Re: [OAUTH-WG] OAuth 2.0 Bearer Token specification draft -01

2011-01-14 Thread Eran Hammer-Lahav
tf.org] On Behalf > Of Mike Jones > Sent: Friday, January 14, 2011 5:42 PM > To: 'Manger, James H'; oauth@ietf.org > Subject: Re: [OAUTH-WG] OAuth 2.0 Bearer Token specification draft -01 > > Thanks James, > > I wanted to provide feedback on your comments. >

Re: [OAUTH-WG] OAuth 2.0 Bearer Token specification draft -01

2011-01-14 Thread Mike Jones
alf Of Manger, James H Sent: Thursday, December 02, 2010 3:42 PM To: oauth@ietf.org Subject: Re: [OAUTH-WG] OAuth 2.0 Bearer Token specification draft -01 token_type should be an HTTP authentication scheme name (eg "BASIC" or "BEARER" or "MAC"...). The core spec (dra

Re: [OAUTH-WG] OAuth 2.0 Bearer Token specification draft -01

2010-12-06 Thread Manger, James H
Eran, >>> What does scheme=basic mean [in a token response]? > But that has the same security properties as bearer. True. >> Keeping [type and scheme] separate... >> It just means we need another registry (of token_types, with associated >> procedures); and we need an extra spec for each authen

Re: [OAUTH-WG] OAuth 2.0 Bearer Token specification draft -01

2010-12-06 Thread Manger, James H
When a client app gets an OAuth2 token response it needs to know what to do next. In particular, which authentication *protocol* it should use with the received credential. I thought this was what token_type was designed for, hence my suggestion that it hold an HTTP authentication scheme name.

Re: [OAUTH-WG] OAuth 2.0 Bearer Token specification draft -01

2010-12-06 Thread Eran Hammer-Lahav
s Scurtescu [mailto:mscurte...@google.com] > Sent: Monday, December 06, 2010 12:47 PM > To: Eran Hammer-Lahav > Cc: Manger, James H; oauth@ietf.org > Subject: Re: [OAUTH-WG] OAuth 2.0 Bearer Token specification draft -01 > > On Mon, Dec 6, 2010 at 12:43 PM, Eran Hammer-Lahav > wrote: &g

Re: [OAUTH-WG] OAuth 2.0 Bearer Token specification draft -01

2010-12-06 Thread Marius Scurtescu
>> Subject: Re: [OAUTH-WG] OAuth 2.0 Bearer Token specification draft -01 >> >> On Sun, Dec 5, 2010 at 10:34 PM, Eran Hammer-Lahav >> wrote: >> > This is not how most HTTP authentication frameworks work (that was the >> conclusion from my HTTP Token scheme propos

Re: [OAUTH-WG] OAuth 2.0 Bearer Token specification draft -01

2010-12-06 Thread Eran Hammer-Lahav
> -Original Message- > From: Marius Scurtescu [mailto:mscurte...@google.com] > Sent: Monday, December 06, 2010 11:57 AM > To: Eran Hammer-Lahav > Cc: Manger, James H; oauth@ietf.org > Subject: Re: [OAUTH-WG] OAuth 2.0 Bearer Token specification draft -01 > > On S

Re: [OAUTH-WG] OAuth 2.0 Bearer Token specification draft -01

2010-12-06 Thread Marius Scurtescu
On Sun, Dec 5, 2010 at 3:27 PM, Manger, James H wrote: > Marius, > >> How about: >> - keeping the scheme "OAuth2", for both WWW-Authenticate and Authorization >> - define both as name/value pairs (WWW-Authenticate is already) >> - require that one of the pairs be "type=" >> >> For example: >> WWW-

Re: [OAUTH-WG] OAuth 2.0 Bearer Token specification draft -01

2010-12-06 Thread Marius Scurtescu
e asking for a collision here? Marius > > EHL > > -Original Message- > From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf Of > Marius Scurtescu > Sent: Friday, December 03, 2010 4:27 PM > To: Manger, James H > Cc: oauth@ietf.org > Su

Re: [OAUTH-WG] OAuth 2.0 Bearer Token specification draft -01

2010-12-05 Thread Eran Hammer-Lahav
> -Original Message- > From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf > Of Manger, James H > Sent: Thursday, December 02, 2010 7:59 PM > > What does scheme=basic mean [in a token response]? > > It means this token response contains credentials that can be used wi

Re: [OAUTH-WG] OAuth 2.0 Bearer Token specification draft -01

2010-12-05 Thread Eran Hammer-Lahav
-boun...@ietf.org] On Behalf Of Marius Scurtescu Sent: Friday, December 03, 2010 4:27 PM To: Manger, James H Cc: oauth@ietf.org Subject: Re: [OAUTH-WG] OAuth 2.0 Bearer Token specification draft -01 How about: - keeping the scheme "OAuth2", for both WWW-Authenticate and Authorization - defi

Re: [OAUTH-WG] OAuth 2.0 Bearer Token specification draft -01

2010-12-05 Thread Eran Hammer-Lahav
nt: Friday, December 03, 2010 5:08 PM To: Eran Hammer-Lahav; Marius Scurtescu Cc: oauth@ietf.org Subject: RE: [OAUTH-WG] OAuth 2.0 Bearer Token specification draft -01 My assumption about the new token_type parameter is that it would be used to communicate the data type of the token -- not t

