Re: [OAUTH-WG] Bearer token type and scheme name (deadline: 2/10)

Scurtescu Cc: OAuth WG Subject: RE: [OAUTH-WG] Bearer token type and scheme name (deadline: 2/10) Thanks Mike. How are you going to show the scheme name? bearer, Bearer, BEARER, ...? It is case-insensitive but want to be consistent. EHL > -Original Message- > From: Mike

Re: [OAUTH-WG] Bearer token type and scheme name (deadline: 2/10)

us Scurtescu; Eran Hammer-Lahav > Cc: OAuth WG > Subject: RE: [OAUTH-WG] Bearer token type and scheme name (deadline: > 2/10) > > I'm likewise OK with #1. As I'd written previously, I wasn't religious about > the > name "OAuth2"; I was for it for to be con

Re: [OAUTH-WG] Bearer token type and scheme name (deadline: 2/10)

Marius Scurtescu Sent: Tuesday, February 08, 2011 9:24 AM To: Eran Hammer-Lahav Cc: OAuth WG Subject: Re: [OAUTH-WG] Bearer token type and scheme name (deadline: 2/10) On Mon, Feb 7, 2011 at 9:59 PM, Eran Hammer-Lahav wrote: > Mike, Brian, Dirk, and Marius - can you liv

Re: [OAUTH-WG] Bearer token type and scheme name (deadline: 2/10)

On Mon, Feb 7, 2011 at 9:59 PM, Eran Hammer-Lahav wrote: > Mike, Brian, Dirk, and Marius – can you live with #1? Works for me. Marius ___ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth

Re: [OAUTH-WG] Bearer token type and scheme name (deadline: 2/10)

Hi All, I vote for #1 - the proposal is simple and straightforward. However, as one of the authors of WRAP - I am rather fond of bearer tokens. Replacing OAuth 1.0 tokens with bearer tokens was one of the primary goals of WRAP, so #4 makes a lot of sense to me too. That being said, #1 is simple

Re: [OAUTH-WG] Bearer token type and scheme name (deadline: 2/10)

To: OAuth WG Subject: [OAUTH-WG] Bearer token type and scheme name (deadline: 2/10) After a long back-and-forth, I think it is time to present a few options and have people express their preferences. These are the options mentioned so far and their +/-: 1. Descriptive, non-OAuth-specific scheme

Re: [OAUTH-WG] Bearer token type and scheme name (deadline: 2/10)

e something other than an OAuth >> token is not compatible with the specification language, but this is just >> terminology and has little to no practical implications. >> >> >> EHL >> >> >> From: Phil Hunt [mailto:phil.h...@oracle.com] &

Re: [OAUTH-WG] Bearer token type and scheme name (deadline: 2/10)

* Monday, February 07, 2011 10:16 AM > *To:* Eran Hammer-Lahav > *Cc:* Dirk Balfanz; Manger, James H; OAuth WG > *Subject:* Re: [OAUTH-WG] Bearer token type and scheme name (deadline: > 2/10) > > > > I don't agree that at token issued by an OAuth server is by definition an &

Re: [OAUTH-WG] Bearer token type and scheme name (deadline: 2/10)

To: Eran Hammer-Lahav > Cc: Dirk Balfanz; Manger, James H; OAuth WG > Subject: Re: [OAUTH-WG] Bearer token type and scheme name (deadline: 2/10) > > > > I don't agree that at token issued by an OAuth server is by definition an > OAuth token. > > > > OA

Re: [OAUTH-WG] Bearer token type and scheme name (deadline: 2/10)

bject: Re: [OAUTH-WG] Bearer token type and scheme name (deadline: 2/10) I don't agree that at token issued by an OAuth server is by definition an OAuth token. OAuth describes a flow pattern around how tokens may be obtained, etc. There are many types of tokens that could be employed. OAut

Re: [OAUTH-WG] Bearer token type and scheme name (deadline: 2/10)

ahav > Cc: Dirk Balfanz; Manger, James H; OAuth WG > Subject: Re: [OAUTH-WG] Bearer token type and scheme name (deadline: 2/10) > > -1 > > I don't agree fully here. > > Phil > > Sent from my phone. > > On 2011-02-07, at 0:02, Eran Hammer-Lahav wrote: >

