When the decision was made to break the specification, we discussed giving the 
bearer token a different scheme name. This has been the implicit consensus for 
over a year, though not necessarily for the bearer token but for the signed 
request. IOW, there was consensus NOT to use a single scheme for all token 
types. Since we now split the bearer token out of the specification, it should 
have a new scheme name. This is the obvious conclusion of the new organization 
and separation of authorization from authentication.

As for the token type, it is meant to identify the characteristics of the token 
needed by the client to use the token. The only value of the token type is to 
inform the client how it should be used. The authentication scheme (HTTP or
otherwise) used is the primary goal.

EHL

> -----Original Message-----
> From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf
> Of Mike Jones
> Sent: Friday, January 14, 2011 5:42 PM
> To: 'Manger, James H'; oauth@ietf.org
> Subject: Re: [OAUTH-WG] OAuth 2.0 Bearer Token specification draft -01
> 
> Thanks James,
> 
> I wanted to provide feedback on your comments.
> 
> You wrote "token_type should be an HTTP authentication scheme name".  I
> disagree with this.  The token_type is intended to be used to identify the type
> of the token, meaning that it is likely to take on values like:
>       SWT
>       JWT
>       urn:oasis:names:tc:SAML:1.0:assertion
>       urn:oasis:names:tc:SAML:2.0:assertion
>       http://service.example.com/oauth/custom_token_format
> 
> You wrote "the bearer spec (draft-ietf-oauth-v2-bearer) must not use the
> 'OAuth2' scheme name. It needs its own scheme name, eg 'BEARER'".  I also
> disagree with this.  For the same reason that it was appropriate for draft 11 to
> use the scheme name "OAuth", it is appropriate for the bearer token spec to
> use the scheme name "OAuth2" for the corresponding text.  In the interest
> of completing the specification, I'm not prone to introduce a breaking change
> by modifying the scheme name at this time.
> 
> Working group feedback is welcome.
> 
>                               -- Mike
> 
> -----Original Message-----
> From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf
> Of Manger, James H
> Sent: Thursday, December 02, 2010 3:42 PM
> To: oauth@ietf.org
> Subject: Re: [OAUTH-WG] OAuth 2.0 Bearer Token specification draft -01
> 
> token_type should be an HTTP authentication scheme name (eg "BASIC" or
> "BEARER" or "MAC"...).
> The core spec (draft-ietf-oauth-v2) should explicitly state this rule.
> From the token_type, the client app knows which auth scheme to use.
> [renaming the parameter from "token_type" to "scheme" would help.]
> 
> Defining token_type to be an HTTP authentication scheme name effectively
> defines how OAuth2 can deliver credentials for auth schemes that are
> independent of OAuth2, eg schemes specified before OAuth2 existed. It
> eliminates the need for additional specs just to provide a link from OAuth2 to
> every authentication mechanism.
> 
> Some auth mechanisms for which OAuth2 could deliver credentials are not
> actually HTTP authentication schemes. Eg OAuth2 delivering an id/secret to
> use in TLS-PSK (pre-shared key). For that you will need a small additional spec
> to define a token_type value -- ie define a pseudo-HTTP-auth-scheme-name.
> 
> P.S. Related to this, the bearer spec (draft-ietf-oauth-v2-bearer) must not
> use the "OAuth2" scheme name. It needs its own scheme name, eg
> "BEARER".
> 
> 
> --
> James Manger
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
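The mechanics the thread is arguing over, as an added example that is not code from this thread or from any OAuth draft: a client reads token_type from the token response and, when the value names a scheme it knows (here Bearer and MAC), builds the Authorization header; when the value only names a format such as JWT, it can proceed only with an out-of-band mapping from format name to scheme. A resource-server check for each header is included so the difference between presenting a bearer token and presenting a signature is visible on both ends. The token responses are constructed, the MAC signing is a simplified HMAC over method, URL, timestamp and nonce rather than the MAC draft's normalized request string, token_type is matched case-insensitively by assumption, and the function names and the format_registry parameter are mine.

```python
"""Added example (not from the thread or any OAuth draft): a client picks the HTTP
auth scheme from token_type, and a resource server checks the resulting header.
Token responses are constructed; the MAC signing is a simplified HMAC sketch,
not the normalized request string of draft-ietf-oauth-v2-http-mac."""
import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import urlsplit

KNOWN_SCHEMES = {"bearer", "mac"}  # schemes this client can put on the wire

# Constructed token responses (not real tokens or keys).
BEARER_RESPONSE = json.dumps({"access_token": "constructed-bearer-token",
                              "token_type": "bearer", "expires_in": 3600})
MAC_RESPONSE = json.dumps({"access_token": "constructed-mac-id", "token_type": "MAC",
                           "mac_key": "constructed-mac-key", "mac_algorithm": "hmac-sha-256"})
# token_type naming a token format rather than a scheme (the other position in the thread)
FORMAT_RESPONSE = json.dumps({"access_token": "eyJhbGciOiJub25lIn0.e30.", "token_type": "JWT"})


def parse_token_response(body):
    resp = json.loads(body)
    for field in ("access_token", "token_type"):
        if field not in resp:
            raise ValueError(f"token response lacks {field}")
    return resp


def resolve_scheme(token_type, format_registry=None):
    """Auth scheme for a token_type, or None if the client cannot tell.
    format_registry (assumed, supplied out of band) maps a format name such as
    'jwt' to a scheme: the extra link a format-only token_type needs."""
    value = token_type.lower()  # compared case-insensitively (assumption)
    if value in KNOWN_SCHEMES:
        return value
    return (format_registry or {}).get(value)


def _normalized_request(ts, nonce, method, url):
    """Simplified string covered by the MAC (assumption, not the draft's)."""
    u = urlsplit(url)
    port = u.port or (443 if u.scheme == "https" else 80)
    path = (u.path or "/") + ("?" + u.query if u.query else "")
    return "\n".join([str(ts), nonce, method.upper(), path, u.hostname, str(port)]) + "\n"


def _mac(key, ts, nonce, method, url):
    msg = _normalized_request(ts, nonce, method, url).encode()
    return base64.b64encode(hmac.new(key.encode(), msg, hashlib.sha256).digest()).decode()


def authorization_header(resp, method, url, ts=None, nonce=None, format_registry=None):
    scheme = resolve_scheme(resp["token_type"], format_registry)
    if scheme == "bearer":
        # Bearer: the token itself is the credential, so anyone who sees the
        # header can replay it; the TLS channel is the only protection.
        return f"Bearer {resp['access_token']}"
    if scheme == "mac":
        # MAC: the key never leaves the client; the request carries only an HMAC.
        if resp.get("mac_algorithm") != "hmac-sha-256":
            raise ValueError("only hmac-sha-256 is implemented here")
        ts = int(time.time()) if ts is None else ts
        nonce = secrets.token_hex(8) if nonce is None else nonce
        mac = _mac(resp["mac_key"], ts, nonce, method, url)
        return f'MAC id="{resp["access_token"]}", ts="{ts}", nonce="{nonce}", mac="{mac}"'
    raise ValueError(f"token_type {resp['token_type']!r} does not name a scheme the client knows")


def verify_bearer(header, valid_tokens):
    """Resource-server check for a Bearer header (constant-time compare)."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "bearer" or not token:
        return False
    return any(hmac.compare_digest(token, t) for t in valid_tokens)


def _parse_params(s):
    out = {}
    for item in s.split(","):
        k, _, v = item.strip().partition("=")
        out[k] = v.strip('"')
    return out


def verify_mac(header, method, url, keys_by_id, now=None, max_skew=300, seen=None):
    """Resource-server check for a MAC header: known id, fresh ts, unseen nonce, valid HMAC."""
    scheme, _, params = header.partition(" ")
    if scheme.lower() != "mac":
        return False
    p = _parse_params(params)
    key = keys_by_id.get(p.get("id"))
    if key is None or not p.get("ts", "").isdigit():
        return False
    ts = int(p["ts"])
    now = int(time.time()) if now is None else now
    if abs(now - ts) > max_skew:
        return False
    if seen is not None:  # replay detection on (id, ts, nonce)
        tag = (p["id"], ts, p.get("nonce", ""))
        if tag in seen:
            return False
        seen.add(tag)
    return hmac.compare_digest(_mac(key, ts, p.get("nonce", ""), method, url), p.get("mac", ""))
```

With the constructed responses, `authorization_header` yields `Bearer constructed-bearer-token` for the first and a `MAC id=..., ts=..., nonce=..., mac=...` header for the second; for the JWT response it raises unless a format-to-scheme registry is passed in, which is the "additional spec" link James describes. On the verifying side the MAC check rejects a changed URL, a stale timestamp and a replayed (id, ts, nonce) triple, none of which a bearer check can do.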