We can do that too, and I rather like it.  I thought there was a big "don't 
cross the beams" warning somewhere though.

-bill


________________________________
 From: "Richer, Justin P." <jric...@mitre.org>
To: William Mills <wmills_92...@yahoo.com> 
Cc: O Auth WG <oauth@ietf.org> 
Sent: Monday, February 4, 2013 1:37 PM
Subject: Re: [OAUTH-WG] conf call follow up from  today
 

What if we define a means to request OAuth1 style tokens from an OAuth2 
auth/token endpoint, but defer to OAuth1 for methods of how to use the token at 
protected resources? 

 -- Justin



On Feb 4, 2013, at 3:22 PM, William Mills <wmills_92...@yahoo.com> wrote:

>1)  I think that we need to focus on specific solutions, as I said on the call, 
>and solve the OAuth 1.0a/MAC use case.  There's a significant installed base of 
>OAuth 1.0a and we need a path for those installations into OAuth 2.0.  I may 
>well pursue MAC in the interim to do this, but a full HOK solution would work 
>too.
>
>
>2)  I think the discussion we were having about "which authenticator to use" 
>falls squarely into the endpoint discovery discussion and we should put that 
>energy into endpoint discovery as distinct from HOK.
>
>
>3)  We haven't talked yet about how a client will be able to specify a token 
>type if it wants a specific one.  OAuth 2 core will need to be extended to 
>support this.
>
>
>4)  We should leave the key distribution/discovery mechanism either out of 
>scope or define it explicitly per HOK token type profile.  This will have to 
>work with the extensions for #3 above.
>
>
>5)  I want to avoid the problem in OAuth 1.0a of having to support and accept 
>every possible signing mode.  Being forced to accept PLAINTEXT sucks.  We need 
>a way for the discovery endpoint to mandate a specific set of allowed 
>signature methods.
>
>
>Regards,
>
>
>-bill
>
>
>_______________________________________________
>OAuth mailing list
>OAuth@ietf.org
>https://www.ietf.org/mailman/listinfo/oauth
>
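
Point 5 in the quoted message asks for a way to mandate the set of signature methods a server accepts. The following is an added example, not part of the thread or of any OAuth specification text: a resource-server check that refuses an OAuth 1.0a request whose `oauth_signature_method` is outside a published allowlist. The `DISCOVERY` dict, its key name, and the sample headers are constructed assumptions.

```python
import re
from urllib.parse import unquote

# Constructed stand-in for what a discovery endpoint might publish; the thread
# defines no format, so the key name is hypothetical.
DISCOVERY = {"signature_methods_supported": ["HMAC-SHA1", "RSA-SHA1"]}

# One name="value" pair from an OAuth 1.0a Authorization header.
_PAIR = re.compile(r'\s*([^=\s,"]+)="([^"]*)"\s*')


class Rejected(Exception):
    """Request refused before any signature verification is attempted."""


def parse_oauth_header(header):
    """Return the header's parameters, percent-decoded, as a dict."""
    scheme, _, rest = header.strip().partition(" ")
    if scheme.lower() != "oauth" or not rest:
        raise Rejected("not an OAuth 1.0a Authorization header")
    params = {}
    for part in rest.split(","):
        m = _PAIR.fullmatch(part)
        if m is None:
            raise Rejected("malformed parameter: %r" % part.strip())
        name, value = unquote(m.group(1)), unquote(m.group(2))
        if name in params:
            # A duplicate could let two components read different values.
            raise Rejected("duplicate parameter: " + name)
        params[name] = value
    return params


def enforce_signature_method(header, discovery=DISCOVERY):
    """Return the declared method if the published policy allows it."""
    allowed = frozenset(discovery["signature_methods_supported"])
    method = parse_oauth_header(header).get("oauth_signature_method")
    if method is None:
        raise Rejected("oauth_signature_method missing")
    if method not in allowed:  # exact match: "plaintext" is not normalised
        raise Rejected("signature method not allowed: " + method)
    return method


# Constructed sample headers (not captured traffic).
COMMON = 'OAuth oauth_consumer_key="client-abc", oauth_token="tok-123", '
HMAC_REQ = COMMON + 'oauth_signature_method="HMAC-SHA1", oauth_signature="c2ln%3D"'
PLAIN_REQ = COMMON + 'oauth_signature_method="PLAINTEXT", oauth_signature="cs%26ts"'
```

With PLAINTEXT the `oauth_signature` value is the client and token secrets joined by `&`, so the check runs before verification and the same client library and policy source can be used to tell clients which methods to pick.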