IETF Logo Mail Archive

Re: [OAUTH-WG] Mandatory-to-implement token type

Anthony Nadalin <tonynad@microsoft.com> Sun, 04 December 2011 09:36 UTC

Return-Path: <tonynad@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C0C8821F845F for <oauth@ietfa.amsl.com>; Sun, 4 Dec 2011 01:36:57 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.467
X-Spam-Level:
X-Spam-Status: No, score=-3.467 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, UNRESOLVED_TEMPLATE=3.132]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kh2DLi265hh8 for <oauth@ietfa.amsl.com>; Sun, 4 Dec 2011 01:36:57 -0800 (PST)
Received: from TX2EHSOBE002.bigfish.com (tx2ehsobe001.messaging.microsoft.com [65.55.88.11]) by ietfa.amsl.com (Postfix) with ESMTP id C0B9621F8468 for <oauth@ietf.org>; Sun, 4 Dec 2011 01:36:56 -0800 (PST)
Received: from mail157-tx2-R.bigfish.com (10.9.14.236) by TX2EHSOBE002.bigfish.com (10.9.40.22) with Microsoft SMTP Server id 14.1.225.23; Sun, 4 Dec 2011 09:36:53 +0000
Received: from mail157-tx2 (localhost [127.0.0.1]) by mail157-tx2-R.bigfish.com (Postfix) with ESMTP id 4E97A4C0534 for <oauth@ietf.org>; Sun, 4 Dec 2011 09:36:53 +0000 (UTC)
X-SpamScore: -47
X-BigFish: VS-47(zzbb2dK9371K542Mdf9M1432N1418M98dKzz1202h1082kzz1033IL8275dhz2fh2a8h683h839h61h)
X-Spam-TCS-SCL: 0:0
X-Forefront-Antispam-Report: CIP:131.107.125.8; KIP:(null); UIP:(null); IPV:NLI; H:TK5EX14HUBC103.redmond.corp.microsoft.com; RD:none; EFVD:NLI
Received-SPF: pass (mail157-tx2: domain of microsoft.com designates 131.107.125.8 as permitted sender) client-ip=131.107.125.8; envelope-from=tonynad@microsoft.com; helo=TK5EX14HUBC103.redmond.corp.microsoft.com ; icrosoft.com ;
Received: from mail157-tx2 (localhost.localdomain [127.0.0.1]) by mail157-tx2 (MessageSwitch) id 132299141335044_3818; Sun, 4 Dec 2011 09:36:53 +0000 (UTC)
Received: from TX2EHSMHS004.bigfish.com (unknown [10.9.14.253]) by mail157-tx2.bigfish.com (Postfix) with ESMTP id ECFF732022B for <oauth@ietf.org>; Sun, 4 Dec 2011 09:36:52 +0000 (UTC)
Received: from TK5EX14HUBC103.redmond.corp.microsoft.com (131.107.125.8) by TX2EHSMHS004.bigfish.com (10.9.99.104) with Microsoft SMTP Server (TLS) id 14.1.225.22; Sun, 4 Dec 2011 09:36:53 +0000
Received: from AM1EHSOBE001.bigfish.com (157.54.51.112) by mail.microsoft.com (157.54.86.9) with Microsoft SMTP Server (TLS) id 14.2.247.5; Sun, 4 Dec 2011 01:36:49 -0800
Received: from mail69-am1-R.bigfish.com (10.3.201.250) by AM1EHSOBE001.bigfish.com (10.3.204.21) with Microsoft SMTP Server id 14.1.225.23; Sun, 4 Dec 2011 09:36:50 +0000
Received: from mail69-am1 (localhost [127.0.0.1]) by mail69-am1-R.bigfish.com (Postfix) with ESMTP id A43CE6C0423 for <oauth@ietf.org.FOPE.CONNECTOR.OVERRIDE>; Sun, 4 Dec 2011 09:36:49 +0000 (UTC)
Received: from mail69-am1 (localhost.localdomain [127.0.0.1]) by mail69-am1 (MessageSwitch) id 1322991409404092_19957; Sun, 4 Dec 2011 09:36:49 +0000 (UTC)
Received: from AM1EHSMHS008.bigfish.com (unknown [10.3.201.248]) by mail69-am1.bigfish.com (Postfix) with ESMTP id 55B96140043; Sun, 4 Dec 2011 09:36:49 +0000 (UTC)
Received: from BL2PRD0310HT001.namprd03.prod.outlook.com (157.56.240.21) by AM1EHSMHS008.bigfish.com (10.3.207.108) with Microsoft SMTP Server (TLS) id 14.1.225.23; Sun, 4 Dec 2011 09:36:49 +0000
Received: from BL2PRD0310MB362.namprd03.prod.outlook.com ([169.254.10.183]) by BL2PRD0310HT001.namprd03.prod.outlook.com ([10.255.97.36]) with mapi id 14.16.0094.000; Sun, 4 Dec 2011 09:36:47 +0000
From: Anthony Nadalin <tonynad@microsoft.com>
To: Mike Jones <Michael.Jones@microsoft.com>, Barry Leiba <barryleiba@computer.org>, Stephen Farrell <stephen.farrell@cs.tcd.ie>
Thread-Topic: [OAUTH-WG] Mandatory-to-implement token type
Thread-Index: AQHMpQL0Sb85EJbey0aMx4cOTKVJd5XH3D0AgAABeQCAABrqAIAAXtYAgAJmFACAAFCYgIAAeAmw
Date: Sun, 04 Dec 2011 09:36:46 +0000
Message-ID: <B26C1EF377CB694EAB6BDDC8E624B6E73BFB1FF2@BL2PRD0310MB362.namprd03.prod.outlook.com>
References: <CALaySJJ+2au5rxEQmSSpXO42KmgCu=NhiLPBCx-3AH0hud=5CQ@mail.gmail.com> <CAH-8B6sjim_tcBkTPFWc1SnjhtHDQTR7sVT+aOjnYv7cs8JssA@mail.gmail.com> <4ED82D62.3070800@cs.tcd.ie> <CALaySJLKYLpPWc14_GUJKc5j1E3QovKQOx9HsdR-n2YV7kstpQ@mail.gmail.com> <4ED89384.9060603@cs.tcd.ie> <CAC4RtVBQdV+dwhzK903nkeNhsKzrHNFPYMK+EZtxRXnHWGs68w@mail.gmail.com> <4E1F6AAD24975D4BA5B16804296739435F7576DF@TK5EX14MBXC283.redmond.corp.microsoft.com>
In-Reply-To: <4E1F6AAD24975D4BA5B16804296739435F7576DF@TK5EX14MBXC283.redmond.corp.microsoft.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [62.50.245.48]
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OrganizationHeadersPreserved: BL2PRD0310HT001.namprd03.prod.outlook.com
X-FOPE-CONNECTOR: Id%0$Dn%*$RO%0$TLS%0$FQDN%$TlsDn%
X-FOPE-CONNECTOR: Id%59$Dn%COMPUTER.ORG$RO%2$TLS%6$FQDN%131.107.125.5$TlsDn%
X-FOPE-CONNECTOR: Id%59$Dn%IETF.ORG$RO%2$TLS%6$FQDN%131.107.125.5$TlsDn%
X-FOPE-CONNECTOR: Id%59$Dn%CS.TCD.IE$RO%2$TLS%6$FQDN%131.107.125.5$TlsDn%
X-CrossPremisesHeadersPromoted: TK5EX14HUBC103.redmond.corp.microsoft.com
X-CrossPremisesHeadersFiltered: TK5EX14HUBC103.redmond.corp.microsoft.com
X-OriginatorOrg: microsoft.com
Cc: oauth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Mandatory-to-implement token type
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 04 Dec 2011 09:36:57 -0000

