Re: [OAUTH-WG] draft-ietf-oauth-v2-bearer-08.txt WGLC comments

Mike Jones <Michael.Jones@microsoft.com> Wed, 12 October 2011 14:32 UTC

From: Mike Jones <Michael.Jones@microsoft.com>
To: Julian Reschke <julian.reschke@gmx.de>, "Manger, James H" <James.H.Manger@team.telstra.com>
Date: Wed, 12 Oct 2011 14:32:25 +0000
Message-ID: <4E1F6AAD24975D4BA5B16804296739435C238C90@TK5EX14MBXC284.redmond.corp.microsoft.com>
References: <20110727131700.23436.11568.idtracker@ietfa.amsl.com> <4E1F6AAD24975D4BA5B16804296739434986822D@TK5EX14MBXC202.redmond.corp.microsoft.com> <CAC4RtVBx-WrxbXE-DxvEp3EsE3q6oEcrv9XWxteB11AjPMK3Hg@mail.gmail.com> <255B9BB34FB7D647A506DC292726F6E11289635128@WSMSG3153V.srv.dir.telstra.com> <1314767698.36186.YahooMailNeo@web31808.mail.mud.yahoo.com> <255B9BB34FB7D647A506DC292726F6E1128DB1DE6E@WSMSG3153V.srv.dir.telstra.com> <1318350042.89721.YahooMailNeo@web31810.mail.mud.yahoo.com> <255B9BB34FB7D647A506DC292726F6E1129072392A@WSMSG3153V.srv.dir.telstra.com> <4E955C01.40603@gmx.de>
In-Reply-To: <4E955C01.40603@gmx.de>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] draft-ietf-oauth-v2-bearer-08.txt WGLC comments

Draft 09 allows either b64token or auth-params.  Unless there's a working group consensus that this must change, both syntax options will be supported.

				-- Mike

-----Original Message-----
From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of Julian Reschke
Sent: Wednesday, October 12, 2011 2:21 AM
To: Manger, James H
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] draft-ietf-oauth-v2-bearer-08.txt WGLC comments

On 2011-10-12 02:06, Manger, James H wrote:
>> > 2. The ABNF for <credentials> does not comply with RFC 2617 "HTTP Authentication".
>
>>  So where are we on this? Any progress?
>
> Some progress.
>
> draft-ietf-oauth-v2-bearer-09 defines the "Authorization: Bearer ..."
> request header to match draft-ietf-httpbis-p7-auth. It uses <b64token> 
> for the access token.
>
> The spec is not quite right as it also includes a comma-separated list 
> of name=value pairs <#auth-param> as another option for the header, 
> without any hint about how this works for the Bearer scheme.
>
> Still to do:
>
> Change
>
> credentials = "Bearer" 1*SP ( b64token / #auth-param )
>
> to
>
> credentials = "Bearer" 1*SP b64token
> ...

I'd like to point out that we added b64token in HTTPbis in order to grandfather Basic and Digest; it's really not designed for new schemes.

<http://greenbytes.de/tech/webdav/draft-ietf-httpbis-p7-auth-16.html#rfc.section.2.3.1>
says:

"The "b64token" notation was introduced for compatibility with existing authentication schemes and can only be used once per challenge/credentials. New schemes thus ought to use the "auth-param" syntax instead, because otherwise future extensions will be impossible."

So be aware that by choosing b64token, you are closing the door for any kind of extensibility here. (Note that this isn't a matter of taste, but directly follows from syntax requirements for parsing the header field)

Best regards, Julian
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
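The syntax question in this thread is easiest to see with a parser in hand. The following is an added example, not code from the draft, from HTTPbis, or from any participant in the thread. It implements the draft-09 rule quoted above, `credentials = "Bearer" 1*SP ( b64token / #auth-param )`, with `b64token`, `token` and `quoted-string` taken from draft-ietf-httpbis-p7-auth (`b64token = 1*( ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/" ) *"="`, `auth-param = token "=" ( token / quoted-string )`). The function and helper names are this example's own, and the header values fed to it are constructed for illustration.

```python
"""Parser for the draft-ietf-oauth-v2-bearer-09 credentials syntax.

    credentials = "Bearer" 1*SP ( b64token / #auth-param )

Added example; the names below are this example's own, not the draft's.
"""
import re

# tchar from HTTPbis p1: "!" / "#" / "$" / "%" / "&" / "'" / "*" / "+" / "-"
#                         / "." / "^" / "_" / "`" / "|" / "~" / DIGIT / ALPHA
TCHAR = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]"
TOKEN = rf"{TCHAR}+"
QUOTED_STRING = r'"(?:[^"\\]|\\.)*"'
# b64token: base64-ish run, with "=" permitted only as trailing padding.
B64TOKEN_RE = re.compile(r"^[A-Za-z0-9\-._~+/]+=*$")
# auth-param = token "=" ( token / quoted-string ), whitespace around "=" tolerated.
AUTH_PARAM_RE = re.compile(rf"^\s*({TOKEN})\s*=\s*({TOKEN}|{QUOTED_STRING})\s*$")


def parse_b64token(s):
    """Return s if it is a single b64token, else None."""
    return s if B64TOKEN_RE.match(s) else None


def split_list(s):
    """Split a #rule list on commas that are not inside a quoted-string."""
    parts, buf, in_quote, escaped = [], [], False, False
    for ch in s:
        if in_quote:
            buf.append(ch)
            if escaped:
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_quote = False
        elif ch == '"':
            in_quote = True
            buf.append(ch)
        elif ch == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return parts


def parse_auth_params(s):
    """Parse #auth-param into a dict, or None if any element is malformed."""
    params = {}
    for elem in split_list(s):
        if not elem.strip():          # the #rule permits empty list elements
            continue
        m = AUTH_PARAM_RE.match(elem)
        if not m:
            return None
        name, value = m.group(1).lower(), m.group(2)
        if value.startswith('"'):     # unescape quoted-string
            value = re.sub(r"\\(.)", r"\1", value[1:-1])
        if name in params:            # reject duplicate parameter names
            return None
        params[name] = value
    return params or None


def parse_bearer_credentials(header_value):
    """Parse an Authorization field value.

    Returns ("b64token", token), ("auth-params", {name: value}) or None.
    The scheme name is matched case-insensitively, as HTTPbis requires.
    """
    m = re.match(r"^Bearer +(.+)$", header_value.strip(), re.IGNORECASE)
    if not m:
        return None
    rest = m.group(1)
    token = parse_b64token(rest)
    if token is not None:
        return ("b64token", token)
    params = parse_auth_params(rest)
    if params is not None:
        return ("auth-params", params)
    return None


if __name__ == "__main__":
    # Constructed inputs, not taken from any real exchange.
    for value in ("Bearer vF9dft4qmT",
                  "Bearer YWJjZA==",
                  'Bearer access_token=mF_9.B5f-4.1JqM, scope="read write"',
                  "Bearer mF_9.B5f-4.1JqM, scope=read"):
        print(repr(value), "->", parse_bearer_credentials(value))
```

The last constructed input is the case Julian's message is about: a b64token cannot be followed by parameters, because the grammar is an either/or, so `Bearer <token>, scope=read` matches neither branch and is rejected. A scheme that wants parameters alongside the token has to put the token itself in an auth-param (`access_token=...`) from the start; it cannot switch later, since existing b64token values such as `YWJjZA==` or anything containing `/` are not valid `token`s and so cannot be re-read as auth-params.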