[Standards] Fwd: Re: [kitten] Google and SASL OAuth
stpeter at stpeter.im
Tue Sep 18 17:57:11 UTC 2012
Of interest from the kitten at ietf.org list...
-------- Original Message --------
Subject: Re: [kitten] Google and SASL OAuth
Date: Tue, 18 Sep 2012 10:47:03 -0700
From: Ryan Troll <rtroll at googlers.com>
To: Hannes Tschofenig <hannes.tschofenig at gmx.net>
CC: kitten at ietf.org <kitten at ietf.org>
Sure. A little history:
- The XMPP implementation has been around for quite a while, and used as
part of a larger product. When I started looking at SASL/OAuth, this
was already available, documentation ready, and about to be announced
publicly. Rather than have separate announcements, we merged their
announcement with the IMAP/SMTP announcement.
- The IMAP/SMTP implementation was started more recently, and is based
on version -03 of the spec.
In both cases, the mechanism name does not match the spec. This
approach allowed us to launch without waiting for the draft, and
provides us a simple way to introduce RFC compliance later without
breaking any work previously done.
Once the draft moves to RFC status, I'm planning on working with the
teams to add support for the RFC-defined mechanism. Now that our
systems support dealing with the OAuth 2.0 credential, the work should
As for omitting the user information, you're basically looking at why I
had originally asked to add this field as Optional -- not all services
benefit from it. I'm not familiar enough with our XMPP service to
explain why, while our IMAP and SMTP implementations do use it.
Thanks for considering adding the user= field in order to make the move
from XOAUTH2 to this standard easier, but I'm not sure it's worth it.
If the GS2 header is required, the data is already there, and clients
that wish to add OAUTH support to their XOAUTH2 client will simply
reformat the request a bit.
On Tue, Sep 18, 2012 at 10:32 AM, Hannes Tschofenig
<hannes.tschofenig at gmx.net> wrote:
I have only seen the info at this page
<https://developers.google.com/talk/jep_extensions/oauth> and it
does not give me enough details to judge whether there is similarity
to the SASL OAuth draft.
Ryan, who is on CC, seems to be the lead developer (as I can
Ryan, can you shed some light on the relationship to OAuth SASL?
Of course it would be good to see that work had been re-used and is
deployed in Google. I would also be interested to hear the
motivation for omitting the user element.
On 09/18/2012 07:16 PM, William Mills wrote:
Google has released XOAUTH2 support which looks like it's based
off the SASL OAuth draft. Since then the user= element has been
removed. At this point user can easily be added back in as a
KV pair. My question is whether we should do that with a "MAY"
explicitly make the changes to XOAUTH2 implementations be
minimal (if any).
I'm leaning toward the "working code" argument here. Thoughts?
Kitten mailing list
Kitten at ietf.org