Re: [OAUTH-WG] First draft of OAuth 2.0

Dick Hardt <dick.hardt@gmail.com> Wed, 24 March 2010 05:26 UTC

From: Dick Hardt <dick.hardt@gmail.com>
In-Reply-To: <fd6741651003231851t1c2a3048v247fc54a77da29e5@mail.gmail.com>
Date: Tue, 23 Mar 2010 22:21:10 -0700
Message-Id: <2350B53B-441E-4934-8043-DBE54E574900@gmail.com>
To: David Recordon <recordond@gmail.com>
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] First draft of OAuth 2.0

That was one of the reasons why the refresh was repeated. Unfortunately I dropped the secret mistakenly when I ported over to RFC format. See my comments on draft-recordon-oauth2 for details.

On 2010-03-23, at 6:51 PM, David Recordon wrote:

> What about clients which don't have access to the client secret? For
> example, rich desktop applications and devices.
> 
> Seems like if the client secret is optional then a server can enforce
> in policy what type of clients must pass it in.
> 
> --David
> 
> On Tue, Mar 23, 2010 at 5:56 PM, Brian Eaton <beaton@google.com> wrote:
>> On Tue, Mar 23, 2010 at 12:01 PM, David Recordon <recordond@gmail.com> wrote:
>>>> §3
>>>> - Why is the parameter oauth_client_secret required for refreshing access
>>>> tokens? Use cases 2.2 and 2.3 do not require the client to use (possess) a
>>>> secret. Does this imply such clients are not entitled to refresh tokens? I
>>>> would suggest simply removing this parameter.
>>> 
>>> It shouldn't be required.  Fixed!
>>> http://github.com/daveman692/OAuth-2.0/commit/a30843724f241f3ea1052c83dcfec0127a11fe00
>> 
>> It was required in WRAP because it lets you recover if a client web
>> server that holds many refresh tokens is compromised.  You rotate the
>> client secret, and then the attacker loses access to user data.
>> 
>> Please add it back. =)
>> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
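The recovery Brian describes (rotate the client secret and the attacker's copied refresh tokens stop working) only holds if the token endpoint authenticates the client on every refresh_token grant. The toy model below is an added example, not code from this thread or from any OAuth implementation; the `AuthServer` class, the client id `web-app` and the secrets are constructed for illustration, and the function runs the same compromise-then-rotate scenario with and without the secret check.

```python
import hmac
import secrets
from dataclasses import dataclass, field

@dataclass
class AuthServer:
    """Toy token endpoint: refresh tokens are bound to a client_id, and the
    client's current secret may be demanded on every refresh_token grant."""
    require_client_secret_on_refresh: bool = True
    clients: dict = field(default_factory=dict)         # client_id -> secret
    refresh_tokens: dict = field(default_factory=dict)  # refresh token -> client_id

    def register_client(self, client_id, client_secret):
        self.clients[client_id] = client_secret

    def issue_refresh_token(self, client_id):
        token = secrets.token_urlsafe(32)
        self.refresh_tokens[token] = client_id
        return token

    def rotate_client_secret(self, client_id):
        # Operator's recovery step after the client's server is compromised.
        new_secret = secrets.token_urlsafe(32)
        self.clients[client_id] = new_secret
        return new_secret

    def refresh(self, refresh_token, client_id, client_secret=None):
        """Return a new access token, or None if the grant is rejected."""
        if self.refresh_tokens.get(refresh_token) != client_id:
            return None  # unknown token, or not bound to this client
        if self.require_client_secret_on_refresh:
            expected = self.clients.get(client_id)
            if expected is None or client_secret is None:
                return None
            if not hmac.compare_digest(expected, client_secret):
                return None  # stale or wrong secret
        return "access-" + secrets.token_urlsafe(16)

def refresh_after_rotation(require_secret):
    """Constructed scenario: an attacker copies a web client's refresh-token
    store plus the old secret beside it; the operator then rotates the secret.
    Returns (legitimate_client_still_works, attacker_still_works)."""
    srv = AuthServer(require_client_secret_on_refresh=require_secret)
    srv.register_client("web-app", "old-secret")
    stolen = [srv.issue_refresh_token("web-app") for _ in range(3)]
    new_secret = srv.rotate_client_secret("web-app")
    legit_ok = srv.refresh(stolen[0], "web-app", new_secret) is not None
    attacker_ok = any(srv.refresh(t, "web-app", "old-secret") is not None
                      for t in stolen)
    return legit_ok, attacker_ok
```

With the check enabled the legitimate client keeps working after rotation while the copied tokens are dead; with it disabled, rotation changes nothing for the attacker.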