Re: [OAUTH-WG] OAuth discovery draft?
Yaron Goland <yarong@microsoft.com> Wed, 23 June 2010 18:00 UTC
Return-Path: <yarong@microsoft.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id B96393A6AED for <oauth@core3.amsl.com>; Wed, 23 Jun 2010 11:00:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.999
X-Spam-Level:
X-Spam-Status: No, score=-7.999 tagged_above=-999 required=5 tests=[BAYES_50=0.001, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7RLIbthUdeIL for <oauth@core3.amsl.com>; Wed, 23 Jun 2010 11:00:17 -0700 (PDT)
Received: from smtp.microsoft.com (mailb.microsoft.com [131.107.115.215]) by core3.amsl.com (Postfix) with ESMTP id 80D853A6AEC for <oauth@ietf.org>; Wed, 23 Jun 2010 11:00:17 -0700 (PDT)
Received: from TK5EX14MLTC101.redmond.corp.microsoft.com (157.54.79.178) by TK5-EXGWY-E802.partners.extranet.microsoft.com (10.251.56.168) with Microsoft SMTP Server (TLS) id 8.2.176.0; Wed, 23 Jun 2010 11:00:24 -0700
Received: from TK5EX14MBXC117.redmond.corp.microsoft.com ([169.254.8.23]) by TK5EX14MLTC101.redmond.corp.microsoft.com ([157.54.79.178]) with mapi id 14.01.0160.007; Wed, 23 Jun 2010 11:00:24 -0700
From: Yaron Goland <yarong@microsoft.com>
To: Eran Hammer-Lahav <eran@hueniverse.com>, "Manger, James H" <James.H.Manger@team.telstra.com>, "OAuth WG (oauth@ietf.org)" <oauth@ietf.org>
Thread-Topic: OAuth discovery draft?
Thread-Index: AQHLEbd88ANnc80E8EanM4mdFaHtZpKN3qcAgAH2zrA=
Date: Wed, 23 Jun 2010 18:00:21 +0000
Message-ID: <7C01E631FF4B654FA1E783F1C0265F8C579C6DC3@TK5EX14MBXC117.redmond.corp.microsoft.com>
References: <90C41DD21FB7C64BB94121FBBC2E72343B3EBB68D9@P3PW5EX1MB01.EX1.SECURESERVER.NET> <255B9BB34FB7D647A506DC292726F6E1126427308C@WSMSG3153V.srv.dir.telstra.com> <90C41DD21FB7C64BB94121FBBC2E72343B3EC83F46@P3PW5EX1MB01.EX1.SECURESERVER.NET>
In-Reply-To: <90C41DD21FB7C64BB94121FBBC2E72343B3EC83F46@P3PW5EX1MB01.EX1.SECURESERVER.NET>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Subject: Re: [OAUTH-WG] OAuth discovery draft?
