Re: [OAUTH-WG] Looking for a compromise on signatures and other open issues

> -Original Message- > From: Dick Hardt [mailto:dick.ha...@gmail.com] > Sent: Tuesday, September 28, 2010 5:09 PM > I am mildly concerned that breaking the spec into multiple parts makes it > harder for the spec reader to understand what is going on. Where does a > complete example of ge

Re: [OAUTH-WG] Looking for a compromise on signatures and other open issues

I am mildly concerned that breaking the spec into multiple parts makes it harder for the spec reader to understand what is going on. Where does a complete example of getting and using a token? Imagine how confusing HTTP would be if the request and response were in separate specs. I'm not sure t

Re: [OAUTH-WG] Looking for a compromise on signatures and other open issues

+1 The proposal makes sense. I particularly like the good side effect that the use of access tokens is no longer bound to HTTP. Hui-Lan Lu From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf Of Eran Hammer-Lahav Sent: Tuesday, September 28, 2

Re: [OAUTH-WG] Looking for a compromise on signatures and other open issues

+1 The proposal makes sense. I particularly like the side effect that the use of access tokens is no longer bound to HTTP. Hui-Lan Lu From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf Of Eran Hammer-Lahav Sent: Tuesday, September 28, 2010

Re: [OAUTH-WG] Looking for a compromise on signatures and other open issues

On 9/28/10 12:25 AM, Eran Hammer-Lahav wrote: > (Please take a break from the other threads and read this with an open > mind. I have tried to make this both informative and balanced.) > > --- IETF Process > > For those unfamiliar with the IETF process, we operate using rough > consensus. This me

Re: [OAUTH-WG] Looking for a compromise on signatures and other open issues

+1 Eran, thanks for framing this up... On Sep 28, 2010, at 12:14 PM, Brian Campbell wrote: > +1 seems like a pragmatic compromise > > On Tue, Sep 28, 2010 at 12:44 PM, Marius Scurtescu > wrote: >> On Tue, Sep 28, 2010 at 9:05 AM, George Fletcher wrote: >>> +1 I think this is a great path forw

Re: [OAUTH-WG] Looking for a compromise on signatures and other open issues

+1. -- John Panzer / Google jpan...@google.com / abstractioneer.org / @jpanzer On Mon, Sep 27, 2010 at 11:25 PM, Eran Hammer-Lahav wrote: > (Please take a break from the other threads and read this with an open > mind. I have tried to make this both informative

Re: [OAUTH-WG] Looking for a compromise on signatures and other open issues

+1 seems like a pragmatic compromise On Tue, Sep 28, 2010 at 12:44 PM, Marius Scurtescu wrote: > On Tue, Sep 28, 2010 at 9:05 AM, George Fletcher wrote: >> +1 I think this is a great path forward > > +1 > > > Marius > ___ > OAuth mailing list > OAuth@i

Re: [OAUTH-WG] Looking for a compromise on signatures and other open issues

On Tue, Sep 28, 2010 at 9:05 AM, George Fletcher wrote: > +1 I think this is a great path forward +1 Marius ___ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth

Re: [OAUTH-WG] Comparing the JSON Token drafts

On Mon, Sep 27, 2010 at 5:46 PM, Mike Jones wrote: > Dirk and I both posted JSON Token drafts on Thursday. They are at > http://balfanz.github.com/jsontoken-spec/draft-balfanz-jsontoken-00.html(which > I’ll refer to as Dirk’s draft) and > http://self-issued.info/docs/draft-goland-json-web-token

Re: [OAUTH-WG] Signatures...what are we trying to solve?

* Is there an example of an OAuth 2.0 server that can't use bearer tokens for protected resource requests and thus requires signatures? The use case I see for signatures that isn't solved (as well) by tokens is 3 way integrations where it is useful to manage a secret as a way to manage the bu

Re: [OAUTH-WG] Looking for a compromise on signatures and other open issues

> -Original Message- > From: Luke Shepard [mailto:lshep...@facebook.com] > Sent: Tuesday, September 28, 2010 9:16 AM > As far as the charter: this workgroup has had a focus on building an > interoperable, easy-to-use, developer-friendly standard that is actually used. > With the goal of

Re: [OAUTH-WG] Signatures...what are we trying to solve?

These use cases are not in the draft https://datatracker.ietf.org/doc/draft-zeltsan-use-cases-oauth. Could you write them up? Thanks, Zachary From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf Of George Fletcher Sent: Tuesday, September 28, 2

Re: [OAUTH-WG] Looking for a compromise on signatures and other open issues

Eran- Thanks for writing a great explanation of where we are so far. I agree that it makes sense to logically separate "getting a token" from "using a token", and we should structure it so that there can be extension specs about how to use a token. It also seems clear that we should do some mor

Re: [OAUTH-WG] Looking for a compromise on signatures and other open issues

+1 I think this is a great path forward On 9/28/10 2:25 AM, Eran Hammer-Lahav wrote: (Please take a break from the other threads and read this with an open mind. I have tried to make this both informative and balanced.) --- IETF Process For those unfamiliar with the IETF process, we operat

Re: [OAUTH-WG] Looking for a compromise on signatures and other open issues

+1 to split the spec into multiple parts Am 28.09.2010 08:25, schrieb Eran Hammer-Lahav: (Please take a break from the other threads and read this with an open mind. I have tried to make this both informative and balanced.) --- IETF Process For those unfamiliar with the IETF process, we op

Re: [OAUTH-WG] Signatures...what are we trying to solve?

I think of the signature issues as falling into two classes... I think they map to your classification as well... * *Signing tokens* is important for interoperability especially looking forward to a time when tokens issued by multiple Authorization Servers are accepted at a given h

Re: [OAUTH-WG] Looking for a compromise on signatures and other open issues

+1 on the split. I think it's an elegant approach, and it won't be any harder to follow than a monolithic spec with multiple optional sections. Especially if we put together the right guidance as a gateway to the spec. OAuth 1.0 (and -a) really talk about three different things: how to get a token

Re: [OAUTH-WG] Basic signature support in the core specification

Yes, I'm willing to write guides for the profiles that I use, once things settle down and we know what the protocol actually is. :) I'd argue that Facebook's developer docs are a start for "bearer tokens using the UX extension and web server/user agent profiles" already. I think that the most sens

Re: [OAUTH-WG] Looking for a compromise on signatures and other open issues

Sounds great Eran, > 1. Add a parameter to the token response to include an extensible token > scheme. Yes. I suggest a parameter named "scheme". The value can be an HTTP authentication scheme name (eg "scheme":"BASIC") for which the response is providing credentials. Not all possibilities