Thanks James,
I wanted to provide feedback on your comments.
You wrote "token_type should be an HTTP authentication scheme name". I
disagree with this. The token_type is intended to be used to identify the type of
the token, meaning that it is likely to take on values like:
SWT
JWT
urn:oasis:names:tc:SAML:1.0:assertion
urn:oasis:names:tc:SAML:2.0:assertion
http://service.example.com/oauth/custom_token_format
You wrote "the bearer spec (draft-ietf-oauth-v2-bearer) must not use the
'OAuth2' scheme name. It needs its own scheme name, eg 'BEARER'". I also
disagree with this. For the same reason that it was appropriate for draft 11
to use the scheme name "OAuth", it is appropriate for the bearer token spec to
use the scheme name "OAuth2" for the corresponding text. In the interest of
completing the specification, I'm not prone to introduce a breaking change by
modifying the scheme name at this time.
Working group feedback is welcome.
-- Mike
-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of
Manger, James H
Sent: Thursday, December 02, 2010 3:42 PM
To: [email protected]
Subject: Re: [OAUTH-WG] OAuth 2.0 Bearer Token specification draft -01
token_type should be an HTTP authentication scheme name (eg "BASIC" or "BEARER"
or "MAC"...).
The core spec (draft-ietf-oauth-v2) should explicitly state this rule.
From the token_type, the client app knows which auth scheme to use.
[renaming the parameter from "token_type" to "scheme" would help.]
Defining token_type to be an HTTP authentication scheme name effectively
defines how OAuth2 can deliver credentials for auth schemes that are
independent of OAuth2, eg schemes specified before OAuth2 existed. It
eliminates the need for additional specs just to provide a link from OAuth2 to
every authentication mechanism.
Some auth mechanisms for which OAuth2 could deliver credentials are not
actually HTTP authentication schemes. Eg OAuth2 delivering an id/secret to use
in TLS-PSK (pre-shared key). For that you will need a small additional spec to
define a token_type value -- ie define a pseudo-HTTP-auth-scheme-name.
P.S. Related to this, the bearer spec (draft-ietf-oauth-v2-bearer) must not use
the "OAuth2" scheme name. It needs its own scheme name, eg "BEARER".
--
James Manger
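As an added illustration, not code from either message in this thread, of the client-side dispatch James describes (token_type names the HTTP auth scheme): the client dispatches only on schemes it actually implements and refuses anything else, so a server-supplied token_type never ends up copied verbatim into the Authorization header. The token responses, the "urn:example:tls-psk" pseudo-scheme and the SUPPORTED_SCHEMES set are constructed assumptions.

```python
import re
from typing import Optional

# Constructed sample token responses (hypothetical values, not from the thread).
TOKEN_RESPONSES = [
    {"access_token": "mF_9.B5f-4.1JqM", "token_type": "BEARER", "expires_in": 3600},
    {"access_token": "abc", "token_type": "MAC", "mac_algorithm": "hmac-sha-1"},
    # Pseudo-scheme for a non-HTTP mechanism (the TLS-PSK case James mentions).
    {"access_token": "psk-identity-1", "token_type": "urn:example:tls-psk"},
    # A token *format* name (Mike's reading of token_type), not a scheme name.
    {"access_token": "eyJhbGciOi", "token_type": "JWT"},
]

# Schemes this client implements. HTTP auth-scheme names are case-insensitive,
# so comparison is done on the lower-cased value.
SUPPORTED_SCHEMES = {"bearer"}

# Conservative character set for a token placed in a header value: no
# whitespace, control characters or header delimiters.
_SAFE_TOKEN = re.compile(r"^[A-Za-z0-9._~+/-]+=*$")


def authorization_header(response: dict) -> Optional[str]:
    """Build the Authorization header for one token response, treating
    token_type as the HTTP auth-scheme name.

    Returns None when the scheme is not one this client implements (MAC,
    a TLS-PSK pseudo-scheme, or a bare format name such as JWT), rather than
    guessing a scheme or echoing the unknown value into the header.
    """
    scheme = str(response.get("token_type", "")).strip().lower()
    token = str(response.get("access_token", ""))
    if scheme not in SUPPORTED_SCHEMES:
        return None
    if scheme == "bearer":
        if not _SAFE_TOKEN.fullmatch(token):
            raise ValueError("access_token contains characters unsafe in a header")
        return f"Bearer {token}"
    return None


if __name__ == "__main__":
    for r in TOKEN_RESPONSES:
        print(r["token_type"], "->", authorization_header(r))
```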
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth