[OAUTH-WG] FYI: security analysis of double-redirection protocols, including OAuth 2.0

2011-02-08 Thread Francisco Corella
Hi, We've written a technical report that has a security analysis of double-redirection protocols such as OpenID and OAuth.  Section 3.5 discusses OAuth 2.0.  Most of section 4 may also be of interest to this list.  You can find the report at http://www.pomcor.com/techreports/DoubleRedirection.

Re: [OAUTH-WG] Bearer token scheme name - new vote deadline Sat, 2/12

2011-02-08 Thread David Recordon
Sorry, read the previous version of this poll. Meant #2 in this one. On Tue, Feb 8, 2011 at 10:08 PM, David Recordon wrote: > #1 > > On Tue, Feb 8, 2011 at 3:04 PM, Mike Jones > wrote: >> Given that people are clearly voting to change the bearer token scheme name, >> but that there is also sign

Re: [OAUTH-WG] Bearer token scheme name - new vote deadline Sat, 2/12

2011-02-08 Thread David Recordon
#1 On Tue, Feb 8, 2011 at 3:04 PM, Mike Jones wrote: > Given that people are clearly voting to change the bearer token scheme name, > but that there is also significant discussion asking for “OAuth2” to be part > of the name, I’d like to settle the matter by vote on the list.  Please vote > for o

Re: [OAUTH-WG] Bearer token scheme name - new vote deadline Sat, 2/12

2011-02-08 Thread Anthony Nadalin
#1 From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf Of Mike Jones Sent: Tuesday, February 08, 2011 3:05 PM To: oauth@ietf.org Subject: [OAUTH-WG] Bearer token scheme name - new vote deadline Sat, 2/12 Given that people are clearly voting to change the bearer token scheme na

Re: [OAUTH-WG] Bearer token scheme name - new vote deadline Sat, 2/12

2011-02-08 Thread Franklin Tse
#2 -- From: "Mike Jones" Date: Wednesday, 09 February, 2011 07:04 To: Subject: [OAUTH-WG] Bearer token scheme name - new vote deadline Sat, 2/12 > Given that people are clearly voting to change the bearer token scheme name, > but that there is al

Re: [OAUTH-WG] Bearer token scheme name - new vote deadline Sat, 2/12

2011-02-08 Thread William Mills
#2 From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf Of Mike Jones Sent: Wednesday, 9 February 2011 10:05 AM To: oauth@ietf.org Subject: [OAUTH-WG] Bearer token scheme name - new vote deadline Sat, 2/12 Given that people are clearly voting to change the bearer token scheme n

Re: [OAUTH-WG] Bearer token scheme name - new vote deadline Sat, 2/12

2011-02-08 Thread Phil Hunt
#2. Phil phil.h...@oracle.com On 2011-02-08, at 3:04 PM, Mike Jones wrote: > Given that people are clearly voting to change the bearer token scheme name, > but that there is also significant discussion asking for “OAuth2” to be part > of the name, I’d like to settle the matter by vote on th

Re: [OAUTH-WG] Bearer token scheme name - new vote deadline Sat, 2/12

2011-02-08 Thread Justin Hart
#2 Justin Hart jh...@photobucket.com On Feb 8, 2011, at 4:04 PM, Mike Jones wrote: Given that people are clearly voting to change the bearer token scheme name, but that there is also significant discussion asking for “OAuth2” to be part of the name, I’d like

Re: [OAUTH-WG] Bearer token scheme name - new vote deadline Sat, 2/12

2011-02-08 Thread Michael D Adams
On Tue, Feb 8, 2011 at 3:04 PM, Mike Jones wrote: > Given that people are clearly voting to change the bearer token scheme name, > but that there is also significant discussion asking for “OAuth2” to be part > of the name, I’d like to settle the matter by vote on the list.  Please vote > for one o

Re: [OAUTH-WG] Bearer token scheme name - new vote deadline Sat, 2/12

2011-02-08 Thread Eran Hammer-Lahav
#2 From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf Of Mike Jones Sent: Tuesday, February 08, 2011 3:17 PM To: Manger, James H; oauth@ietf.org Subject: Re: [OAUTH-WG] Bearer token scheme name - new vote deadline Sat, 2/12 Yes, but it also had other options that were "none o

