> -----Original Message-----
> From: Greg Brail [mailto:[email protected]]
> Sent: Wednesday, February 10, 2010 9:07 PM
> To: Eran Hammer-Lahav; OAuth WG ([email protected])
> Subject: RE: [OAUTH-WG] Which draft to use as a starting point for 'using a
> token'?
> 
> Like a lot of people, I think, things are moving along and we're trying to keep
> up. I do have a few more basic questions.
> 
> Like it or not, the concept of a "consumer key" and "access token" is
> hard-wired into many developers' perceptions of OAuth, and a major difference
> between the two specs is that "ietf-oauth-authentication" retains both
> tokens and "http-token-auth" does not.

This was the consensus a few months ago, that is, that when accessing 
resources, only the token credentials will be used.

> Given that today's OAuth-based applications are relying on having two
> tokens on each request, how would this work if "ietf-oauth-authentication"
> were to be adopted? If a developer or API provider wishes to include some
> sort of "consumer key" on each request in addition to the token, how should
> that be accomplished?

There are many ways (two you listed below), but the easiest is to simply encode
that information into the token itself. For example, if before your application
issued a consumer key 'asb432' and token 'ffd4f3', it can issue a token using the
new scheme 'asb432:ffd4f3' (with or without the colon, in plaintext or encoded,
etc.). There is really no difference in how to send this information over (in
one parameter or two).

> API providers usually wish to
> track not only the user making a request (which can be inferred from the
> token), but also which application was used and which developer wrote that
> application.

Keep in mind that the client credentials can only be trusted in a few select
cases. They are being treated by most services as a hint, not as something to rely
on.

> Finally, finally this time, would it be possible to have a link to
> "draft-hammer-http-token-auth" on the main OAuth IETF page? Google works fine but still
> it'd help.

That's for the chairs.

EHL
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
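
The single-token encoding described in the reply above, as an added example that is not part of the original message or of either draft: the server folds the old consumer key and token into one opaque token and recovers both on each request. The HMAC tag, the `SERVER_KEY` secret and the function names are assumptions of this example; the reply only says the pair may be sent "in plaintext or encoded".

```python
import base64
import hashlib
import hmac

# Assumption: a server-side secret used only to tag tokens the server issued.
SERVER_KEY = b"constructed-demo-key"

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _tag(body: str) -> bytes:
    return hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).digest()

def issue_token(consumer_key: str, token_id: str) -> str:
    """Fold the old consumer key and token into the one token the client sends."""
    # Each field is encoded on its own, so a ':' or '.' inside a value
    # cannot move the boundary between the two fields.
    body = _b64(consumer_key.encode()) + "." + _b64(token_id.encode())
    return body + "." + _b64(_tag(body))

def parse_token(token: str):
    """Return (consumer_key, token_id), or None if the token was not issued here."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    body = parts[0] + "." + parts[1]
    try:
        if not hmac.compare_digest(_unb64(parts[2]), _tag(body)):
            return None
        # The tag shows the server issued this pairing. It does not show that
        # the caller is that application, so the consumer key stays a hint
        # for tracking, as the reply says.
        return _unb64(parts[0]).decode(), _unb64(parts[1]).decode()
    except ValueError:  # bad base64 or bad UTF-8
        return None

if __name__ == "__main__":
    token = issue_token("asb432", "ffd4f3")  # values from the message above
    print(token, parse_token(token))
```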