HTTP MAC Authentication Scheme from Eran Hammer-Lahav on 2011-05-09 (ietf-http-wg@w3.org from April to June 2011)

From: Eran Hammer-Lahav <eran@hueniverse.com>
Date: Mon, 9 May 2011 12:22:23 -0700
To: "apps-discuss@ietf.org" <apps-discuss@ietf.org>
CC: OAuth WG <oauth@ietf.org>, HTTP Working Group <ietf-http-wg@w3.org>, Ben Adida <ben@adida.net>, "'Adam Barth (adam@adambarth.com)'" <adam@adambarth.com>, "http-state@ietf.org" <http-state@ietf.org>
Message-ID: <90C41DD21FB7C64BB94121FBBC2E723447581DA8EA@P3PW5EX1MB01.EX1.SECURESERVER.NET>

(Please discuss this draft on the Apps-Discuss <apps-discuss@ietf.org> mailing list)

http://tools.ietf.org/html/draft-hammer-oauth-v2-mac-token

The draft includes:

* An HTTP authentication scheme using a MAC algorithm to authenticate requests (via a pre-arranged MAC key).
* An extension to the Set-Cookie header, providing a method for associating a MAC key with a session cookie.
* An OAuth 2.0 binding, providing a method of returning MAC credentials as an access token.

Some background: OAuth 1.0 introduced an HTTP authentication scheme using HMAC for authenticating an HTTP request with partial cryptographic protection of the HTTP request (namely, the request URI, host, and port). The OAuth 1.0 scheme was designed for delegation-based use cases, but is widely "abused" for simple client-server authentication (the poorly named 'two-legged' use case). This functionality has been separated from OAuth 2.0 and has been reintroduced as a standalone, generally applicable HTTP authentication scheme called MAC.

Comments and feedback is greatly appreciated.

EHL

Received on Monday, 9 May 2011 19:23:03 UTC