Re: [OAUTH-WG] OAuth 2.0 Bearer Token specification draft -01

2010-12-05 Thread Manger, James H
Marius, > How about: > - keeping the scheme "OAuth2", for both WWW-Authenticate and Authorization > - define both as name/value pairs (WWW-Authenticate is already) > - require that one of the pairs be "type=" > > For example: > WWW-Authenticate: OAuth2 type=bearer > Authorization: OAuth2 token=vF9

Re: [OAUTH-WG] OAuth 2.0 Bearer Token specification draft -01

2010-12-03 Thread Mike Jones
, -- Mike -Original Message- From: Eran Hammer-Lahav [mailto:e...@hueniverse.com] Sent: Thursday, December 02, 2010 12:23 PM To: Marius Scurtescu; Mike Jones Cc: oauth@ietf.org Subject: RE: [OAUTH-WG] OAuth 2.0 Bearer Token specification draft -01 > -Original Message- > From:

Re: [OAUTH-WG] OAuth 2.0 Bearer Token specification draft -01

2010-12-03 Thread Marius Scurtescu
How about: - keeping the scheme "OAuth2", for both WWW-Authenticate and Authorization - define both as name/value pairs (WWW-Authenticate is already) - require that one of the pairs be "type=" For example: WWW-Authenticate: OAuth2 type=bearer Authorization: OAuth2 token=vF9dft4qmT, type=bearer Ma

Re: [OAUTH-WG] OAuth 2.0 Bearer Token specification draft -01

2010-12-02 Thread Manger, James H
Eran, > What does scheme=basic mean [in a token response]? It means this token response contains credentials that can be used with the HTTP BASIC authentication scheme. Don't try to use the credentials with any other scheme. The access_token value would be used as the user-id, and the token_se

Re: [OAUTH-WG] OAuth 2.0 Bearer Token specification draft -01

2010-12-02 Thread Manger, James H
token_type should be an HTTP authentication scheme name (eg "BASIC" or "BEARER" or "MAC"...). The core spec (draft-ietf-oauth-v2) should explicitly state this rule. From the token_type, the client app knows which auth scheme to use. [renaming the parameter from "token_type" to "scheme" would help

Re: [OAUTH-WG] OAuth 2.0 Bearer Token specification draft -01

2010-12-02 Thread Marius Scurtescu
t;> Of Marius Scurtescu >> Sent: Thursday, December 02, 2010 12:19 PM >> To: Mike Jones >> Cc: oauth@ietf.org >> Subject: Re: [OAUTH-WG] OAuth 2.0 Bearer Token specification draft -01 >> >> OAuth 2 Protocol Framework v11 introduces a new required parameter: >&

Re: [OAUTH-WG] OAuth 2.0 Bearer Token specification draft -01

2010-12-02 Thread Eran Hammer-Lahav
> -Original Message- > From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf > Of Marius Scurtescu > Sent: Thursday, December 02, 2010 12:19 PM > To: Mike Jones > Cc: oauth@ietf.org > Subject: Re: [OAUTH-WG] OAuth 2.0 Bearer Token specification d

Re: [OAUTH-WG] OAuth 2.0 Bearer Token specification draft -01

2010-12-02 Thread Marius Scurtescu
OAuth 2 Protocol Framework v11 introduces a new required parameter: token_type. Should the Bearer Token spec define the value for this parameter for bearer tokens? Are we blocked by the missing section 6.1. (Access Token Types) of the Framework spec? Marius On Wed, Dec 1, 2010 at 11:35 PM, Mi

Re: [OAUTH-WG] OAuth 2.0 Bearer Token specification draft -01

2010-12-02 Thread Kris Selden
ey are allowed in the Location header which is not an issue. > > > > EHL > > > > From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf Of > Andrea Reginato > Sent: Thursday, December 02, 2010 1:43 AM > To: Mike Jones > Cc: oauth@ietf.org

Re: [OAUTH-WG] OAuth 2.0 Bearer Token specification draft -01

2010-12-02 Thread Eran Hammer-Lahav
: oauth@ietf.org Subject: Re: [OAUTH-WG] OAuth 2.0 Bearer Token specification draft -01 I was reading the specifications, mainly the new ones related to the security issues. One thing pointed out in the security summary is related to the fact that the token should not be in the URL. So, here come some

Re: [OAUTH-WG] OAuth 2.0 Bearer Token specification draft -01

2010-12-02 Thread Andrea Reginato
I was reading the specifications, mainly the new ones related to the security issues. One thing pointed out in the security summary is related to the fact that the token should not be in the URL. So, here come some of my doubts on the user agent flow, where it is set on the URL fragment. Even mo

[OAUTH-WG] OAuth 2.0 Bearer Token specification draft -01

2010-12-01 Thread Mike Jones
Draft -01 of the OAuth 2.0 Bearer Token specification is now available. This version is intended to accompany OAuth 2.0 draft -11. This draft is based upon the September 3rd preliminary OAuth 2.0 draft by Eran Hammer-Lahav, with