OAuth 2

Monday Session 5 Space I

Conference: IIW10 May 17-19, 2009 this is the complete Complete Set of Notes

Extended discussion will continue athttp://tech.groups.yahoo.com/group/sasl_oauth/

The proposed spec is at http://docs.google.com/View?id=dhjg77m3_0gsn2psdq

We walked through various parts of the proposed spec. There were questions about how it fits in and how SASL fits in to other protocols. The general feeling was it's better to use SASL than to implement OAuth separately in each protocol. It was pointed out that the IETF drafts:


 * 1) draft-lear-ieft-sasl-openid-01.txt
 * 2) draft-wierenga-sasl-saml-00.txt

Both will have useful as they are very similar problems. Interesting questions asked:

How do we sort out what OAuth 2.0 auth flows are supported? Much of this may shake out in the OAuth 2.0 discovery information stuff. If not, then the SASL spec should patch this up until OAuth 2.0 gets there?

Is there anyone out there that want's to do OAuth 1.0a over SASL or will you just go to 2.0 to get SASL? Consensus was that everyone will go to 2.0.

There was a lot of discussion around the question of taking an OAuth token and authenticating a session with it, and the implications of that. Major points of concern still to be hashed out are:

Quite a bit of good feedback.
 * What if you us OAuth an XMPP session that allows password change?
 * Should sessions be limited to token life/expiration?
 * How does does a desktop client get a client_id and secret when desktop clients can't really keep a secret?