With the core drafts finally settling in, I think it's time for the WG to look into a widely-used use case of OAuth 1.0 that's not currently addressed directly by OAuth2: classical 2-legged OAuth 1.0, or tokenless signed HTTP fetch.

People use this method today to replace developer key credentials, but also to ensure validity of parameters in the request. Tokens (especially signed tokens) can help in the first case, but not so much in the second, unless I'm missing a key feature of JWT.

I'm personally fine with profiling the 1.0 signature method for use with generic HTTP messages, apart from OAuth and tokens entirely. I'd be happier with a system that had an explicit signature base string (such as what Brian Eaton proposed ages ago) instead of the blind magic that OAuth 1.0 uses.

I personally wouldn't know where to start with normative language for something like this, as I am not a signatures/crypto guy. But I'd be happy to help edit such a document and work on profiles and use cases for this.

My question for the WG is then: are signed HTTP fetch messages something we want to take on, and who would be willing/able to edit such a document?

-- Justin

_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
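As an added illustration of the 2-legged case discussed in the message above (example code, not from the message, the WG, or any draft): a minimal RFC 5849 HMAC-SHA1 signer and verifier with no token, making explicit the signature base string that the signature covers, which is what lets the server detect a tampered query or body parameter. The client key, secret and URL are constructed placeholders.

```python
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qsl, quote, urlsplit

def pct(s):
    # RFC 5849 s3.6: only ALPHA / DIGIT / "-" / "." / "_" / "~" stay unencoded
    return quote(str(s), safe="-._~")

def base_string_uri(url):
    # s3.4.1.2: lowercase scheme/host, drop default port and the query string
    p = urlsplit(url)
    host = p.hostname.lower()
    if p.port and p.port != {"http": 80, "https": 443}.get(p.scheme):
        host = f"{host}:{p.port}"
    return f"{p.scheme}://{host}{p.path or '/'}"

def signature_base_string(method, url, params):
    # s3.4.1: METHOD & enc(base URI) & enc(sorted query+body+oauth_* pairs, minus oauth_signature/realm)
    pairs = sorted((pct(k), pct(v)) for k, v in params)
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(base_string_uri(url)), pct(normalized)])

def hmac_sha1(client_secret, base, token_secret=""):
    # s3.4.2: key is enc(client secret) & enc(token secret); two-legged => token secret empty
    key = f"{pct(client_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, base.encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()

def collect_params(url, body_params, oauth):
    query = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    proto = [(k, v) for k, v in oauth.items() if k != "oauth_signature"]
    return query + list(body_params) + proto

def sign_request(method, url, body_params, client_key, client_secret, nonce=None, ts=None):
    """Client side: returns the oauth_* protocol parameters, signature included."""
    oauth = {"oauth_consumer_key": client_key, "oauth_signature_method": "HMAC-SHA1",
             "oauth_timestamp": str(ts or int(time.time())),
             "oauth_nonce": nonce or secrets.token_hex(8), "oauth_version": "1.0"}
    base = signature_base_string(method, url, collect_params(url, body_params, oauth))
    oauth["oauth_signature"] = hmac_sha1(client_secret, base)
    return oauth

def verify_request(method, url, body_params, oauth, client_secret):
    """Server side: recompute over the received parameters and compare in constant time.
    A production verifier also rejects stale timestamps and reused nonces."""
    base = signature_base_string(method, url, collect_params(url, body_params, oauth))
    return hmac.compare_digest(hmac_sha1(client_secret, base), oauth.get("oauth_signature", ""))
```

Any change to a signed query or body value, or to the signing secret, changes the base string or the key and verification fails.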