Re: [OAUTH-WG] Bearer token scheme name - new vote deadline Sat, 2/12

2011-02-08 Thread Mike Jones
Yes, but it also had other options that were "none of the above" relative to this naming issue. I'd like to obtain an unambiguous outcome on this point by having people vote between two choices. I personally agree with those that made the case that it is presumptive to claim the generic name "

Re: [OAUTH-WG] Bearer token scheme name - new vote deadline Sat, 2/12

2011-02-08 Thread Eran Hammer-Lahav
Why are we doing this again??? This was clearly option #3 which got no support. EHL From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf Of Mike Jones Sent: Tuesday, February 08, 2011 3:05 PM To: oauth@ietf.org Subject: [OAUTH-WG] Bearer token scheme name - new vote deadline Sa

Re: [OAUTH-WG] Bearer token scheme name - new vote deadline Sat, 2/12

2011-02-08 Thread Manger, James H
The previous poll already had these two options, with the non-OAuth-specific name getting 14 votes to 1 vote for an OAuth prefix. 1. Descriptive, non-OAuth-specific scheme names (Bearer, MAC) ... 3. Name prefix (e.g. oauth2_bearer) I vote for 2 "Bearer". -- James Manger From: oauth-

Re: [OAUTH-WG] Bearer token type and scheme name (deadline: 2/10)

2011-02-08 Thread Mike Jones
It will be either OAuth2Bearer or Bearer, depending upon the outcome of the vote just sent to the list. -- Mike -Original Message- From: Eran Hammer-Lahav [mailto:e...@hueniverse.com] Sent: Tuesday, February 08, 2011 2:48 PM To: Mike Jones; Marius Scurtes

[OAUTH-WG] Bearer token scheme name - new vote deadline Sat, 2/12

2011-02-08 Thread Mike Jones
Given that people are clearly voting to change the bearer token scheme name, but that there is also significant discussion asking for "OAuth2" to be part of the name, I'd like to settle the matter by vote on the list. Please vote for one of the following names: 1. OAuth2Bearer 2. Bearer

Re: [OAUTH-WG] Bearer token type and scheme name (deadline: 2/10)

2011-02-08 Thread Eran Hammer-Lahav
Thanks Mike. How are you going to show the scheme name? bearer, Bearer, BEARER, ...? It is case-insensitive but want to be consistent. EHL > -Original Message- > From: Mike Jones [mailto:michael.jo...@microsoft.com] > Sent: Tuesday, February 08, 2011 9:46 AM > To: Marius Scurtescu; Eran

Re: [OAUTH-WG] Discovery RE: Bearer token type and scheme name (deadline: 2/10)

2011-02-08 Thread Eran Hammer-Lahav
Realm is really only useful when MAC is used outside of OAuth like Basic or Digest and informs the client when it should try and reuse the same credentials. But with OAuth, presumably, the server will tell the client (using a parameter or documentation) where to use the token, making realm point

Re: [OAUTH-WG] Discovery RE: Bearer token type and scheme name (deadline: 2/10)

2011-02-08 Thread William Mills
So, if we go with the Link approach and we are thinking in the context of the MAC token draft, how is realm used in some sane way? Am I right that a server might know of multiple ways to obtain a MAC token? Should we define the realm "oauth2" and then have that imply the link relationship name

Re: [OAUTH-WG] How to send parameter from facebook app and return the same

2011-02-08 Thread Michael D Adams
On Tue, Feb 8, 2011 at 1:45 AM, Anil Bhat wrote: > Hi, > > I want to send user id as a parameter in my facebook app and want to > return the same to keep track of the user who's connected to facebook > from my app. I'm using Oauth2 methods - authorize_url and > get_access_token. I tried to add par

Re: [OAUTH-WG] New Working Group Items?

