Re: [OAUTH-WG] Why not use a server-supplied nonce (was: HTTP MAC Authentication Scheme)

On Fri, Jun 10, 2011 at 3:19 PM, Eran Hammer-Lahav wrote: >> -Original Message- >> From: Robert Sayre [mailto:say...@gmail.com] >> Sent: Friday, June 10, 2011 11:37 AM >> To: Adam Barth >> Cc: Eran Hammer-Lahav; OAuth WG >> Subject: Re: Why not use a server-supplied nonce (was: HTTP MAC >>

Re: [OAUTH-WG] Why not use a server-supplied nonce (was: HTTP MAC Authentication Scheme)

> -Original Message- > From: Robert Sayre [mailto:say...@gmail.com] > Sent: Friday, June 10, 2011 11:37 AM > To: Adam Barth > Cc: Eran Hammer-Lahav; OAuth WG > Subject: Re: Why not use a server-supplied nonce (was: HTTP MAC > Authentication Scheme) > > On Fri, Jun 10, 2011 at 10:51 AM, A

Re: [OAUTH-WG] consistency of token param name in bearer token type

Extensibility in authentication schemes is a bad thing, given how they are deployed and the difficulty of changing them. No existing authentication scheme is extensible (explicitly). EHL > -Original Message- > From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf > Of M

Re: [OAUTH-WG] [http-state] [apps-discuss] HTTP MAC Authentication Scheme

Nico, > On Thu, Jun 9, 2011 at 12:03 AM, Paul E. Jones > wrote: > > What issues, specifically. (Messages are all over the place and I > > don’t know exactly what issues you’re raising. Is it with the > > approach we’re proposing or something else?) > > The fundamental issue is that protecting

Re: [OAUTH-WG] [http-state] [apps-discuss] HTTP MAC Authentication Scheme

On Fri, Jun 10, 2011 at 2:16 PM, Adam Barth wrote: > On Fri, Jun 10, 2011 at 10:36 AM, Nico Williams wrote: >> The fundamental issue is that protecting the cookie alone is not >> enough.  On open wifi networks it's a fair assumption that the >> difficulty of active attacks is about the same as th

Re: [OAUTH-WG] [http-state] [apps-discuss] HTTP MAC Authentication Scheme

On Fri, Jun 10, 2011 at 10:36 AM, Nico Williams wrote: > [Dropped a few lists.] > > On Thu, Jun 9, 2011 at 12:03 AM, Paul E. Jones wrote: >> What issues, specifically.  (Messages are all over the place and I don’t >> know exactly what issues you’re raising.  Is it with the approach we’re >> propo

Re: [OAUTH-WG] Proposed OAuth Extensions

Shane, We have been working on openID Connect (formerly known as openID AB) for some time. If there are standard ways to do things in OAuth 2.0 that we can reuse then it saves us from inventing custom extensions for openID Connect. We have identified the need to request multiple tokens as one

Re: [OAUTH-WG] Why not use a server-supplied nonce (was: HTTP MAC Authentication Scheme)

On Fri, Jun 10, 2011 at 11:36 AM, Robert Sayre wrote: > On Fri, Jun 10, 2011 at 10:51 AM, Adam Barth wrote: >> On Fri, Jun 10, 2011 at 10:42 AM, Robert Sayre wrote: >>> Let's call my proposed addition the "opaque" parameter. The client >>> sends it back unchanged, just like the id. >> >> That al

Re: [OAUTH-WG] Why not use a server-supplied nonce (was: HTTP MAC Authentication Scheme)

On Fri, Jun 10, 2011 at 10:51 AM, Adam Barth wrote: > On Fri, Jun 10, 2011 at 10:42 AM, Robert Sayre wrote: >> Let's call my proposed addition the "opaque" parameter. The client >> sends it back unchanged, just like the id. > > That already exists in the scheme.  It's just the value of the cookie

Re: [OAUTH-WG] Why not use a server-supplied nonce (was: HTTP MAC Authentication Scheme)

On Fri, Jun 10, 2011 at 10:42 AM, Robert Sayre wrote: > Let's call my proposed addition the "opaque" parameter. The client > sends it back unchanged, just like the id. That already exists in the scheme. It's just the value of the cookie. > This is just one use of an opaque field that servers mi