Re: [OAUTH-WG] Bearer token type and scheme name (deadline: 2/10)

What don’t you agree with? EHL From: Phillip Hunt [mailto:phil.h...@oracle.com] Sent: Monday, February 07, 2011 8:29 AM To: Eran Hammer-Lahav Cc: Dirk Balfanz; Manger, James H; OAuth WG Subject: Re: [OAUTH-WG] Bearer token type and scheme name (deadline: 2/10) -1 I don't agree fully

Re: [OAUTH-WG] Bearer token type and scheme name (deadline: 2/10)

1 11:16 PM > To: Manger, James H > Cc: OAuth WG > Subject: Re: [OAUTH-WG] Bearer token type and scheme name (deadline: 2/10) > > > > > > On Sun, Feb 6, 2011 at 4:26 AM, Manger, James H > wrote: > > Dirk said: > > > FWIW, I agree with B

Re: [OAUTH-WG] Bearer token type and scheme name (deadline: 2/10)

EHL From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf Of Dirk Balfanz Sent: Sunday, February 06, 2011 11:16 PM To: Manger, James H Cc: OAuth WG Subject: Re: [OAUTH-WG] Bearer token type and scheme name (deadline: 2/10) On Sun, Feb 6, 2011 at 4:26 AM, Manger, James H mailto:j

Re: [OAUTH-WG] Bearer token type and scheme name (deadline: 2/10)

On Sun, Feb 6, 2011 at 4:26 AM, Manger, James H < james.h.man...@team.telstra.com> wrote: > Dirk said: > > > FWIW, I agree with Brian - it [the “Bearer” scheme] should say OAuth > somewhere, because it's an OAuth token. > > > > OAuth can deliver any variety of bearer token: SAML, JWT, SWT, opaque

Re: [OAUTH-WG] Bearer token type and scheme name (deadline: 2/10)

Dirk said: > FWIW, I agree with Brian - it [the "Bearer" scheme] should say OAuth > somewhere, because it's an OAuth token. OAuth can deliver any variety of bearer token: SAML, JWT, SWT, opaque id, anything else. Conversely, any of these tokens can come from a variety of sources: a user-del

Re: [OAUTH-WG] Bearer token type and scheme name (deadline: 2/10)

Brian said: > How do we reconcile "Bearer" with "Negotiate", "NTLM", "Basic", and > "GoogleLogin"? All of those examples are widely deployed and use > bearer tokens in Authorization headers. Should all of those switch to > using the "Bearer" scheme as well? "Basic" & "NTLM" are password schemes;

Re: [OAUTH-WG] Bearer token type and scheme name (deadline: 2/10)

t;blah blah blah" auth_types="Bearer MAC >> Basic" >> >> The client has to be aware of the authentication scheme names. >> >> -bill >> >>> -Original Message- >>> From: Phil Hunt [mailto:phil.h...@oracle.com] >>>

Re: [OAUTH-WG] Bearer token type and scheme name (deadline: 2/10)

l.h...@oracle.com] Sent: Friday, February 04, 2011 1:14 PM To: William Mills Cc: Marius Scurtescu; OAuth WG Subject: Re: [OAUTH-WG] Bearer token type and scheme name (deadline: 2/10) I agree, that is still to be defined. There seems to be some push back on discovery, but this is likely warranted. If o

Re: [OAUTH-WG] Bearer token type and scheme name (deadline: 2/10)

nt:*Thursday, February 03, 2011 12:34 AM *To:*OAuth WG *Subject:*[OAUTH-WG] Bearer token type and scheme name (deadline: 2/10) After a long back-and-forth, I think it is time to present a few options and have people express their preferences. These are the options mentioned so far and their +/-: 1. Desc

Re: [OAUTH-WG] Bearer token type and scheme name (deadline: 2/10)

ication scheme names. -bill > -Original Message- > From: Phil Hunt [mailto:phil.h...@oracle.com] > Sent: Friday, February 04, 2011 1:14 PM > To: William Mills > Cc: Marius Scurtescu; OAuth WG > Subject: Re: [OAUTH-WG] Bearer token type and scheme name (deadline: >

Re: [OAUTH-WG] Bearer token type and scheme name (deadline: 2/10)

