[OAUTH-WG] Returning two tokens. Was: Re: Rechartering

2011-10-25 Thread Bob Van Zant
I'm going to reiterate what has already been said. OAuth already supports what you're trying to do. Just request a token twice, the first time request it with a scope or scopes that allow these special operations. The second time request it with a scope or scopes that do not. In general I really

Re: [OAUTH-WG] Rechartering

2011-10-25 Thread Dave Rochwerger
Hi Dan, I think we are going down the wrong path here. Basically, you've started with the premise of wanting plain HTTP scheme (in some circumstances), which has caused you to suggest both of, firstly, relaxing the only method of encryption in oauth2 and secondly, to further complicate the protoco

Re: [OAUTH-WG] Rechartering

2011-10-25 Thread Dan Taflin
You're right, if tracking was all we needed then a single token would suffice. The reason for two tokens has more to do with the fact that we'd like to allow "protected" operations to be called over plain http. This opens up the possibility of an attacker intercepting the token for his own nefar

Re: [OAUTH-WG] Rechartering

2011-10-25 Thread Dave Rochwerger
Is separating this out into 2 different tokens really the best way to solve your use case? It sounds to me that you simply want to track/log the two types of accesses differently, which can be done entirely outside of the oauth2 process. Just bucket your operations into two piles internally and t

Re: [OAUTH-WG] Rechartering

2011-10-25 Thread Dan Taflin
I would like to second Torsten's pitch for the ability to return multiple access tokens with a single authorization process. The use case for my company is to segment operations into two main categories: protected and confidential. (A possible third category, public, would not require any author

[OAUTH-WG] OAuth 2.0 Bearer Token Specification Draft -11

2011-10-25 Thread Mike Jones
Draft 11 of the OAuth 2.0 Bearer Token Specification has been published. This version is intended for submission to the IESG. It contains the following change: *

[OAUTH-WG] I-D Action: draft-ietf-oauth-v2-bearer-11.txt

2011-10-25 Thread internet-drafts
A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the Web Authorization Protocol Working Group of the IETF. Title : The OAuth 2.0 Authorization Protocol: Bearer Tokens Author(s) : Michael B. Jones