Loading ...
Sorry, an error occurred while loading the content.

Use only bearer tokens?

Expand Messages
  • Bill Mills
    Any objection to using only bearer tokens for SASL OAuth?
    Message 1 of 6 , May 21, 2010
    View Source
    • 0 Attachment
      Any objection to using only bearer tokens for SASL OAuth?
    • Allen Tom
      My general philosophy regarding bearer tokens is that if the underlying data is accessible to the user¹s browser (like via a WebMail interface) - then that
      Message 2 of 6 , May 21, 2010
      View Source
      • 0 Attachment
        Re: [sasl_oauth] Use only bearer tokens? My general philosophy regarding bearer tokens is that if the underlying data is accessible to the user’s browser (like via a WebMail interface) - then that implies that HTTP Cookies are sufficient to authenticate the request, and therefore bearer tokens are equivalent.

        Allen



        On 5/21/10 8:23 AM, "Bill Mills" <wmills@...> wrote:


         
         
           

        Any objection to using only bearer tokens for SASL OAuth?

         
           


      • William Mills
        That works for the Mail case perhaps, but only if you also have a webmail experience, admittedly most do. Is this generally true for everywhere we want to use
        Message 3 of 6 , May 21, 2010
        View Source
        • 0 Attachment
          That works for the Mail case perhaps, but only if you also have a webmail experience, admittedly most do.  Is this generally true for everywhere we want to use OAuth over SASL?


          From: sasl_oauth@yahoogroups.com [mailto:sasl_oauth@yahoogroups.com] On Behalf Of Allen Tom
          Sent: Friday, May 21, 2010 8:40 AM
          To: sasl_oauth@yahoogroups.com
          Subject: Re: [sasl_oauth] Use only bearer tokens?

           

          My general philosophy regarding bearer tokens is that if the underlying data is accessible to the user’s browser (like via a WebMail interface) - then that implies that HTTP Cookies are sufficient to authenticate the request, and therefore bearer tokens are equivalent.

          Allen

          On 5/21/10 8:23 AM, "Bill Mills" <wmills@yahoo- inc.com> wrote:

          Any objection to using only bearer tokens for SASL OAuth?
          .

        • Brian Eaton
          We re fine with bearer tokens as well.
          Message 4 of 6 , May 21, 2010
          View Source
          • 0 Attachment
            We're fine with bearer tokens as well.

            On Fri, May 21, 2010 at 8:23 AM, Bill Mills <wmills@...> wrote:
             

            Any objection to using only bearer tokens for SASL OAuth?


          • Anthony Nadalin
            Just a little concerned about how the bearer tokens are bound, in the case of cookies I can elect not to support them if I don t trust the use of them, in
            Message 5 of 6 , May 23, 2010
            View Source
            • 0 Attachment

              Just a little concerned about how the bearer tokens are bound, in the case of cookies I can elect not to support them if I don’t trust the use of them, in bearer tokens I would want a way to have them bound to the session

               

              From: sasl_oauth@yahoogroups.com [mailto:sasl_oauth@yahoogroups.com] On Behalf Of Allen Tom
              Sent: Friday, May 21, 2010 8:40 AM
              To: sasl_oauth@yahoogroups.com
              Subject: Re: [sasl_oauth] Use only bearer tokens?

               

               

              My general philosophy regarding bearer tokens is that if the underlying data is accessible to the user’s browser (like via a WebMail interface) - then that implies that HTTP Cookies are sufficient to authenticate the request, and therefore bearer tokens are equivalent.

              Allen



              On 5/21/10 8:23 AM, "Bill Mills" <wmills@...> wrote:


               
               
                 

              Any objection to using only bearer tokens for SASL OAuth?

               
                 

            • Bill Mills
              The bearer tokens can be scoped. We don t have a session binding construct really, although you could implement one yourself by putting some kind of nonce in
              Message 6 of 6 , May 24, 2010
              View Source
              • 0 Attachment
                The bearer tokens can be scoped. We don't have a session binding construct really, although you could implement one yourself by putting some kind of nonce in the token and then keeping track of that. More likely you will issue short lived access tokens to achieve this.

                If you are wanting to bind a particular refresh token to a specific client then you enforce the client restriction on the refresh token call.

                --- In sasl_oauth@yahoogroups.com, Anthony Nadalin <tonynad@...> wrote:
                >
                > Just a little concerned about how the bearer tokens are bound, in the case of cookies I can elect not to support them if I don't trust the use of them, in bearer tokens I would want a way to have them bound to the session
                >
                > From: sasl_oauth@yahoogroups.com [mailto:sasl_oauth@yahoogroups.com] On Behalf Of Allen Tom
                > Sent: Friday, May 21, 2010 8:40 AM
                > To: sasl_oauth@yahoogroups.com
                > Subject: Re: [sasl_oauth] Use only bearer tokens?
                >
                >
                >
                > My general philosophy regarding bearer tokens is that if the underlying data is accessible to the user's browser (like via a WebMail interface) - then that implies that HTTP Cookies are sufficient to authenticate the request, and therefore bearer tokens are equivalent.
                >
                > Allen
                >
                >
                >
                > On 5/21/10 8:23 AM, "Bill Mills" <wmills@...> wrote:
                >
                >
                >
                >
                >
                > Any objection to using only bearer tokens for SASL OAuth?
                >
              Your message has been successfully submitted and would be delivered to recipients shortly.