> -Original Message- > From: Marius Scurtescu [mailto:mscurte...@google.com] > Sent: Friday, February 04, 2011 9:39 AM > >> > - schemes are not easily reusable outside OAuth. > >> > >> Sure. But I really don't see this group trying to create generic > >> authentication schemes. > > > > M

Re: [OAUTH-WG] Bearer token type and scheme name (deadline: 2/10)

, or >>>> whatever. >>>> >>>> Phil >>>> phil.h...@oracle.com >>>> >>>> >>>> >>>> >>>> On 2011-02-04, at 9:39 AM, Marius Scurtescu wrote: >>>> >>>>> On Thu, Feb 3, 2011 a

Re: [OAUTH-WG] Bearer token type and scheme name (deadline: 2/10)

] > Sent: Friday, February 04, 2011 11:37 AM > To: William Mills > Cc: Marius Scurtescu; OAuth WG > Subject: Re: [OAUTH-WG] Bearer token type and scheme name (deadline: > 2/10) > > Yes. This should be defined in each token type specification. > > Phil > phil.h...@oracl

Re: [OAUTH-WG] Bearer token type and scheme name (deadline: 2/10)

ge- >> From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf >> Of Phil Hunt >> Sent: Friday, February 04, 2011 9:42 AM >> To: Marius Scurtescu >> Cc: OAuth WG >> Subject: Re: [OAUTH-WG] Bearer token type and scheme name (deadline: >>

Re: [OAUTH-WG] Bearer token type and scheme name (deadline: 2/10)

Scurtescu > Cc: OAuth WG > Subject: Re: [OAUTH-WG] Bearer token type and scheme name (deadline: > 2/10) > > OAuth should be able to support other token schemes. > > Or conversely you don't have to have OAuth to use MAC, JWT, or > whatever. > > Phil > phil.h.

Re: [OAUTH-WG] Bearer token type and scheme name (deadline: 2/10)

type and scheme name (deadline: 2/10) After a long back-and-forth, I think it is time to present a few options and have people express their preferences. These are the options mentioned so far and their +/-: 1. Descriptive, non-OAuth-specific scheme names (Bearer, MAC) Each token type

Re: [OAUTH-WG] Bearer token type and scheme name (deadline: 2/10)

t;> Hey Marius, >> >>> -Original Message- >>> From: Marius Scurtescu [mailto:mscurte...@google.com] >>> Sent: Thursday, February 03, 2011 10:36 AM >>> To: Eran Hammer-Lahav >>> Cc: OAuth WG >>> Subject: Re: [OAUTH-WG] Bearer token type

Re: [OAUTH-WG] Bearer token type and scheme name (deadline: 2/10)

On Thu, Feb 3, 2011 at 11:39 AM, Eran Hammer-Lahav wrote: > Hey Marius, > >> -Original Message- >> From: Marius Scurtescu [mailto:mscurte...@google.com] >> Sent: Thursday, February 03, 2011 10:36 AM >> To: Eran Hammer-Lahav >> Cc: OAuth WG >> Sub

Re: [OAUTH-WG] Bearer token type and scheme name (deadline: 2/10)

wrote: > > > -Original Message- > > From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf > > Of Brian Eaton > > Sent: Thursday, February 03, 2011 11:58 PM > > To: Manger, James H > > Cc: OAuth WG > > Subject: Re: [OAUTH-WG] Bea

Re: [OAUTH-WG] Bearer token type and scheme name (deadline: 2/10)

> -Original Message- > From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf > Of Brian Eaton > Sent: Thursday, February 03, 2011 11:58 PM > To: Manger, James H > Cc: OAuth WG > Subject: Re: [OAUTH-WG] Bearer token type and scheme name (deadline: &

Re: [OAUTH-WG] Bearer token type and scheme name (deadline: 2/10)

get their heads > around this complex space. > > > > -- > > James Manger > > > > From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf Of > Eran Hammer-Lahav > Sent: Thursday, 3 February 2011 7:34 PM > To: OAuth WG > > Subject: [OAUTH-WG]

