Re: [OAUTH-WG] Proposal to drop/relocate response_type=code_and_token

I am not going to spend the time it will take to write it in the new organization only to take it out later. I much rather take it out in -12 and put it right back in -13 if they rejoin us and show support. As for damage, since this is a well-contained feature that is trivial to add as an exten

Re: [OAUTH-WG] Proposal to drop/relocate response_type=code_and_token

On Wed, Jan 19, 2011 at 6:14 PM, Eran Hammer-Lahav wrote: > Since no one else (other than you) showed any interest in keeping this > section in for the past 9 days, I assume they don't care. I will remove this. This is an unfortunate assumption, and I think it could do serious damage to the spec

Re: [OAUTH-WG] Proposal to drop/relocate response_type=code_and_token

On Wed, Jan 19, 2011 at 6:11 PM, Eran Hammer-Lahav wrote: > Will this HTML5 magic involve making a single authorization request > (redirection) or two? It's not magic, it's window.postMessage(). It's an authenticated low-latency channel between windows or iframes. There is more than one way to

Re: [OAUTH-WG] Proposal to drop/relocate response_type=code_and_token

> -Original Message- > From: Brian Eaton [mailto:bea...@google.com] > Sent: Wednesday, January 19, 2011 6:10 PM > To: Eran Hammer-Lahav > Cc: OAuth WG > Subject: Re: [OAUTH-WG] Proposal to drop/relocate > response_type=code_and_token > > On Wed, Jan 19, 2011 at 6:05 PM, Eran Hammer-Lahav

Re: [OAUTH-WG] Proposal to drop/relocate response_type=code_and_token

> -Original Message- > From: Brian Eaton [mailto:bea...@google.com] > Sent: Wednesday, January 19, 2011 6:10 PM > To: Eran Hammer-Lahav > Cc: OAuth WG > Subject: Re: [OAUTH-WG] Proposal to drop/relocate > response_type=code_and_token > > On Wed, Jan 19, 2011 at 6:05 PM, Eran Hammer-Lahav

Re: [OAUTH-WG] Proposal to drop/relocate response_type=code_and_token

On Wed, Jan 19, 2011 at 6:05 PM, Eran Hammer-Lahav wrote: > Can I take this as an endorsement for dropping it? It feels very experimental > and should be easy to add as an extension. I defer to the several other people who were interested in this approach. From memory, that's Brian Ellin, Luke

Re: [OAUTH-WG] Proposal to drop/relocate response_type=code_and_token

Can I take this as an endorsement for dropping it? It feels very experimental and should be easy to add as an extension. As for your plan, will this work with a single authorization generating both a token and code? EHL > -Original Message- > From: Brian Eaton [mailto:bea...@google.com

Re: [OAUTH-WG] Proposal to drop/relocate response_type=code_and_token

On Tue, Jan 11, 2011 at 4:40 PM, Brian Eaton wrote: > On Tue, Jan 11, 2011 at 1:21 PM, Eran Hammer-Lahav > wrote: >> But that's just an annoying implementation detail. > > Yes.  The user-agent flow is a set of annoying implementation details > that are very, very useful if you want to make the p

Re: [OAUTH-WG] Bear token scheme name

I'd like a sense from the working group whether others want this change, and if so, what the name should be changed to. Thanks, -- Mike From: Eran Hammer-Lahav [mailto:e...@hue

Re: [OAUTH-WG] Removal: 'OAuth2' HTTP Authentication Scheme

On Wed, Jan 19, 2011 at 9:50 AM, William Mills wrote: > Yes it’s old, 1 week form expiring too.  The specs seem to be stabilizing > now so it’s worth updating.   Has there been any other discovery proposal > yet? Nothing concrete AFAIK, but for SASL we also discussed using host-meta style discove

Re: [OAUTH-WG] Removal: 'OAuth2' HTTP Authentication Scheme

Yes it's old, 1 week form expiring too. The specs seem to be stabilizing now so it's worth updating. Has there been any other discovery proposal yet? From: Eran Hammer-Lahav [mailto:e...@hueniverse.com] Sent: Wednesday, January 19, 2011 9:46 AM To: William Mills; OAuth WG Subject: RE: Removal:

Re: [OAUTH-WG] Removal: 'OAuth2' HTTP Authentication Scheme

Thanks. Seems like this draft is based on an old version of the v2 specification. Stuff like signature and endpoint location is long gone... EHL From: William Mills [mailto:wmi...@yahoo-inc.com] Sent: Wednesday, January 19, 2011 9:39 AM To: Eran Hammer-Lahav; OAuth WG Subject: RE: Removal: 'OAu

Re: [OAUTH-WG] Removal: 'OAuth2' HTTP Authentication Scheme

http://www.ietf.org/internet-drafts/draft-mills-kitten-sasl-oauth-00.txt From: Eran Hammer-Lahav [mailto:e...@hueniverse.com] Sent: Wednesday, January 19, 2011 9:16 AM To: William Mills; OAuth WG Subject: RE: Removal: 'OAuth2' HTTP Authentication Scheme You're going to make me do all the work...

Re: [OAUTH-WG] Removal: 'OAuth2' HTTP Authentication Scheme

You're going to make me do all the work... Where's the spec? EHL From: William Mills [mailto:wmi...@yahoo-inc.com] Sent: Wednesday, January 19, 2011 9:06 AM To: Eran Hammer-Lahav; OAuth WG Subject: RE: Removal: 'OAuth2' HTTP Authentication Scheme My initial implementation of a SASL mechanism is

Re: [OAUTH-WG] Removal: 'OAuth2' HTTP Authentication Scheme

My initial implementation of a SASL mechanism is now published at https://github.com/sweetums/SASL-OAuth and it conforms to the discovery mechanism in the draft spec for the mechanism. The code is pretty rough, and there's some major portability work to do as well as the fact that there's no au

Re: [OAUTH-WG] Removal: 'OAuth2' HTTP Authentication Scheme

>> On Jan 18, 2011, at 11:13 PM, Eran Hammer-Lahav wrote: >> >>> OAuth is an authorization protocol not an authentication protocol. With the >> exception of the client password credentials passed in the form-encoded >> body, the protocol is completely authentication agnostic for both client >> aut

Re: [OAUTH-WG] Removal: 'OAuth2' HTTP Authentication Scheme

> -Original Message- > From: Subbu Allamaraju [mailto:su...@subbu.org] > Sent: Tuesday, January 18, 2011 11:37 PM > To: Eran Hammer-Lahav > Cc: OAuth WG > Subject: Re: [OAUTH-WG] Removal: 'OAuth2' HTTP Authentication Scheme > > > On Jan 18, 2011, at 11:13 PM, Eran Hammer-Lahav wrote: >