Re: [OAUTH-WG] Why not use a server-supplied nonce (was: HTTP MAC Authentication Scheme)

On Thu, Jun 9, 2011 at 10:25 PM, Adam Barth wrote: > > What happens when the client wants to send more than one request at a > time to the server?  For example, when loading a web page, browsers > often open multiple sockets to send multiple request in parallel to > improve performance. In my exa

Re: [OAUTH-WG] consistency of token param name in bearer token type

On Fri, Jun 10, 2011 at 9:34 AM, John Kemp wrote: > George, > > On Jun 10, 2011, at 4:11 PM, George Fletcher wrote: > >> I definitely don't want to change the Authorization header naming scheme. I >> believe it should stay 'Bearer' because that's what the token is. We could >> make it... >> >> A

Re: [OAUTH-WG] [http-state] [apps-discuss] HTTP MAC Authentication Scheme

[Dropped a few lists.] On Thu, Jun 9, 2011 at 12:03 AM, Paul E. Jones wrote: > What issues, specifically.  (Messages are all over the place and I don’t > know exactly what issues you’re raising.  Is it with the approach we’re > proposing or something else?) The fundamental issue is that protecti

Re: [OAUTH-WG] consistency of token param name in bearer token type

I think it's vital to have the GET and POST parameters make sense to every developer. I worry less about the authorization header since a developer implementing it will honestly be a stronger engineer. Here's what I said earlier in the thread about my motivation: > Did a full read through of draft

Re: [OAUTH-WG] consistency of token param name in bearer token type

Don't care. Will never use it. :-) EHL > -Original Message- > From: David Recordon [mailto:record...@gmail.com] > Sent: Friday, June 10, 2011 1:20 AM > To: George Fletcher; Eran Hammer-Lahav; Doug Tangren > Cc: Mike Jones; paul Tarjan; oauth@ietf.org; Marius Scurtescu > Subject: Re: [OAUT

Re: [OAUTH-WG] consistency of token param name in bearer token type

George, On Jun 10, 2011, at 4:11 PM, George Fletcher wrote: > I definitely don't want to change the Authorization header naming scheme. I > believe it should stay 'Bearer' because that's what the token is. We could > make it... > > Authorization: Bearer access_token=vF9dft4qmT > > If that hel

Re: [OAUTH-WG] consistency of token param name in bearer token type

+1 :) On 6/10/11 9:23 AM, Doug Tangren wrote: I hope hope that if it changes again this time, it doesn't change again :)! ___ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth

Re: [OAUTH-WG] consistency of token param name in bearer token type

-Doug Tangren http://lessis.me On Fri, Jun 10, 2011 at 4:20 AM, David Recordon wrote: > George, Doug and Eran are you alright with the Bearer token spec using > the parameter name "access_token" as well? > > Consistency is good and less confusing for developers writing generic client libraries.

Re: [OAUTH-WG] consistency of token param name in bearer token type

I definitely don't want to change the Authorization header naming scheme. I believe it should stay 'Bearer' because that's what the token is. We could make it... Authorization: Bearer access_token=vF9dft4qmT If that helps with consistency. I don't think we should be associating the term 'acce

Re: [OAUTH-WG] consistency of token param name in bearer token type

What does this mean for the HTTP Authorization header naming scheme for bearer tokens? As I understand this decision, we are discussing whether to standardize on the name "access_token" when a bearer token is sent as either a URL query parameter, or in a form POSTed body? Currently the HTTP A

Re: [OAUTH-WG] consistency of token param name in bearer token type

Yes, that's fine with me. Thanks, George On 6/10/11 4:20 AM, David Recordon wrote: George, Doug and Eran are you alright with the Bearer token spec using the parameter name "access_token" as well? On Wed, Jun 8, 2011 at 4:50 PM, Marius Scurtescu wrote: On Wed, Jun 1, 2011 at 1:14 PM, Mike J

Re: [OAUTH-WG] consistency of token param name in bearer token type

George, Doug and Eran are you alright with the Bearer token spec using the parameter name "access_token" as well? On Wed, Jun 8, 2011 at 4:50 PM, Marius Scurtescu wrote: > On Wed, Jun 1, 2011 at 1:14 PM, Mike Jones > wrote: >> If you can drive a consensus decision for the name "access_token",