Re: [OAUTH-WG] Bearer token type and scheme name (deadline: 2/10)

elpful for lots of people now and in the future trying to get their heads around this complex space. -- James Manger From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf Of Eran Hammer-Lahav Sent: Thursday, 3 February 2011 7:34 PM To: OAuth WG Subject: [OAUTH-WG] Bearer to

Re: [OAUTH-WG] Bearer token type and scheme name (deadline: 2/10)

+1 #1 On Feb 3, 2011, at 3:21 PM, Brian Campbell wrote: > Also #1 > > On Thu, Feb 3, 2011 at 1:47 PM, Justin Hart wrote: >> #1, which is nice to support the OAuth2 scheme as previously discussed >> (Hunt, etc) as a legacy type (can be specified in a migration spec). >> >> -- Justin Hart >>

Re: [OAUTH-WG] Bearer token type and scheme name (deadline: 2/10)

Also #1 On Thu, Feb 3, 2011 at 1:47 PM, Justin Hart wrote: > #1, which is nice to support the OAuth2 scheme as previously discussed > (Hunt, etc) as a legacy type (can be specified in a migration spec). > > -- Justin Hart > -- jh...@photobucket.com > > > > > > On Feb 3, 2011, at 1:34 AM, Era

Re: [OAUTH-WG] Bearer token type and scheme name (deadline: 2/10)

#1, which is nice to support the OAuth2 scheme as previously discussed (Hunt, etc) as a legacy type (can be specified in a migration spec). -- Justin Hart -- jh...@photobucket.com On Feb 3, 2011, at 1:34 AM, Eran Hammer-Lahav wrote: After a long back-and-f

Re: [OAUTH-WG] Bearer token type and scheme name (deadline: 2/10)

Hey Marius, > -Original Message- > From: Marius Scurtescu [mailto:mscurte...@google.com] > Sent: Thursday, February 03, 2011 10:36 AM > To: Eran Hammer-Lahav > Cc: OAuth WG > Subject: Re: [OAUTH-WG] Bearer token type and scheme name (deadline: > 2/10) > > On T

Re: [OAUTH-WG] Bearer token type and scheme name (deadline: 2/10)

On Thu, Feb 3, 2011 at 12:34 AM, Eran Hammer-Lahav wrote: > 2. Single OAuth2 scheme with sub-schemes > > Define a single authentication scheme for all token types with some > attribute used to detect which scheme is actually being used. > > Benefits: > > - single scheme, reuse of the 1.0 pattern.

Re: [OAUTH-WG] Bearer token type and scheme name (deadline: 2/10)

Cc: oauth@ietf.org Subject: Re: [OAUTH-WG] Bearer token type and scheme name (deadline: 2/10) BTW, if you vote for #1, OAUTH2 could be reserved for legacy behaviour. Phil phil.h...@oracle.com On 2011-02-03, at 10:10 AM, Peter Saint-Andre wrote: With my individual contributor hat on, I

Re: [OAUTH-WG] Bearer token type and scheme name (deadline: 2/10)

On Thu, Feb 3, 2011 at 12:34 AM, Eran Hammer-Lahav wrote: > 1. Descriptive, non-OAuth-specific scheme names (Bearer, MAC) I vote #1. In addition to the pros/cons Eran mentioned, it seems the simplest and cleanest so will cause the least confusion. William and others brought up backward compatib

Re: [OAUTH-WG] Bearer token type and scheme name (deadline: 2/10)

s > wrote: > >>> I'm coming around to #1, I'll put my vote there.I do agree that > we have > >>> usage out there of the OAuth2 scheme and we need not to break that, > how do > >>> we solve that? > >>> > >>>

Re: [OAUTH-WG] Bearer token type and scheme name (deadline: 2/10)

there of the OAuth2 scheme and we need not to break that, how do >> we solve that? >> >> >> >> From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf Of >> Eran Hammer-Lahav >> Sent: Thursday, February 03, 2011 12:34 AM >> To: OAuth WG

Re: [OAUTH-WG] Bearer token type and scheme name (deadline: 2/10)

to break that, how do >>> we solve that? >>> >>> >>> >>> From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf Of >>> Eran Hammer-Lahav >>> Sent: Thursday, February 03, 2011 12:34 AM >>> To: OAuth WG >

