> -----Original Message-----
> From: pel...@gmail.com [mailto:pel...@gmail.com] On Behalf Of Pelle
> Braendgaard
> Sent: Tuesday, June 29, 2010 7:43 AM
> To: Eran Hammer-Lahav
> Cc: OAuth WG (oauth@ietf.org)
> Subject: Re: [OAUTH-WG] Draft -09
> 
> I found one small error in 3.1 for the "code" parameter. It mistakenly says
> "token" and not "code":
> 
> http://r6.sharedcopy.com/6bnqq8v

Thanks.

> Anyway I hadn't seen any of the changes since 2.05 which I just implemented
> for the Ruby on Rails OAuth Plugin and I have to say the changes look great. I
> will have to rewrite a fair amount of code now, but the changes in general
> are excellent and simplify things a lot.
> 
> My only comment is on the assertions part. I am sure this will be useful for
> Enterprise type of people but I don't know what kind of support there is for
> these kinds of things in say the Ruby, Python and PHP world. So my guess is
> that libraries probably won't be supporting them from the get go. It would be
> useful for us implementers if someone provided resources with information
> on how to implement this.

The assertion grant type is really the grant type extension point. Libraries 
should treat it as a way to support custom grant types. One of the things I 
would like to see someone draft is how to use OAuth 1.0 tokens to obtain OAuth 
2.0 tokens using the assertion type. For example, the assertion type can be 
"http://oauth.net/1.0/token", and the assertion itself is some form of the 
token and signature (or secrets) concatenated into a string (this will maintain 
the 1.0 security while transitioning to 2.0). This is just a straw man.

It is important that libraries support this extensibility with some form of a 
hook or handler so that clients can make requests using assertions from outside 
the library.

EHL

> P
> 
> On Tue, Jun 29, 2010 at 3:11 AM, Eran Hammer-Lahav
> <e...@hueniverse.com> wrote:
> > For editorial feedback, I am going to try something new and use
> > SharedCopy.com (no install required).
> >
> >
> >
> > Try it out at: http://r6.sharedcopy.com/6bnqq8v
> >
> >
> >
> > If this doesn’t work, I’ll let people know and cancel it.
> >
> >
> >
> > EHL
> >
> >
> >
> >
> >
> > From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf
> > Of Eran Hammer-Lahav
> > Sent: Monday, June 28, 2010 11:56 PM
> > To: OAuth WG (oauth@ietf.org)
> > Subject: [OAUTH-WG] Draft -09
> >
> >
> >
> > Draft -09 is now posted. Main changes include:
> >
> >
> >
> > o  Fixed typos, editorial changes. Thanks to Dick for his useful feedback.
> >
> > o  Added token expiration example.
> >
> > o  Added scope parameter to end-user authorization endpoint response
> > and WWW-Authenticate header.
> >
> > o  Added note about parameters with empty values (same as omitted).
> >
> > o  Changed parameter values to use '-' instead of '_'.  Parameter
> > names still use '_'.
> >
> > o  Changed authorization endpoint client type to response type with
> > values: code, token, or both.
> >
> > o  Complete cleanup of error codes.  Added support for error
> > description and URI.
> >
> > o  Add initial extensibility support.
> >
> >
> >
> > Draft -09 represents what I consider to be the first feature complete
> > proposal. While it still needs much work, it has notes for open issues
> > and missing parts. I plan to give people 2 weeks to review and provide
> > extensive feedback, and will post one more draft before the 7/12
> > cutoff date for the meeting.
> >
> >
> >
> > My goal is to collect enough feedback to declare the next draft (-10)
> > stable for wider implementation. If you were waiting for a stable
> > draft to study and provide extensive feedback, this is the draft! When
> > giving feedback pretend this is your last chance to make a
> > significant contribution or changes to the core specification.
> >
> >
> >
> > Please submit feedback by 7/9.
> >
> >
> >
> > When submitting feedback please start a new thread for each item.
> > Editorial commentary can be collected in one post (and please send to
> > the list, even if it is minor, because I tend to get the same typo
> > correction many times).
> >
> >
> >
> > Thanks,
> >
> >
> >
> > EHL
> >
> >
> >
> >
> >
> > _______________________________________________
> > OAuth mailing list
> > OAuth@ietf.org
> > https://www.ietf.org/mailman/listinfo/oauth
> >
> >
> 
> 
> 
> --
> http://agree2.com - Reach Agreement!
> http://stakeventures.com - My blog about startups and agile banking
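
The hook or handler Eran asks libraries to provide could look like this in a Ruby client library. This is an added example, not part of the thread or of any OAuth library: the class and method names, the `grant_type`/`assertion_type`/`assertion` parameter names (assumed from the OAuth 2.0 drafts of the time), and the token-plus-HMAC assertion encoding are all hypothetical.

```ruby
require "uri"
require "openssl"

# Hypothetical client-library hook: callers register one handler per assertion
# type URI; the library only assembles the token request body.
class AssertionGrants
  class UnknownAssertionType < StandardError; end

  def initialize
    @handlers = {}
  end

  # The assertion type must be an absolute URI; the block builds the assertion.
  def register(type_uri, &handler)
    raise ArgumentError, "assertion type must be an absolute URI" unless URI.parse(type_uri).absolute?
    @handlers[type_uri] = handler
  end

  # Form-encoded token request body. Parameter names are assumed from the
  # OAuth 2.0 drafts of the time; they do not appear in the thread.
  def token_request_body(type_uri, context, extra = {})
    handler = @handlers.fetch(type_uri) do
      raise UnknownAssertionType, "no handler registered for #{type_uri}"
    end
    assertion = handler.call(context).to_s
    raise ArgumentError, "handler returned an empty assertion" if assertion.empty?
    # Grant parameters are merged last so caller-supplied extras cannot override them.
    URI.encode_www_form(extra.merge("grant_type" => "assertion",
                                    "assertion_type" => type_uri,
                                    "assertion" => assertion))
  end
end

OAUTH1_TOKEN_TYPE = "http://oauth.net/1.0/token" # straw-man URI from the message

# Made-up encoding: the token, then an HMAC-SHA1 over it keyed the OAuth 1.0
# way, so the secrets themselves are never sent.
def oauth1_assertion(ctx)
  key = [ctx[:consumer_secret], ctx[:token_secret]].map { |s| URI.encode_www_form_component(s) }.join("&")
  sig = [OpenSSL::HMAC.digest("SHA1", key, ctx[:token])].pack("m0") # strict base64
  "#{ctx[:token]}.#{sig}"
end

GRANTS = AssertionGrants.new
GRANTS.register(OAUTH1_TOKEN_TYPE) { |ctx| oauth1_assertion(ctx) }

# Constructed sample credentials, not real ones.
SAMPLE = { token: "sample-token", token_secret: "sample-token-secret", consumer_secret: "sample-consumer-secret" }.freeze
puts GRANTS.token_request_body(OAUTH1_TOKEN_TYPE, SAMPLE, "scope" => "read")
```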