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 23 Jun 2010 18:00:18 -0000
I've been noodling [1] a lot about full delegation in OAuth [2] and one of the issues that came out of that was the need for discovering both the location and realm of an endpoint's token server. But at least for my use cases (which consist of walking up to a service and making an options request and getting back a www-authenticate header) all I need back is a realm and a token server URL. In other words just having one argument added to our www-authenticate header would be enough to solve the case where someone wants to walk up to a service and find out where its token server is. Does that really need its own spec? Or can we just add an argument to www-authenticate in the current spec? Thanks, Yaron [1] See http://www.goland.org/oauthgenericdelegation/ for an overview of my thinking on full delegation in OAuth. At the very end are links to a bunch of other much more in-depth articles on particular subjects touched on in the main article. [2] I define 'full delegation' as "User X of Service Y grants permission Z to User A of Service B". Currently OAuth requires X == A. In the future I hope to see extensions to OAuth that enable what I'm terming 'full delegation'. But personally I'm really happy that OAuth has the X==A restriction. It simplifies a whole host of issues and satisfies a really important use case. > -----Original Message----- > From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf > Of Eran Hammer-Lahav > Sent: Monday, June 21, 2010 9:50 PM > To: Manger, James H; OAuth WG (oauth@ietf.org) > Subject: Re: [OAUTH-WG] OAuth discovery draft? > > Yes, it's on my desk and not yet ready, but I am working on one. It includes > your sites proposal among other things. I am trying to get the core spec > stable this week and focus on that next. > > EHL > > > -----Original Message----- > > From: Manger, James H [mailto:James.H.Manger@team.telstra.com] > > Sent: Monday, June 21, 2010 8:03 PM > > To: Eran Hammer-Lahav; OAuth WG (oauth@ietf.org) > > Subject: OAuth discovery draft? > > > > Eran, > > > > There have been a few mentions recently of an OAuth discovery draft. > > Is there any such draft yet, or is this just a part that we know needs > > to be done? > > > > The email on "OAuth meeting notes on -05 (with updates)" said: > > > > >> 6.1.1. - describing the WWW-Authenticate response header > > >> > > >> - Discovery needed for various elements > > > > > > Yes. That's for the discovery draft. > > > > > > A wiki page on "Future OpenID Technical Requirements" > > <http://wiki.openid.net/Future-OpenID-Technical-Requirements> says: > > > > > 6) IdP Discovery > > > > > > * Much of this will be covered by OAuth2 Discovery, > > > however OIC may need to define OpenID specific features. > > >… > > > 17) Simpler discovery > > > > > > * See Eran's OAuth Discovery proposal > > > > > > There was an OAuth 1.0 Discovery draft over 2 years ago, but that is tagged: > > "expired", "marked as obsolete by its author", "discouraged from > > implementing", "no update is expected", "replaced by the OAuth 2.0 > effort". > > > > I know I should write a discovery draft myself. > > > > -- > > James Manger > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth
- [OAUTH-WG] OAuth meeting notes on -05 (with updat… Eran Hammer-Lahav
- Re: [OAUTH-WG] OAuth meeting notes on -05 (with u… Torsten Lodderstedt
- Re: [OAUTH-WG] OAuth meeting notes on -05 (with u… Eran Hammer-Lahav
- Re: [OAUTH-WG] OAuth meeting notes on -05 (with u… Torsten Lodderstedt
- [OAUTH-WG] expires_in RE: OAuth meeting notes on … Axel.Nennker
- Re: [OAUTH-WG] expires_in RE: OAuth meeting notes… David Recordon
- Re: [OAUTH-WG] expires_in RE: OAuth meeting notes… Axel.Nennker
- Re: [OAUTH-WG] OAuth meeting notes on -05 (with u… William Mills
- Re: [OAUTH-WG] expires_in RE: OAuth meeting notes… Eran Hammer-Lahav
- Re: [OAUTH-WG] OAuth meeting notes on -05 (with u… Eran Hammer-Lahav
- [OAUTH-WG] OAuth discovery draft? Manger, James H
- Re: [OAUTH-WG] OAuth discovery draft? Eran Hammer-Lahav
- Re: [OAUTH-WG] OAuth discovery draft? Yaron Goland
- Re: [OAUTH-WG] OAuth discovery draft? Eran Hammer-Lahav
- Re: [OAUTH-WG] OAuth discovery draft? Yaron Goland
- Re: [OAUTH-WG] OAuth discovery draft? Thomas Hardjono
- Re: [OAUTH-WG] OAuth meeting notes on -05 (with u… Eran Hammer-Lahav
- Re: [OAUTH-WG] OAuth discovery draft? Yaron Goland
- Re: [OAUTH-WG] OAuth discovery draft? Torsten Lodderstedt
- Re: [OAUTH-WG] OAuth discovery draft? Yaron Goland
- Re: [OAUTH-WG] OAuth discovery draft? William Mills
- Re: [OAUTH-WG] OAuth discovery draft? Yaron Goland
- Re: [OAUTH-WG] OAuth discovery draft? Eran Hammer-Lahav