Re: [OAUTH-WG] Bearer token type and scheme name (deadline: 2/10)

to working group last call, I > would personally vote no to introducing any further any breaking changes. > > -- Mike > > From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf Of > Eran Hammer-Lahav > Sen

Re: [OAUTH-WG] Bearer token type and scheme name (deadline: 2/10)

do agree that we have >> usage out there of the OAuth2 scheme and we need not to break that, how do >> we solve that? >> >> >> >> From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf Of >> Eran Hammer-Lahav >> Sent: Thursday, Februa

Re: [OAUTH-WG] Bearer token type and scheme name (deadline: 2/10)

uth-boun...@ietf.org] On Behalf Of > Eran Hammer-Lahav > Sent: Thursday, February 03, 2011 12:34 AM > To: OAuth WG > Subject: [OAUTH-WG] Bearer token type and scheme name (deadline: 2/10) > > > > After a long back-and-forth, I think it is time to present a few options and >

Re: [OAUTH-WG] Bearer token type and scheme name (deadline: 2/10)

av" ; "OAuth WG" Subject: Re: [OAUTH-WG] Bearer token type and scheme name (deadline: 2/10) > I realize that spec stability doesn't matter to you, but that doesn't mean > that it's not important to others, including those actually using the specs. > Call t

Re: [OAUTH-WG] Bearer token type and scheme name (deadline: 2/10)

- Mike From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf Of Eran Hammer-Lahav Sent: Thursday, February 03, 2011 12:34 AM To: OAuth WG Subject: [OAUTH-WG] Bearer token type and scheme name (deadline: 2/10) After a long back-and-forth, I think it is time to present a few options an

Re: [OAUTH-WG] Bearer token type and scheme name (deadline: 2/10)

alf Of Eran Hammer-Lahav Sent: Thursday, February 03, 2011 12:34 AM To: OAuth WG Subject: [OAUTH-WG] Bearer token type and scheme name (deadline: 2/10) After a long back-and-forth, I think it is time to present a few options and have people express their preferences. These are the options ment

Re: [OAUTH-WG] Bearer token type and scheme name (deadline: 2/10)

ay, February 03, 2011 12:34 AM To: OAuth WG Subject: [OAUTH-WG] Bearer token type and scheme name (deadline: 2/10) After a long back-and-forth, I think it is time to present a few options and have people express their preferences. These are the options mentioned so far and their +/-: 1. Descrip

Re: [OAUTH-WG] Bearer token type and scheme name (deadline: 2/10)

oauth-boun...@ietf.org] On Behalf Of Eran Hammer-Lahav Sent: Thursday, February 03, 2011 12:34 AM To: OAuth WG Subject: [OAUTH-WG] Bearer token type and scheme name (deadline: 2/10) After a long back-and-forth, I think it is time to present a few options and have people express their preferences.

Re: [OAUTH-WG] Bearer token type and scheme name (deadline: 2/10)

[mailto:oauth-boun...@ietf.org] On Behalf Of Eran Hammer-Lahav Sent: Thursday, February 03, 2011 12:34 AM To: OAuth WG Subject: [OAUTH-WG] Bearer token type and scheme name (deadline: 2/10) After a long back-and-forth, I think it is time to present a few options and have people express their prefe

Re: [OAUTH-WG] Bearer token type and scheme name (deadline: 2/10)

3, 2011 12:34 AM To: OAuth WG Subject: [OAUTH-WG] Bearer token type and scheme name (deadline: 2/10) After a long back-and-forth, I think it is time to present a few options and have people express their preferences. These are the options mentioned so far and their +/-: 1. Descriptive, non-OAut

Re: [OAUTH-WG] Bearer token type and scheme name (deadline: 2/10)

-- Mike From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf Of Eran Hammer-Lahav Sent: Thursday, February 03, 2011 12:34 AM To: OAuth WG Subject: [OAUTH-WG] Bearer token type and scheme name (deadline: 2/10) After a long back-and-forth, I think it is time to presen

[OAUTH-WG] Bearer token type and scheme name (deadline: 2/10)

After a long back-and-forth, I think it is time to present a few options and have people express their preferences. These are the options mentioned so far and their +/-: 1. Descriptive, non-OAuth-specific scheme names (Bearer, MAC) Each token type gets its own name (which does not include the w