On 4/8/10 1:10 PM, "Torsten Lodderstedt" <[email protected]> wrote:
> On 08.04.2010 16:31, Eran Hammer-Lahav wrote:
>> While I agree that the spec would be much cleaner with only HTTP header
>> support, and have tried that approach before, in practice it will cause
>> significant adoption problems.
>>
>
> Can you please give details on that? You removed query and post
> parameters for signed requests. Doesn't this cause adoption problems, too?
There was consensus that signatures are an advanced feature where the need for
these methods was low. That is being questioned now.
>> I'd rather add support for query and post parameters (we are really talking
>> about a single parameter, oauth_token, outside the HTTP header), and in a
>> few years deprecate it in OAuth 3.0. The benefit of these features is that
>>
>
> I didn't argue against passing tokens as parameters. I just said: "don't
> include it in the standard, please". I still don't see any benefit -
> just confusion.
I think the majority of working group members would argue that forcing
developers to read another spec for a feature they already have in OAuth
1.0a and will rely upon in OAuth 2.0 is more confusing.
> Moreover as I already pointed out, query parameters are dangerous from a
> security standpoint. Do you really want to standardize something like
> that? Or do you want to improve internet security?
Not always. We will document the issues and offer suggestions on how to
mitigate that. The entire spec relies heavily on implementation details and
this falls right into that.
>> they allow existing browsers to deploy OAuth *today*.
>>
>
> I don't understand this. Would you please give examples? Browsers today
> natively support BASIC/DIGEST/SPNEGO with authorization headers, they
> could do this the same way for OAUTH.
Facebook and Yahoo! (as an example) have about 400-500 million users today.
They want to deploy OAuth 2.0 within a few months. Clearly expecting these
users to upgrade their browser to a version not likely to be available for a
year isn't practical.
>> As for the document structure, it is too early to tell. With OAuth 1.0a I
>> ended up shuffling the sections in draft -09... The spec has to tell a story.
>>
>
> What does this mean with respect to my proposal?
That it is too early for me to use it. I focus on document structure later
in the process. That's how I write.
EHL
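As an added example (not code from this thread or from any OAuth draft), here is a resource-server-side check in Python that accepts the oauth_token parameter by any of the three transport methods argued over above, rejects a request that presents it in more than one place, and scrubs the query-string form before the request line reaches an access log. The `OAuth` Authorization scheme name and all function names are assumptions.

```python
from urllib.parse import parse_qs

AUTH_SCHEME = "OAuth"   # assumed scheme name; the thread does not state one
PARAM = "oauth_token"   # the single parameter the thread is about
FORM = "application/x-www-form-urlencoded"


def extract_token(headers, query_string="", body="", content_type=""):
    """Locate the access token in an incoming request.

    Returns (token, source) with source in {'header', 'query', 'body'}.
    Raises ValueError if no token is present, if the parameter is repeated,
    or if it appears in more than one location: an ambiguous request is
    refused rather than silently resolved in favour of one transport.
    """
    found = {}
    scheme, _, value = headers.get("Authorization", "").strip().partition(" ")
    if scheme.lower() == AUTH_SCHEME.lower() and value.strip():
        found["header"] = value.strip()
    qs = parse_qs(query_string, keep_blank_values=False)
    if PARAM in qs:
        if len(qs[PARAM]) != 1:
            raise ValueError("%s repeated in query string" % PARAM)
        found["query"] = qs[PARAM][0]
    if content_type.split(";")[0].strip().lower() == FORM:
        form = parse_qs(body, keep_blank_values=False)
        if PARAM in form:
            if len(form[PARAM]) != 1:
                raise ValueError("%s repeated in body" % PARAM)
            found["body"] = form[PARAM][0]
    if not found:
        raise ValueError("no access token presented")
    if len(found) > 1:
        raise ValueError("token in multiple locations: " + ", ".join(sorted(found)))
    (source, token), = found.items()
    return token, source


def redact_for_log(request_target):
    """Replace the token value in a query string so it never lands in a log.

    A token carried in the URL is otherwise copied into browser history,
    proxy logs and server access logs, which is the risk raised in the thread.
    """
    path, sep, qs = request_target.partition("?")
    if not sep:
        return request_target
    kept = []
    for pair in qs.split("&"):
        key = pair.split("=", 1)[0]
        kept.append(PARAM + "=[REDACTED]" if key == PARAM else pair)
    return path + "?" + "&".join(kept)
```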
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth