[OAUTH-WG] Hum about 'Removal: OAuth2 HTTP Authentication Scheme'
Hi all,

Eran suggested to remove the 'OAuth2' HTTP Authentication Scheme functionality from the specification in his mail from last month:
http://www.ietf.org/mail-archive/web/oauth/current/msg05026.html

The discussion got off topic pretty quickly with the discussion about OAuth usage for SASL.

I couldn't see a strong objection but rather clarifying discussions. Please correct me if I misread your feedback on this issue.

So, my current impression is that there is no objection and we confirm the design decision to remove the 'OAuth2' HTTP Authentication Scheme from draft-ietf-oauth-v2.

Deadline for feedback: Feb, 10th 2011

Ciao
Hannes
Re: [OAUTH-WG] Hum about 'Removal: OAuth2 HTTP Authentication Scheme'
There have been several of us that have objected and several of that have implemented this feature, it's late in the cycle to remove, so I raise the objection.

-----Original Message-----
From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf Of Hannes Tschofenig
Sent: Thursday, February 03, 2011 12:11 AM
To: oauth@ietf.org
Subject: [OAUTH-WG] Hum about 'Removal: OAuth2 HTTP Authentication Scheme'

Hi all,

Eran suggested to remove the 'OAuth2' HTTP Authentication Scheme functionality from the specification in his mail from last month:
http://www.ietf.org/mail-archive/web/oauth/current/msg05026.html

The discussion got off topic pretty quickly with the discussion about OAuth usage for SASL.

I couldn't see a strong objection but rather clarifying discussions. Please correct me if I misread your feedback on this issue.

So, my current impression is that there is no objection and we confirm the design decision to remove the 'OAuth2' HTTP Authentication Scheme from draft-ietf-oauth-v2.

Deadline for feedback: Feb, 10th 2011

Ciao
Hannes
Re: [OAUTH-WG] Hum about 'Removal: OAuth2 HTTP Authentication Scheme'
Hey Tony,

thanks for the feedback. I might have missed the objection. Could you be more specific about who did not want this functionality to be removed?

Ciao
Hannes

On 2/3/2011 5:19 PM, Anthony Nadalin wrote:
> There have been several of us that have objected and several of that have implemented this feature, it's late in the cycle to remove, so I raise the objection.
Re: [OAUTH-WG] Hum about 'Removal: OAuth2 HTTP Authentication Scheme'
Here's one objection, per my note sent on January 18th:

'OAuth2' HTTP Authentication Scheme: Simply put, dropping this seems like a huge step away from interoperability. As one data point, Microsoft implements this in our WIF OAuth2 protected resource code. All up, clients need a way to authenticate to the protected resource. Also, existing WRAP implementations need this functionality to migrate to OAuth2. For all these reasons, we support retaining this functionality in OAuth2.

-- Mike

-----Original Message-----
From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf Of Hannes Tschofenig
Sent: Thursday, February 03, 2011 7:31 AM
To: Anthony Nadalin
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] Hum about 'Removal: OAuth2 HTTP Authentication Scheme'

Hey Tony,

thanks for the feedback. I might have missed the objection. Could you be more specific about who did not want this functionality to be removed?

Ciao
Hannes
Re: [OAUTH-WG] Hum about 'Removal: OAuth2 HTTP Authentication Scheme'
Perhaps it can be left in for compatibility purposes but declared to be deprecated for new implementations?

From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf Of Mike Jones
Sent: Thursday, February 03, 2011 8:06 AM
To: Hannes Tschofenig; Anthony Nadalin
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] Hum about 'Removal: OAuth2 HTTP Authentication Scheme'

Here's one objection, per my note sent on January 18th:

'OAuth2' HTTP Authentication Scheme: Simply put, dropping this seems like a huge step away from interoperability. As one data point, Microsoft implements this in our WIF OAuth2 protected resource code. All up, clients need a way to authenticate to the protected resource. Also, existing WRAP implementations need this functionality to migrate to OAuth2. For all these reasons, we support retaining this functionality in OAuth2.

-- Mike
Re: [OAUTH-WG] Hum about 'Removal: OAuth2 HTTP Authentication Scheme'
The problem with your entire statement below is that it doesn't explain how all those important goals listed are actually accomplished by this header as currently defined.

Asking again...

- Can you please explain how this header helps interoperability?
- How does a client use this header to access a protected resource it knows nothing about?
- Will these clients fail if the header was not returned and why?
- If the Bearer token scheme name changed from OAuth2, would you still be looking to retain the OAuth2 scheme in addition to another Bearer (WWW-Authenticate) scheme?
- How do existing WRAP implementations use this header to migrate?

My reason for dropping it is based on the fact that the client already knows a protected resource supports OAuth, as well as all the required information needed to successfully obtain an access token (and authenticate). I have not seen a client implementation making an unauthenticated request and then trying again based on the WWW-Authenticate: OAuth2 challenge. The main reason is that being informed that a protected resource supports OAuth2 provides no help in actually getting a suitable access token (or client credentials for that matter).

If the OAuth2 scheme is a forward looking framework, it is premature standardization of something we clearly do not understand yet or have consensus on. If it is the challenge half of the bearer token proposal (as it currently seems to be), it should be defined there (once we resolve the scheme name issue). But it is unclear to me what you are proposing this header to represent.

And last question:

- If a protected resource supports only MAC type tokens, what does a 401 response look like? Does it include an OAuth2 challenge, a MAC challenge, both, or none?

These are the core *technical* questions that MUST be answered if we are to retain this header definition. This is not about process, stability, existing deployment, or any other non-technical arguments.

EHL

From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf Of Mike Jones
Sent: Thursday, February 03, 2011 8:06 AM
To: Hannes Tschofenig; Anthony Nadalin
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] Hum about 'Removal: OAuth2 HTTP Authentication Scheme'

Here's one objection, per my note sent on January 18th:

'OAuth2' HTTP Authentication Scheme: Simply put, dropping this seems like a huge step away from interoperability. As one data point, Microsoft implements this in our WIF OAuth2 protected resource code. All up, clients need a way to authenticate to the protected resource. Also, existing WRAP implementations need this functionality to migrate to OAuth2. For all these reasons, we support retaining this functionality in OAuth2.

-- Mike
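Added example, not part of the thread or of any draft: the last question above (what a 401 from a MAC-only resource carries) seen from the client side, by parsing the WWW-Authenticate challenges and listing which offered schemes a given client implements. The header values, the realm parameter and the names parse_challenges, usable_schemes, CASES and survey are constructed for illustration; the example does not say which of the four answers a specification should choose.

```python
import re

TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
# One item: a bare token (starts a new challenge) or name=value (an auth-param).
ITEM = re.compile(r'[\s,]*(' + TOKEN + r')(?:\s*=\s*("(?:[^"\\]|\\.)*"|' + TOKEN + r'))?')

def parse_challenges(value):
    """Split one WWW-Authenticate value into [(scheme, {param: value})].
    Handles the auth-param form only; token68 credentials are out of scope."""
    challenges, pos = [], 0
    while pos < len(value):
        m = ITEM.match(value, pos)
        if not m:
            if value[pos:].strip(" \t,"):
                raise ValueError("malformed challenge at offset %d" % pos)
            break
        name, val = m.group(1), m.group(2)
        if val is None:
            challenges.append((name, {}))
        elif not challenges:
            raise ValueError("auth-param before any scheme")
        else:
            if val.startswith('"'):  # unquote and unescape a quoted-string
                val = re.sub(r'\\(.)', r'\1', val[1:-1])
            challenges[-1][1][name.lower()] = val
        pos = m.end()
    return challenges

def usable_schemes(status, header_values, client_supports):
    """Schemes offered in a 401 that this client implements, in server order."""
    if status != 401:
        return []
    offered = [c for v in header_values for c in parse_challenges(v)]
    return [scheme for scheme, _ in offered if scheme.lower() in client_supports]

# Constructed 401 header sets, one per possible answer for a MAC-only resource.
CASES = {
    "OAuth2 only": ['OAuth2 realm="example"'],
    "MAC only": ['MAC realm="example"'],
    "both": ['OAuth2 realm="example", MAC realm="example"'],
    "none": [],
}

def survey(client_supports):
    """Map each constructed case to the schemes this client could retry with."""
    return {name: usable_schemes(401, hdrs, client_supports) for name, hdrs in CASES.items()}

if __name__ == "__main__":
    for client in ({"mac"}, {"oauth2"}):
        print(sorted(client), survey(client))
```

In the constructed "OAuth2 only" case a MAC-capable client finds no scheme it can act on, and in every case the challenge names a scheme without saying where a token would come from.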