On Jul 13, 2010, at 3:03 PM, Blaine Cook wrote:

> +1 on "like a password", or something similar-and-meaningful because
> that's exactly how it's being used here. Pre-shared key, shared
> secret, etc., would be fine. Keep in mind that authentication *will be
> done* using the bearer token, and the bearer token alone.

Where is that specified? Is that required for all implementations?

> An OAuth token is unlike capabilities in that capabilities tend to be
> bound to addressable data – in most OAuth deployments, the data
> addressing is separate from the token.

A capability, basically, is a reference to an object and the permission to use it, bound together. Possession of the capability is enough to authorize the use of the reference. Bearer tokens follow roughly that model. They are about authorization and MAY be used alone for authentication, but may also be used with other mechanisms for authentication (specified in OAuth, or not). At least I hope that is the model (not to *require* servers to authenticate using the bearer token alone, even if *some* implementations do that)?

- johnk

> b.
>
> On 13 July 2010 19:46, Richer, Justin P. <jric...@mitre.org> wrote:
>>>> I would be very unhappy if we equated access tokens with passwords.
>>>>
>>>> I agree with Dirk that "capability" is a more expressive phrase than either
>>>> "shared secret" or "password".
>>
>>> Expressive to you and people well-versed in security theory. It means
>>> nothing to a casual reader. The token definition includes the term, but in
>>> this section, it is referring to how an access token is used, and it is used
>>> just like a password.
>>
>> Definitely agree with Eran here. The term "capability" doesn't mean much to
>> me in this circumstance, but "like a password" tells me exactly what I, as
>> an implementer, can expect.
>>
>> -- Justin
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
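The two readings argued over in this thread, "like a password" and "like a capability", can be shown side by side in a toy resource server. This is an added illustration, not code from the thread or from any OAuth draft: the server stores only a SHA-256 digest of each issued token (the password reading, so a leaked token table yields nothing usable), and each entry may bind the token to one object and a set of permitted actions (the capability reading, where the reference and the permission travel together) or leave it unbound, in which case the request names the object and the token is a plain bearer credential. The `/photos/...` resource names, the scope names and the `TokenStore` API are constructed for the example.

```python
import hashlib
import secrets

# Added example (not from the thread or any OAuth draft). A toy resource
# server that treats an access token "like a password": only a SHA-256
# digest of each token is kept. Each entry optionally binds the token to
# the single object it references (capability style) plus the permitted
# actions; an entry with resource=None is a plain bearer token whose
# object is named by the request. Paths and scope names are constructed.


def _digest(token: str) -> bytes:
    """Hash the raw token before storing or looking it up."""
    return hashlib.sha256(token.encode("utf-8")).digest()


class TokenStore:
    def __init__(self) -> None:
        # digest -> {"resource": str or None, "scopes": frozenset of str}
        self._entries = {}

    def issue(self, scopes, resource=None) -> str:
        """Mint a random token, record its binding, return the raw token.

        The raw token goes to the client; only its digest stays here."""
        token = secrets.token_urlsafe(32)
        self._entries[_digest(token)] = {
            "resource": resource,
            "scopes": frozenset(scopes),
        }
        return token

    def lookup(self, presented: str):
        # Lookup is by digest, so the raw token never touches the table.
        return self._entries.get(_digest(presented))

    def revoke(self, presented: str) -> bool:
        return self._entries.pop(_digest(presented), None) is not None


def authorize(store: TokenStore, presented: str, resource: str, action: str) -> bool:
    """Decide a request from the presented token alone.

    Bearer semantics: whoever holds a valid token is authorized; nothing
    else about the caller enters the decision. Capability semantics: a
    token bound to an object works only for that object, and only for the
    actions it was issued with."""
    entry = store.lookup(presented)
    if entry is None:
        return False
    if entry["resource"] is not None and entry["resource"] != resource:
        return False
    return action in entry["scopes"]


def demo() -> dict:
    """Exercise both token kinds and return the outcomes for inspection."""
    store = TokenStore()
    cap = store.issue({"read"}, resource="/photos/42")   # capability-style
    bearer = store.issue({"read", "write"})               # unbound bearer
    return {
        # possession alone suffices: no client identity is checked
        "cap_read_own": authorize(store, cap, "/photos/42", "read"),
        # a bound token does not reach a different object
        "cap_read_other": authorize(store, cap, "/photos/99", "read"),
        # a bound token does not carry an action it was not issued with
        "cap_write_own": authorize(store, cap, "/photos/42", "write"),
        # an unbound bearer token: the request, not the token, names the object
        "bearer_write_any": authorize(store, bearer, "/photos/99", "write"),
        # a guessed or fabricated string is rejected
        "guess": authorize(store, "not-a-token", "/photos/42", "read"),
        # after revocation the same string no longer works
        "revoked": (store.revoke(cap), authorize(store, cap, "/photos/42", "read")),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The `resource` field is what separates the two models the thread contrasts: with it set, the token is the reference and the permission in one piece; with it `None`, the token is a bare secret and the addressing lives in the request. Either way `authorize` never asks who the caller is, which is the bearer property Blaine describes.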