mitre.org (smtp-bedford.mitre.org [129.83.20.191]) by core3.amsl.com (Postfix) with ESMTP id DD5993A68A0 for <oauth@ietf.org>; Mon, 10 May 2010 06:06:37 -0700 (PDT)
Received: from smtp-bedford.mitre.org (localhost.localdomain [127.0.0.1]) by smtp-bedford.mitre.org (8.13.1/8.13.1) with ESMTP id o4AD6Q9T018915 for <oauth@ietf.org>; Mon, 10 May 2010 09:06:26 -0400
Received: from imchub1.MITRE.ORG (imchub1.mitre.org [129.83.29.73]) by smtp-bedford.mitre.org (8.13.1/8.13.1) with ESMTP id o4AD6Q7x018904; Mon, 10 May 2010 09:06:26 -0400
Received: from IMCMBX3.MITRE.ORG ([129.83.29.206]) by imchub1.MITRE.ORG ([129.83.29.73]) with mapi; Mon, 10 May 2010 09:06:26 -0400
From: "Richer, Justin P." <jricher@mitre.org>
To: Eran Hammer-Lahav <eran@hueniverse.com>, "OAuth WG (oauth@ietf.org)" <oauth@ietf.org>
Date: Mon, 10 May 2010 09:06:25 -0400
Thread-Topic: Open Issues: Group Survey (respond by 5/13)
Thread-Index: Acrvu4cfH3LKPgwRQV+7sW5YxUA1vAAhEOhM
Message-ID: <D24C564ACEAD16459EF2526E1D7D605D0C8D22ED64@IMCMBX3.MITRE.ORG>
References: <90C41DD21FB7C64BB94121FBBC2E72343B3AB46E1C@P3PW5EX1MB01.EX1.SECURESERVER.NET>
In-Reply-To: <90C41DD21FB7C64BB94121FBBC2E72343B3AB46E1C@P3PW5EX1MB01.EX1.SECURESERVER.NET>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Subject: Re: [OAUTH-WG] Open Issues: Group Survey (respond by 5/13)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 10 May 2010 13:06:40 -0000

1. Server Response Format
  A. Form-encoded only (original draft)
  B. JSON only (current draft)
  C. JSON as default with form-encoded and XML available with an optional request parameter

Vote for C, to be specified as: "Server MUST support JSON, form-encoded, and XML. Client MAY request any of the three, specified by a "format" parameter. Server will respond with JSON unless requested otherwise. Generic client libraries SHOULD support all three." Other formats (say, LISP s-expressions or Java Properties File format) can be specified through extensions that define the encoding and the value of the "format" parameter to match. Generation of valid data in these three formats is a much simpler problem than parsing, so I'd wager this isn't much of an imposition on the servers. Personally, I always found the form-encoded response a little strange, though I agree with the notion of "keep it as simple as possible". 




---

2. Client Authentication (in flows)
   A. Client authenticates by sending its credentials using special parameters (current draft)
   B. Client authenticated by using HTTP Basic (or other schemes supported by the server such as Digest)


Option A is absolutely still needed. I agree with Dick that OAuth should be self-contained wherever possible. But that said, I can see value in something like B as well for some deployments. I propose that we actually define a new flow for these cases, but instead of specifying Basic or Digest, we simply say that the client authenticates to the server using some out-of-band authentication method. It expected by the OAuth bits that the AS knows who the client represents by the time the request gets there. However the AS figures that out can effectively be outside the realm of OAuth, which gives us the ability to leverage Basic/Digest or other means (maybe even other OAuth tokens?) to accomplish this.

 -- Justin

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email