Since you are a recent addition to the working group, you probably don't know 
that I objected to using both the OAuth and OAuth2 scheme names and wanted to 
call the scheme name Token. Producing a generally applicable HTTP 
authentication scheme is actually in our original charter and was one of the 
goals. Calling it OAuth2 is not generally applicable.

As for the end-to-end solution, it was never intended to be (nor can it), with 
or without the bearer token addition. OAuth is a single (authorization) 
protocol. The bearer token is a separate protocol with an OAuth2 binding, as is 
the MAC authentication scheme.

For 10 drafts, the bearer token language was part of the document I edited. I 
don't think anyone has any doubts regarding my disagreement with it throughout 
the process. I am pretty sure I also made it clear when I spent an hour on the 
phone helping get started on the draft, including explicitly telling you that 
the scheme name is an open issue you need to approach the working group about.

And speaking of being taken seriously, you can't be serious suggesting that my 
editorial role obliges me to subscribe to any views expressed in a working 
group document.

EHL

> -----Original Message-----
> From: Mike Jones [mailto:michael.jo...@microsoft.com]
> Sent: Tuesday, January 25, 2011 10:07 PM
> To: Eran Hammer-Lahav; Marius Scurtescu
> Cc: OAuth WG
> Subject: RE: [OAUTH-WG] Bear token scheme name
> 
> To the extent that the OAuth2 protocols are intended to provide an end-to-
> end solution, the more consistency the better, hence the "OAuth2" name.
> Since the same feature used the "OAuth" name in draft 10 (which you
> authored), I find it hard to take seriously your objections to the "OAuth2"
> name in the bearer token spec, when the description of the feature is
> exactly the same (and which you actually wrote).
> 
> -----Original Message-----
> From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf
> Of Eran Hammer-Lahav
> Sent: Tuesday, January 25, 2011 9:59 PM
> To: Marius Scurtescu
> Cc: OAuth WG
> Subject: Re: [OAUTH-WG] Bear token scheme name
> 
> Simply because authentication is not what OAuth is about.
> 
> OAuth is an authorization protocol for issuing access tokens. Access tokens
> can have different properties and therefore need different schemes. I was
> the first to suggest a scheme with sub-schemes but that idea was strongly
> rejected (over a year ago). Since then I came to the same conclusion that the
> proper way is to define separate authentication schemes. It is also how most
> HTTP authentication frameworks operate.
> 
> One benefit to this approach is that HTTP authentication already covers the
> discovery of which schemes are supported by the resource server, as well as
> token schemes can be used independently from OAuth, something the 2-
> legged OAuth 1.0 has shown has great value. Also, it keeps the protocol
> modular, which enables providers to tailor it to their security needs.
> 
> OAuth 2.0 is authentication agnostic and must remain so. It is an
> authorization protocol and as such has no business defining authentication
> mechanisms.
> 
> For this reason, I object to using the OAuth2 scheme name with the bearer
> token scheme. It's a "trademark" issue.
> 
> EHL
> 
> > -----Original Message-----
> > From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf
> > Of Marius Scurtescu
> > Sent: Tuesday, January 25, 2011 6:26 PM
> > To: Mike Jones
> > Cc: OAuth WG
> > Subject: Re: [OAUTH-WG] Bear token scheme name
> >
> > On Wed, Jan 19, 2011 at 10:10 AM, Mike Jones
> > <michael.jo...@microsoft.com> wrote:
> > > I'd like a sense from the working group whether others want this
> > > change, and if so, what the name should be changed to.
> >
> > Probably this was debated, but I will ask again.
> >
> > Why can't we use "OAuth2" as the scheme in all cases and require a
> > token_type name/value pair?
> >
> > Is it wise to dump lots of new schemes in a name space we do not control?
> >
> > Marius
> > _______________________________________________
> > OAuth mailing list
> > OAuth@ietf.org
> > https://www.ietf.org/mailman/listinfo/oauth
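
The quoted 25 January message argues that HTTP authentication already lets a client discover which schemes a resource server supports. The sketch below is an added example, not part of the thread or of any draft: it parses a WWW-Authenticate value carrying separate challenges and selects only a scheme the client is willing to use. The scheme names come from the thread; the header values, realm strings and function names are constructed for illustration, and token68-style challenges are out of scope.

```python
import re

TOKEN = r"[!#$%&'*+.^_`|~0-9A-Za-z-]+"
# auth-param: token = token | quoted-string (a quoted value may contain commas)
PARAM = re.compile(rf'({TOKEN})\s*=\s*(?:"((?:[^"\\]|\\.)*)"|({TOKEN}))')
# A scheme name is a token followed by whitespace, a comma or end of input
SCHEME = re.compile(rf'({TOKEN})(?=[\s,]|$)')

# Constructed header values; "OAuth2" is the name the thread disputes for
# the bearer token scheme, "MAC" is the other scheme it mentions.
BOTH = 'MAC realm="photos, private", OAuth2 realm="photos, private"'
BEARER_ONLY = 'OAuth2 realm="photos"'


def parse_challenges(header):
    """Parse one WWW-Authenticate value into [(scheme, {param: value}), ...]."""
    challenges, pos = [], 0
    while pos < len(header):
        if header[pos] in ", \t":  # list separators and optional whitespace
            pos += 1
            continue
        param = PARAM.match(header, pos)
        if param and challenges:  # name=value belongs to the current challenge
            name, quoted, bare = param.groups()
            value = re.sub(r"\\(.)", r"\1", quoted) if quoted is not None else bare
            challenges[-1][1][name.lower()] = value
            pos = param.end()
            continue
        scheme = SCHEME.match(header, pos)
        if not scheme:
            raise ValueError(f"malformed challenge at offset {pos}")
        challenges.append((scheme.group(1), {}))
        pos = scheme.end()
    return challenges


def select_scheme(header, acceptable):
    """Return (scheme, params) for the first acceptable scheme offered, else None."""
    offered = {s.lower(): p for s, p in parse_challenges(header)}  # names are case-insensitive
    for scheme in acceptable:
        if scheme.lower() in offered:
            return scheme, offered[scheme.lower()]
    return None


if __name__ == "__main__":
    print(parse_challenges(BOTH))
    # A client that accepts only MAC finds no usable scheme here (None),
    # so it can stop before sending a token.
    print(select_scheme(BEARER_ONLY, ["MAC"]))
```

Splitting the header on commas would break the quoted realm value, which is why the parser walks the string by position.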