Making the draft-ietf-oauth-v2-bearer mandatory to implement gets us a bearer (unknown content and format) token from the authorization server; for the resource server this gets us an authentication scheme of bearer (unknown content and format) token, not sure where this gets us towards interop as the content and format will be specific to authorization and resource server.
I don't fully understand the requirement for this mandatory to implement item beyond the fact that everyone has to implement bearer tokens of unknown content and format.

-----Original Message-----
From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf Of Matt Miller
Sent: Thursday, November 17, 2011 1:25 AM
To: Mike Jones; Barry Leiba
Cc: oauth WG
Subject: Re: [OAUTH-WG] Mandatory-to-implement HTTP authentication scheme

Further clarification (-:

This is not (or shortly will not be) limited to HTTP. There is work to use OAUTH over SASL, which opens it up to a much much broader audience (e.g. IMAP, SMTP, and XMPP).

> 1. Should we specify some token type as mandatory to implement? Why or why
> not (*briefly*)?

Yes. I believe it is necessary to provide a baseline for implementors, and will help make the "80% rule" easier; if "everyone" supports <x> then I will find client, authorization, and resource software that will "just work". I think this becomes even more important as OAuth is used with well-established resource servers (e.g. cloud-based XMPP service).

>
> 2. If we do specify one, which token type should it be?
>

I personally am ambivalent.

On Nov 17, 2011, at 16:32, Mike Jones wrote:

> Terminology correction: This discussion was actually about HTTP
> authentication schemes (Bearer, MAC, etc.), not token types (JWT, SAML,
> etc.). I've changed the subject line of the thread accordingly.
>
> -- Mike
>
> -----Original Message-----
> From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf Of
> Barry Leiba
> Sent: Thursday, November 17, 2011 12:29 AM
> To: oauth WG
> Subject: [OAUTH-WG] Mandatory-to-implement token type
>
> Stephen, as AD, brought up the question of mandatory-to-implement token
> types, in the IETF 82 meeting. There was some extended discussion on the
> point:
>
> - Stephen is firm in his belief that it's necessary for interoperability. He
> notes that mandatory to *implement* is not the same as mandatory to *use*.
> - Several participants believe that without a mechanism for requesting or
> negotiating a token type, there is no value in having any type be mandatory
> to implement.
>
> Stephen is happy to continue the discussion on the list, and make his point
> clear. In any case, there was clear consensus in the room that we *should*
> specify a mandatory-to-implement type, and that that type be bearer tokens.
> This would be specified in the base document, and would make a normative
> reference from the base doc to the bearer token doc.
>
> We need to confirm that consensus on the mailing list, so this starts the
> discussion. Let's work on resolving this over the next week or so, and
> moving forward:
>
> 1. Should we specify some token type as mandatory to implement? Why or why
> not (*briefly*)?
>
> 2. If we do specify one, which token type should it be?
>
> Barry, as chair
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

- m&m

Matt Miller - <mamil...@cisco.com>
Collaboration Software Group - Cisco Systems, Inc.