I think the discussion around the version number is completely misguided
because we don't have a basic agreement on what the hell the version is even
for. This means that based on your personal interpretation of what it means,
you come to a different conclusion. Just because we change the specification,
doesn't mean we should change the version - we need to first agree what it is
for. For those new here, at the OAuth Summit last year we had a wide consensus
not to change the oauth_version value, even with proposals to add new
parameters, error codes, etc. This is not much different.
---
There are 4 elements of the protocol with a version associated with them:
* The specification document - this tells readers that there is a new document.
* The authorization flow used to obtain an Access Token - this is what we are
changing (getting an Access Token).
* The authentication method - the way in which signed OAuth requests are made
and transmitted (using an Access Token).
* The signature method - the way in which the signature value is calculated.
The versioning of each of these must be addressed separately or we will be
breaking stuff for no reason (like 2-legged clients).
* The specification document - give it a new title (without overlapping with
any other version indicator). I have moved away from using version numbers for
specifications I write, and am now advocating using dates or revisions instead.
* The authorization flow used to obtain an Access Token - we don't have a way
to indicate which flow is being used, and the oauth_version parameter was not
put in the specification for this (I know because I put it there). There are
two obvious ways to address this: use different endpoints (with optional
discovery) or add a new parameter (something like oauth_flow) and simply name
different flows (or different versions of flow) with different names.
* The authentication method - this is what the current oauth_version is for. It
provides a version for the combination of parameter used (nonce, timestamp,
signature method, signature, token, etc.), as well as how OAuth parameters are
encoded, transmitted, and verified.
* The signature method - each method has a name and if we ever want to change
them or add new ones, we simply give it a new name.
---
The Core 1.0 specification structure is shit. It completely blur the lines
between these 4 elements which is why most of you are misguided in advocating
for a version change. If you read my editor's cut version of the specification,
you'll see that the oauth_version parameter is clearly part of how to make an
authenticated OAuth request and not about how to get an Access Token. The fact
the current document title uses the same indicator ("1.0") as the version of
the authentication method is also not helping.
We need to address two changes:
* A new document - I think a simple "Revision A" in the title is enough to
indicate that the specification language has changed. If you feel this is not
enough please suggest a stronger language that is not a new version number. We
cannot increment the document version number without also incrementing the
parameter value or we will completely confuse everyone. In the future, there
will not be a new document called OAuth Core with a new numerical version
number (like OAuth 2.0). And before you go and argue, take a look at HTTP 1.1 -
it has multiple (different) specifications (RFCs) with the same protocol
version number and no one seems confused...
* A new authorization flow - we are basically adding a new workflow to replace
the existing 3-steps flow. It is very easy to identify which flow is being used
(see below) and there is no *need* to add an explicit indicator that a new flow
is being used by a client. For this reason I suggest we don't add anything new
at this point. I would like to look into this further in the future and find
better ways to support multiple authorization flows, but this is probably not
the time to address it.
To identify which flow a client is using:
1. Use two different endpoint URLs! Developers will have to go and make code
changes and if they use a library, will have to reconfigure it to indicate
which flow they are using. No application is expected to use both flows. This
means providers supporting multiple versions for some time as part of their
transition can simply use different endpoints for each revision. In the future,
discovery will make this automated - and this is the exact direction the
discovery work has been advocating for multiple flows.
2. Use the presence of an oauth_callback parameter as indicator which version
is being used. If you are not going to support dynamic callbacks see #1.
3. Add your own flag. This is pointless and wasteful but if it makes you feel
better...
---
If it wasn't clear, my vote is to give the specification a new title (Revision
A) and leave the oauth_version unchanged. Changing the version breaks stuff and
so far no one has demonstrated any *real* value in doing so. "Confusing" is not
a technical argument and this is an technical document.
EHL
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"OAuth" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to [email protected]
For more options, visit this group at http://groups.google.com/group/oauth?hl=en
-~----------~----~----~----~------~----~------~--~---
