[Standards] Fwd: Re: [kitten] Google and SASL OAuth

Peter Saint-Andre stpeter at stpeter.im
Tue Sep 18 17:57:11 UTC 2012

Of interest from the kitten at ietf.org list...

-------- Original Message --------
Subject: 	Re: [kitten] Google and SASL OAuth
Date: 	Tue, 18 Sep 2012 10:47:03 -0700
From: 	Ryan Troll <rtroll at googlers.com>
To: 	Hannes Tschofenig <hannes.tschofenig at gmx.net>
CC: 	kitten at ietf.org <kitten at ietf.org>

Sure.  A little history:

- The XMPP implementation has been around for quite a while, and used as
part of a larger product.  When I started looking at SASL/OAuth, this
was already available, documentation ready, and about to be announced
publicly.  Rather than have separate announcements, we merged their
announcement with the IMAP/SMTP announcement.

- The IMAP/SMTP implementation was started more recently, and is based
on version -03 of the spec.

In both cases, the mechanism name does not match the spec.  This
approach allowed us to launch without waiting for the draft, and
provides us a simple way to introduce RFC compliance later without
breaking any work previously done.

Once the draft moves to RFC status, I'm planning on working with the
teams to add support for the RFC-defined mechanism.  Now that our
systems support dealing with the OAuth 2.0 credential, the work should
be minimal.

As for omitting the user information, you're basically looking at why I
had originally asked to add this field as Optional -- not all services
benefit from it.  I'm not familiar enough with our XMPP service to
explain why, while our IMAP and SMTP implementations do use it.


Thanks for considering adding the user= field in order to make the move
from XOAUTH2 to this standard easier, but I'm not sure it's worth it.
If the GS2 header is required, the data is already there, and clients
that wish to add OAUTH support to their XOAUTH2 client will simply
reformat the request a bit.


On Tue, Sep 18, 2012 at 10:32 AM, Hannes Tschofenig
<hannes.tschofenig at gmx.net> wrote:

    Hi Bill,

    I have only seen the info at this page
    <https://developers.google.com/talk/jep_extensions/oauth> and it
    does not give me enough details to judge whether there is similarity
    to the SASL OAuth draft.

    Ryan, who is on CC, seems to be the lead developer (as I can
    understand from


    Ryan, can you shed some light on the relationship to OAuth SASL?

    Of course it would be good to see that work had been re-used and is
    deployed in Google. I would also be interested to hear the
    motivation for omitting the user element.


    On 09/18/2012 07:16 PM, William Mills wrote:

        Google has released XOAUTH2 support which looks like it's based
        on -03
        of the SASL OAuth draft.  Since then the user= element has been
        removed.  At this point user can easily be added back in as a
        KV pair.  My question is whether we should do that with a "MAY"
        just to
        explicitly make the changes to XOAUTH2 implementations be
        minimal (if any).

        I'm leaning toward the "working code" argument here.  Thoughts?



        Kitten mailing list
        Kitten at ietf.org
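
The "reformat the request a bit" step discussed in this thread, as an added example that is not code from any participant or from Google: it parses an XOAUTH2 initial response (`user=` and `auth=Bearer` pairs separated by ^A) and re-encodes it with the user carried in the GS2 header instead. Assumptions: the function names are hypothetical, the sample user and token are constructed, and the target layout is the `n,a=<authzid>,` GS2 header (RFC 5801 escaping) that the mechanism used when later published as OAUTHBEARER in RFC 7628.

```python
import base64

SEP = "\x01"  # ^A, the key/value separator used by both formats

# Constructed sample, not a real credential.
SAMPLE = base64.b64encode(
    b"user=someuser@example.com\x01auth=Bearer constructed-token-123\x01\x01"
).decode("ascii")


def parse_xoauth2(b64: str) -> dict:
    """Decode an XOAUTH2 initial response into its key/value pairs."""
    raw = base64.b64decode(b64, validate=True).decode("utf-8")
    if not raw.endswith(SEP + SEP):
        raise ValueError("missing ^A^A terminator")
    pairs = {}
    for item in raw[:-2].split(SEP):
        key, eq, value = item.partition("=")  # token may itself contain '='
        if not eq or not key or key in pairs:
            raise ValueError(f"malformed or duplicate pair: {item!r}")
        pairs[key] = value
    if set(pairs) != {"user", "auth"}:
        raise ValueError("expected exactly user= and auth=")
    if not pairs["auth"].startswith("Bearer ") or len(pairs["auth"]) == 7:
        raise ValueError("auth= must carry a non-empty Bearer token")
    return pairs


def saslname(value: str) -> str:
    """GS2 escaping for the authzid: '=' first, then ',' (order matters)."""
    return value.replace("=", "=3D").replace(",", "=2C")


def to_gs2_form(b64: str) -> str:
    """Re-encode an XOAUTH2 response with the user moved into the GS2 header."""
    p = parse_xoauth2(b64)
    msg = f"n,a={saslname(p['user'])},{SEP}auth={p['auth']}{SEP}{SEP}"
    return base64.b64encode(msg.encode("utf-8")).decode("ascii")


if __name__ == "__main__":
    print(base64.b64decode(to_gs2_form(SAMPLE)))
```

A server accepting both forms should compare the authorization identity from the GS2 header against the identity bound to the token, as it would for `user=`, rather than trusting the client-supplied name.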
