Re: [OAUTH-WG] Token Access Authentication Scheme Draft
Eran Hammer-Lahav <eran@hueniverse.com> Thu, 04 February 2010 07:42 UTC
Return-Path: <eran@hueniverse.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 697A528C145 for <oauth@core3.amsl.com>; Wed, 3 Feb 2010 23:42:26 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.136
X-Spam-Level:
X-Spam-Status: No, score=-2.136 tagged_above=-999 required=5 tests=[AWL=-0.137, BAYES_00=-2.599, J_CHICKENPOX_45=0.6]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cwmmw53pQrPe for <oauth@core3.amsl.com>; Wed, 3 Feb 2010 23:42:25 -0800 (PST)
Received: from p3plex1out01.prod.phx3.secureserver.net (p3plex1out01.prod.phx3.secureserver.net [72.167.180.17]) by core3.amsl.com (Postfix) with SMTP id 2A75F28C130 for <oauth@ietf.org>; Wed, 3 Feb 2010 23:42:25 -0800 (PST)
Received: (qmail 8185 invoked from network); 4 Feb 2010 07:43:08 -0000
Received: from unknown (HELO smtp.ex1.secureserver.net) (72.167.180.20) by p3plex1out01.prod.phx3.secureserver.net with SMTP; 4 Feb 2010 07:43:08 -0000
Received: from P3PW5EX1MB01.EX1.SECURESERVER.NET ([10.6.135.20]) by P3PW5EX1HT002.EX1.SECURESERVER.NET ([72.167.180.20]) with mapi; Thu, 4 Feb 2010 00:43:00 -0700
From: Eran Hammer-Lahav <eran@hueniverse.com>
To: Dan Winship <dan.winship@gmail.com>
Date: Thu, 04 Feb 2010 00:42:42 -0700
Thread-Topic: [OAUTH-WG] Token Access Authentication Scheme Draft
Thread-Index: Acp4OJTdeQYtySL6T36DU+nkRu6m1gtG8XNg
Message-ID: <90C41DD21FB7C64BB94121FBBC2E723437DFBA2DA8@P3PW5EX1MB01.EX1.SECURESERVER.NET>
References: <90C41DD21FB7C64BB94121FBBC2E7234378529390D@P3PW5EX1MB01.EX1.SECURESERVER.NET> <4B1EA213.2040902@gmail.com>
In-Reply-To: <4B1EA213.2040902@gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: "OAuth WG (oauth@ietf.org)" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Token Access Authentication Scheme Draft
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 04 Feb 2010 07:42:26 -0000
Thanks Dan. > -----Original Message----- > From: Dan Winship [mailto:dan.winship@gmail.com] > Sent: Tuesday, December 08, 2009 11:00 AM > If Token/OAuth is not intended for use with Proxy-Authenticate/Proxy- > Authorization, then you should say that explicitly near the beginning, and if > not, then everywhere you say "WWW-Authenticate" or "Authorization", you > need to allow for the proxy versions as well. (Maybe just by saying > "whenever I say WWW-Authenticate, I mean 'either WWW-Authenticate or > Proxy-Authenticate'.") I'll get to this if this draft ever makes it to the other side. > I know you said you don't care about typos, but "OWF" should be "OWS". > > "rsassa-pkcs1-v1.5-sha-256" is way too long a name. :) Trying to be descriptive. The current RSA-SHA1 means nothing without reading the spec (it might as well be 'R1'). > The grammar for method-list says > > method-list = "method" "=" <"> 1#method-name <"> > > where "1#method-name" in RFC2616 ABNF means a comma-delimited list of > method-name. But the text (4.2) and the example quoted above use a > space-delimited list. (Likewise with coverage-list.) Right. I wanted it to be space-delimited. > The first paragraph of section 5 seems to say that clients MUST include a > Authorization header when requesting a protected resource even if they > don't know that it's protected. :) Changed to 'when making an authenticated request'. > In theory, the information in the Authentication-Error response could just be > included in WWW-Authenticate... I am actually going to try and use Authentication-Info (expending its use beyond Digest and making it applicable for errors, not just success). Keeping this in a separate header makes it easier I think to parse the challenge. No strong feelings here. > If error-message is supposed to be localized then you should allow for the > RFC 2183 grammar (or eventually, the grammar from the RFC that draft- > reschke-rfc2183-in-http becomes). OK. > The "normalized request string" says it includes both the hostname and the > request URI, which would be redundant. Maybe when you say "request > resource URI" you mean just the Request-URI production from the Request- > Line (ie, the path+query), not the actual complete request URI? Yeah, that's what I mean. > You should clarify that. Although if the user is behind a proxy then the > Request-URI will be a complete URI rather than just the path+query. So you > might want to say something like "the path and query components of the > request URI, as they appear in the Request-Line"? The request Request-URI exactly as it appears on HTTP Request-Line as defined by RFC2616> section 5.1.2. > There have been interoperability problems with Digest auth digest > computation because people weren't sure if the quotes around attribute > values were considered part of the value or not when computing the hash. > You should be explicit. We didn't get this one in OAuth 1.0 (plenty of other issues)... seems like an odd thing to fail on. I'll note it. > "Any authentication attribute, with the exception of the "auth", which is > assigned a value (including default values), are added to the normalized > request string as follows" is hard to understand. I think what you mean is > "Any attribute which is present in the Authorization header, with the > exception of "auth", is added to the normalized request string as follows". Ok. > Hm... although 7.1 seems to suggest something else. > I'm not at all sure what attributes are supposed to be included in the > normalized request string now. Fixed. > Would probably be good to have an example of computing the string. If this makes it to the other side, I'll add plenty of examples in the spirit of draft-hammer-oauth. EHL
- [OAUTH-WG] Token Access Authentication Scheme Dra… Eran Hammer-Lahav
- Re: [OAUTH-WG] Token Access Authentication Scheme… Stephen Farrell
- Re: [OAUTH-WG] Token Access Authentication Scheme… Eran Hammer-Lahav
- Re: [OAUTH-WG] Token Access Authentication Scheme… Stephen Farrell
- Re: [OAUTH-WG] Token Access Authentication Scheme… Brian Eaton
- Re: [OAUTH-WG] Token Access Authentication Scheme… Eran Hammer-Lahav
- Re: [OAUTH-WG] Token Access Authentication Scheme… Dan Winship
- Re: [OAUTH-WG] Token Access Authentication Scheme… John Panzer
- Re: [OAUTH-WG] Token Access Authentication Scheme… Brian Eaton
- Re: [OAUTH-WG] Token Access Authentication Scheme… Manger, James H
- Re: [OAUTH-WG] Token Access Authentication Scheme… Eran Hammer-Lahav
- Re: [OAUTH-WG] Token Access Authentication Scheme… Manger, James H
- Re: [OAUTH-WG] Token Access Authentication Scheme… Eran Hammer-Lahav
- Re: [OAUTH-WG] Token Access Authentication Scheme… Eran Hammer-Lahav
- Re: [OAUTH-WG] Token Access Authentication Scheme… Eran Hammer-Lahav
- Re: [OAUTH-WG] Token Access Authentication Scheme… Eran Hammer-Lahav
- Re: [OAUTH-WG] Token Access Authentication Scheme… John Panzer