(sorry for the fragmented post) And to be clear, my feedback is in no way an endorsement of including this text. I am still strongly opposed to it for the primary reason that it is none of this WG's business in general, and the OAuth specification's in particular, to invent new HTTP authentication schemes. My feedback is provided in case there is overwhelming support for inclusion, to make it less damaging, if I'm instructed by the chairs to include it (and yes, I will require clear instructions from the chairs before I touch this).
EHL

> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf Of Eran Hammer-Lahav
> Sent: Thursday, April 14, 2011 3:47 PM
> To: Phil Hunt; Peter Saint-Andre
> Cc: oauth
> Subject: Re: [OAUTH-WG] Revised Section 3
>
> My current project uses MAC authentication for client authentication at the
> token endpoint. It would be helpful if people explicitly express their views on
> the proposed text, and whether they support or object to it.
>
> EHL
>
> > -----Original Message-----
> > From: Phil Hunt [mailto:[email protected]]
> > Sent: Thursday, April 14, 2011 3:41 PM
> > To: Peter Saint-Andre
> > Cc: Eran Hammer-Lahav; oauth
> > Subject: Re: [OAUTH-WG] Revised Section 3
> >
> > +1
> >
> > There is the issue of how a client app 'bootstraps' its own credential. It could
> > be that it authenticates by some other RFC (like 2617 Basic Auth), or some
> > other method. E.g. it would be nice to have a way for client apps to obtain
> > either the equivalent of client_assertion, or even a MAC token representing
> > just the client security context (a turtles-all-the-way-down approach).
> >
> > Regardless, I agree this isn't part of the core OAuth specification.
> >
> > Phil
> > [email protected]
> >
> > On 2011-04-14, at 3:06 PM, Peter Saint-Andre wrote:
> >
> > > On 4/14/11 3:56 PM, Eran Hammer-Lahav wrote:
> > >
> > > <snip/>
> > >
> > >> In practice, this invents a new HTTP authentication scheme.
> > >
> > > Eran, during the WG meeting in Prague you said the same thing, and I
> > > tend to agree. Yes, client authentication is a good thing, but given
> > > that OAuth happens over HTTP I don't see why we can't just use
> > > existing HTTP authentication schemes. If BASIC and DIGEST aren't good
> > > enough, then someone needs to develop a new HTTP authentication
> > > scheme. However, that's not a job for the OAuth WG as far as I can see...
> > >
> > > Peter
> > >
> > > --
> > > Peter Saint-Andre
> > > https://stpeter.im/
> > >
> > > _______________________________________________
> > > OAuth mailing list
> > > [email protected]
> > > https://www.ietf.org/mailman/listinfo/oauth
