Re: [OAUTH-WG] OAuth2 scheme
"William J. Mills" <wmills@yahoo-inc.com> Fri, 08 April 2011 01:59 UTC
Return-Path: <wmills@yahoo-inc.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id E43723A6834 for <oauth@core3.amsl.com>; Thu, 7 Apr 2011 18:59:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -17.598
X-Spam-Level:
X-Spam-Status: No, score=-17.598 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, USER_IN_DEF_WHITELIST=-15]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zxkq4maBgJ6K for <oauth@core3.amsl.com>; Thu, 7 Apr 2011 18:59:11 -0700 (PDT)
Received: from web32303.mail.mud.yahoo.com (web32303.mail.mud.yahoo.com [68.142.207.151]) by core3.amsl.com (Postfix) with SMTP id 6715E3A6824 for <oauth@ietf.org>; Thu, 7 Apr 2011 18:59:11 -0700 (PDT)
Received: (qmail 31319 invoked by uid 60001); 8 Apr 2011 02:00:53 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo-inc.com; s=ginc1024; t=1302228053; bh=Pf0PeH4aciEkSiOcuu1hi+HvSLhuFmbMx3ZoEmAYqLI=; h=Message-ID:X-YMail-OSG:Received:X-RocketYMMF:X-Mailer:References:Date:From:Reply-To:Subject:To:In-Reply-To:MIME-Version:Content-Type; b=SfxH6hwiJwe25qhU4i0F19seeWJJxaOWTdlLR1k5TqjWH8kPbOQwFDkwFilqp6ffxhXcshWsi2oJEwEczGXRE+hhNpLicbs4K7moRlD8aCm8u6AnFTEMVD+oiIeqz+7jDZVsBLS3lV/9EriYOL4N1AlinbKIOmPr+vjo20yaRbY=
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=ginc1024; d=yahoo-inc.com; h=Message-ID:X-YMail-OSG:Received:X-RocketYMMF:X-Mailer:References:Date:From:Reply-To:Subject:To:In-Reply-To:MIME-Version:Content-Type; b=gHdKRdhGZY4ex2lrFhfUbWz9rSwSYJl7U57ep26jCcLsZsn3b+2tN9sWeTrzJ2x2ARVw+yxjJVo8YPO4n8UDv0aSSniVo6CARMJ65LZy8kHi9f4thpM79fE8AIvokd+u7EKL8k4Pp5y8zx5/6QY6wI0LMYbwL04bAdFOlsNKCGY=;
Message-ID: <249220.24403.qm@web32303.mail.mud.yahoo.com>
X-YMail-OSG: lLUTu5wVM1k96dv4qSQ5RVrt2qyYnH1vL1epvIT_4WHN3Kd XebprT.XcJZt15eo4Z9ReiBH43IyuK.LisML9zVmvkPJ6JOwSqTVNR3E_ccU QJ_EB2gH3_oELvNgKRn.qYxxuhgAFzBhdW5Yf7vSkcm0gwIvFZKvsZoVomZ5 o6mXLUW87k38D2QVbHlXpjq8XWA0wg1p5Qsl2DZmJRoLoFJ_bvKZadG0sq9Y YdenVPS7bRYVoOJpqc34gYZTFA240VAvfzTXaqjjQuVJW5HsxuFjeGk9ZXp4 apMXQ5cDvvwYQWrOnVGsK0M09wsJatJ1e3rZji1nPusnJBoH67.WDgwM2GJ9 OYKnkGQ1_v.w1kkRBGx7a7LWJ2ct5y.XqTscl6gOm
Received: from [216.145.52.206] by web32303.mail.mud.yahoo.com via HTTP; Thu, 07 Apr 2011 19:00:53 PDT
X-RocketYMMF: william_john_mills
X-Mailer: YahooMailWebService/0.8.110.299900
References: <90C41DD21FB7C64BB94121FBBC2E7234465664E11D@P3PW5EX1MB01.EX1.SECURESERVER.NET> <255B9BB34FB7D647A506DC292726F6E11281CAB8DB@WSMSG3153V.srv.dir.telstra.com>
Date: Thu, 07 Apr 2011 19:00:53 -0700
From: "William J. Mills" <wmills@yahoo-inc.com>
To: "Manger, James H" <James.H.Manger@team.telstra.com>, OAuth WG <oauth@ietf.org>
In-Reply-To: <255B9BB34FB7D647A506DC292726F6E11281CAB8DB@WSMSG3153V.srv.dir.telstra.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="0-978235021-1302228053=:24403"
Subject: Re: [OAUTH-WG] OAuth2 scheme
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: "William J. Mills" <wmills@yahoo-inc.com>
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 08 Apr 2011 01:59:15 -0000
In the SASL mechanism draft spec where we went with that is to use LINK headers. See http://tools.ietf.org/html/draft-mills-kitten-sasl-oauth-01 if you want to take a look. WWW-Authenticate headers return the supported authentication schemes and LINK headers tell you there are OAuth endpoints you can interact with. It's a swag at discovery in band, might work here too. ________________________________ From: "Manger, James H" <James.H.Manger@team.telstra.com> To: OAuth WG <oauth@ietf.org> Sent: Thursday, April 7, 2011 6:48 PM Subject: Re: [OAUTH-WG] OAuth2 scheme We should define a “WWW-Authenticate: OAuth2 …” response header – not to encompass the MAC, Bearer, and any other generic HTTP authentication scheme, but as a way for a server to tell the client that it can perform an OAuth2 get-a-token flow to gain access. When the sort of OAuth2 flow depends on the error with a current token (eg expired vs invalid) then the “WWW-Authenticate: OAuth2 …” response header needs to reflect this. It could do so be including an error code. A better, more direct, approach is to explicitly identify “refresh flow” and/or “user-delegation flow” and/or “assertion flow” etc. Bearer or OAuth2 WWW-Authenticate response header? The rule should be: #1. If the client can fix an error by sending an “Authorization: Bearer …” request header (or the query or POST alternative) then the server should return “WWW-Authenticate: Bearer …”. #2. If the client can fix an error by performing an OAuth2 flow at an authorization server then the resource server should return “WWW-Authenticate: OAuth2 …”. The server can return both response headers if both options are possible. There is no point in re-presenting a rejected Bearer token so #1 isn’t that useful. It could be appropriate if no token was presented as the client might have a token, but didn’t know this resource needed it. It might be appropriate if a client presented a token with insufficient scope as the client might have another token with the right scope so “WWW-Authenticate: Bearer scope=…” could help. #1 is not really necessary when a presented token is invalid or expired as the client needs to get a new one (eg using an OAuth2 flow that is outside the scope of the Bearer scheme). I don’t think an error code in a “WWW-Authenticate: Bearer …” response helps a client retry the request with a “Authorization: Bearer …” header that will work. An error code might help a client choose the right OAuth2 flow (eg refresh vs new user-delegation) so it might have a place in #2, a “WWW-Authenticate: OAuth2 …” response header. Eran said to Mike: > Alternatively, if you have use cases or requirements for introducing just the WWW-Authenticate side of an OAuth2 authorization scheme (your open issue), which includes an ‘error’ attribute for use with the proposed registry, please present those and explain how it will work alongside the Bearer and MAC schemes (as currently drafted). The “discovery” use-case in this email warrants the WWW-Authenticate side of an OAuth2 scheme. An error attribute (plus a registry) might help, but we need the rest of the details of the response header first. It works well alongside Bearer and MAC schemes: a “WWW-Auth.: OAuth2” response points to OAuth2 flows the client can try; a “WWW-Auth.: MAC/Bearer” response points to retrying a request with “Authz: MAC/Bearer”. Even when a client is given multiple options it will know which to choose based on its context (eg if it doesn’t have another Bearer token it will ignore the “WWW-Auth: Bearer” response and follow the “WWW-Auth: OAuth2” response). -- James Manger _______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
- [OAUTH-WG] OAuth2 scheme (was Error registry prop… Eran Hammer-Lahav
- Re: [OAUTH-WG] OAuth2 scheme Manger, James H
- Re: [OAUTH-WG] OAuth2 scheme William J. Mills
- Re: [OAUTH-WG] OAuth2 scheme Eran Hammer-Lahav
- Re: [OAUTH-WG] OAuth2 scheme Eran Hammer-Lahav
- Re: [OAUTH-WG] OAuth2 scheme Manger, James H
- Re: [OAUTH-WG] OAuth2 scheme William J. Mills
- Re: [OAUTH-WG] OAuth2 scheme Manger, James H
- Re: [OAUTH-WG] OAuth2 scheme Eran Hammer-Lahav
- Re: [OAUTH-WG] OAuth2 scheme Manger, James H