I agree we have no plans to implement MAC if we wanted that we would have been happy with OAUTH 1.0a but that was not deployable

-----Original Message-----
From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of Mike Jones
Sent: Saturday, December 03, 2011 6:26 PM
To: Barry Leiba; Stephen Farrell
Cc: oauth WG
Subject: Re: [OAUTH-WG] Mandatory-to-implement token type

I strongly object to a mandatory-to-implement clause for the MAC scheme.  They are unnecessary and market forces have shown that implementers do not want or need this kind of an authentication scheme.

				-- Mike

-----Original Message-----
From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of Barry Leiba
Sent: Saturday, December 03, 2011 1:38 PM
To: Stephen Farrell
Cc: oauth WG
Subject: Re: [OAUTH-WG] Mandatory-to-implement token type

Stephen says:
> On 12/02/2011 03:20 AM, Barry Leiba wrote:
>> Maybe what would work best is some text that suggests what I say
>> above: that toolkits intended for use in implementing OAuth services 
>> in general... implement [X and/or Y], and that code written for a 
>> specific environment implement what makes sense for that environment.
>> It seems to me that to require any particular implementation in the 
>> latter case is arbitrary and counter-productive, and doesn't help 
>> anything interoperate.  Whereas general-purpose toolkits that 
>> implement everything DO help interop.
>
> That'd work just fine for me.

OK, so here's what I suggest... I propose adding a new section 7.2, thus:

-----------------------------------
7.2 Access Token Implementation Considerations

Access token types have to be mutually understood among the authorization server, the resource server, and the client -- the access token issues the token, the resource server validates it, and the client is required to understand the type, as noted in section 7.1, above.  Because of that, interoperability of program code developed separately depends upon the token types that are supported in the code.

Toolkits that are intended for general use (for building other clients and/or servers), therefore, SHOULD implement as many token types as practical, to ensure that programs developed with those toolkits are able to use the token types they need.  In particular, all general-use toolkits MUST implement bearer tokens [...ref...] and MAC tokens [...ref...].

Purpose-built code, built without such toolkits, has somewhat more flexibility, as its developers know the specific environment they're developing for.  There's clearly little point to including code to support a particular token type when it's known in advance that the type in question will never be used in the intended deployment.
Developers of purpose-built code are encouraged to consider future extensions and to plan ahead for changes in circumstances, and might still want to include support for multiple token types.  That said, the choice of token-type support for such purpose-built code is left to the developers and their specific requirements.
-----------------------------------

I think that expresses a reasonable compromise that might actually be followed and might actually do some good.  Comments?  Can we go with this and close this issue?  (And, sorry, I've been a Bad Chair, and haven't put this in the tracker.)

Barry
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth


_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email