Of interest from the [email protected] list...
-------- Original Message -------- Subject: Re: [kitten] Google and SASL OAuth Date: Tue, 18 Sep 2012 10:47:03 -0700 From: Ryan Troll <[email protected]> To: Hannes Tschofenig <[email protected]> CC: [email protected] <[email protected]> Sure. A little history: - The XMPP implementation has been around for quite a while, and used as part of a larger product. When I started looking at SASL/OAuth, this was already available, documentation ready, and about to be announced publicly. Rather than have separate announcements, we merged their announcement with the IMAP/SMTP announcement. - The IMAP/SMTP implementation was started more recently, and is based on version -03 of the spec. In both cases, the mechanism name does not match the spec. This approach allowed us to launch without waiting for the draft, and provides us a simple way to introduce RFC compliance later without breaking any work previously done. Once the draft moves to RFC status, I'm planning on working with the teams to add support for the RFC-defined mechanism. Now that our systems support dealing with the OAuth 2.0 credential, the work should be minimal. As for omitting the user information, your basically looking at why I had originally asked to add this field as Optional -- not all services benefit from it. I'm not familiar enough with our XMPP service to explain why, while our IMAP and SMTP implementations do use it. Bill: Thanks for considering adding the user= field in order to make the move from XOAUTH2 to this standard easier, but I'm not sure it's worth it. If the GS2 header is required, the data is already there, and clients that wish to add OAUTH support to their XOAUTH2 client will simple reformat the request a bit. -R On Tue, Sep 18, 2012 at 10:32 AM, Hannes Tschofenig <[email protected] <mailto:[email protected]>> wrote: Hi Bill, I have only seen the info at this page https://developers.google.com/__talk/jep_extensions/oauth <https://developers.google.com/talk/jep_extensions/oauth> and it does not give me enough details to judge whether there is similarity to the SASL OAuth draft. Ryan, who is on CC, seems to be the lead developer (as I can understand from http://googledevelopers.__blogspot.nl/2012/09/adding-__oauth-20-support-for-imapsmtp.__html <http://googledevelopers.blogspot.nl/2012/09/adding-oauth-20-support-for-imapsmtp.html>). Ryan, can you shed some light on the relationship to OAuth SASL. Of course it would be good to see that work had been re-used and is deployed in Google. I would also be interested to hear the motivation for omitting the user element. Ciao Hannes On 09/18/2012 07:16 PM, William Mills wrote: Google has released XOAUTH2 support which looks like it's based on -03 of the SASL OAuth draft. Since then the user= element has been removed. At this point user can easily be added back in as an optional KV pair. My question is whether we should do that with a "MAY" just to explicitly make the changes to XOAUTH2 implementations be minimal (if any). I'm leaning toward the "working code" argument here. Thoughts? Thanks, -bill _________________________________________________ Kitten mailing list [email protected] <mailto:[email protected]> https://www.ietf.org/mailman/__listinfo/kitten <https://www.ietf.org/mailman/listinfo/kitten>
_______________________________________________ Kitten mailing list [email protected] https://www.ietf.org/mailman/listinfo/kitten
