To the extent that the OAuth2 protocols are intended to provide an end-to-end solution, the more consistency the better, hence the "OAuth2" name. Since the same feature used the "OAuth" name in draft 10 (which you authored), I find it hard to take seriously your objections to the "OAuth2" name in the bearer token spec, when the description of the feature is exactly the same (and which you actually wrote).
-----Original Message----- From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf Of Eran Hammer-Lahav Sent: Tuesday, January 25, 2011 9:59 PM To: Marius Scurtescu Cc: OAuth WG Subject: Re: [OAUTH-WG] Bear token scheme name Simply because authentication is not what OAuth is about. OAuth is an authorization protocol for issuing access tokens. Access tokens can have different properties and therefore need different schemes. I was the first to suggest a scheme with sub-schemes but that idea was strongly rejected (over a year ago). Since then I came to the same conclusion that the proper way is to define separate authentication schemes. It is also how most HTTP authentication framework operate. One benefit to this approach is that HTTP authentication already covers the discovery of which schemes are supported by the resource server, as well as token schemes can be used independently from OAuth, something the 2-legged OAuth 1.0 has shown has great value. Also, it keeps the protocol modular which enable providers to tailor it to their security needs. OAuth 2.0 is authentication agnostic and must remain so. It is an authorization protocol and as such has no business defining authentication mechanisms. For this reason, I object to using the OAuth2 scheme name with the bearer token scheme. It's a "trademark" issue. EHL > -----Original Message----- > From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf > Of Marius Scurtescu > Sent: Tuesday, January 25, 2011 6:26 PM > To: Mike Jones > Cc: OAuth WG > Subject: Re: [OAUTH-WG] Bear token scheme name > > On Wed, Jan 19, 2011 at 10:10 AM, Mike Jones > <michael.jo...@microsoft.com> wrote: > > I'd like a sense from the working group whether others want this > > change, and if so, what the name should be changed to. > > Probably this was debated, but I will ask again. > > Why can't we use "OAuth2" as the scheme in all cases and require a > token_type name/value pair? > > Is it wise to dump lots of new schemes in a name space we do not control? > > Marius > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth _______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth _______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