2011-02-08 Thread Igor Faynberg
Hannes, A comprehensive list! I am in support of all items listed, and I commit to reviewing all of them (and contributing where I will see significant gaps). One comment on the use cases (my pet peeve). Those were specifically requested by Peter at the first OAuth meeting, and I think they

Re: [OAUTH-WG] New Working Group Items?

2011-02-08 Thread Justin Richer
B) HTTP Authentication: MAC Authentication http://datatracker.ietf.org/doc/draft-hammer-oauth-v2-mac-token/ In favor of adopting as WG item, willing to review. C) Token Revocation http://tools.ietf.org/html/draft-lodderstedt-oauth-revocation-01 In favor of adopting as WG item, willing to rev

Re: [OAUTH-WG] New Working Group Items?

2011-02-08 Thread Igor Faynberg
Definitely, we have many common ideas! I think we need to get an I-D out with a crisp proposal. Igor Kristoffer Gronowski wrote: Hi Igor! That is exactly what I would like to explore! My thinking was that the authorization server should be quite simple. There should be no advanced things lik

Re: [OAUTH-WG] Bearer token type and scheme name (deadline: 2/10)

2011-02-08 Thread Mike Jones
I'm likewise OK with #1. As I'd written previously, I wasn't religious about the name "OAuth2"; I was for it to be consistent with past drafts and so as not to introduce a breaking change. Given that there appears to be consensus to make a change, I'll plan on publishing a draft later this

Re: [OAUTH-WG] Bearer token type and scheme name (deadline: 2/10)

2011-02-08 Thread Marius Scurtescu
On Mon, Feb 7, 2011 at 9:59 PM, Eran Hammer-Lahav wrote: > Mike, Brian, Dirk, and Marius – can you live with #1? Works for me. Marius

Re: [OAUTH-WG] draft-hammer-oauth-v2-mac-token-02

2011-02-08 Thread Eran Hammer-Lahav
While important, the body is not always available for inspection and hashing. All the parameters normalization is done to ensure it will be possible on even the most limited platform. The same cannot be done for the body. That's why it is optional. EHL > -Original Message- > From: Skyl

Re: [OAUTH-WG] who is working on security considerations?

2011-02-08 Thread Hannes Tschofenig
Certainly right, Eran. Torsten, submit the draft ASAP. On 2/7/11 8:40 PM, "Hammer-Lahav Hammer-Lahav" wrote: > It would probably be helpful to do this work in public. If not via I-Ds (even > if very rough) than via github etc. > > EHL > >> -Original Message- >> From: oauth-boun...@ie

[OAUTH-WG] How to send parameter from facebook app and return the same

2011-02-08 Thread Anil Bhat
Hi, I want to send user id as a parameter in my facebook app and want to return the same to keep track of the user who's connected to facebook from my app. I'm using Oauth2 methods - authorize_url and get_access_token. I tried to add parameter here but didn't work. If anyone has any idea, please s

Re: [OAUTH-WG] draft-hammer-oauth-v2-mac-token-02

2011-02-08 Thread Skylar Woodward
On Feb 8, 2011, at 6:45 AM, Eran Hammer-Lahav wrote: > This authentication method comes with well understood security properties. By > making query parameters optional because of developer ease, providers will be > giving up an important part of the protection this protocol offers. This is > esp

Re: [OAUTH-WG] draft-hammer-oauth-v2-mac-token-02

2011-02-08 Thread Eran Hammer-Lahav
There is no way I'm going to allow not signing the request URI and any query parameters. That leaves just the body... EHL > -Original Message- > From: Skylar Woodward [mailto:sky...@kiva.org] > Sent: Monday, February 07, 2011 11:43 PM > To: Eran Hammer-Lahav > Cc: OAuth WG > Subject: Re:

Re: [OAUTH-WG] Discovery RE: Bearer token type and scheme name (deadline: 2/10)

2011-02-08 Thread Eran Hammer-Lahav
> -Original Message- > From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf > Of Manger, James H > Sent: Monday, February 07, 2011 11:31 PM > 3. Define link relations. >Link: rel="oauth2-auth" > > This feels possible, but not ideal