IETF Logo Mail Archive

[OAUTH-WG] native app support (was: Next draft)

Marius Scurtescu <mscurtescu@google.com> Tue, 08 June 2010 17:46 UTC

Return-Path: <mscurtescu@google.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 0AB323A69EF for <oauth@core3.amsl.com>; Tue, 8 Jun 2010 10:46:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -99.562
X-Spam-Level:
X-Spam-Status: No, score=-99.562 tagged_above=-999 required=5 tests=[AWL=-0.185, BAYES_50=0.001, FM_FORGED_GMAIL=0.622, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id a5HwxsyDeCZL for <oauth@core3.amsl.com>; Tue, 8 Jun 2010 10:46:43 -0700 (PDT)
Received: from smtp-out.google.com (smtp-out.google.com [74.125.121.35]) by core3.amsl.com (Postfix) with ESMTP id C497C3A69CD for <oauth@ietf.org>; Tue, 8 Jun 2010 10:46:42 -0700 (PDT)
Received: from kpbe20.cbf.corp.google.com (kpbe20.cbf.corp.google.com [172.25.105.84]) by smtp-out.google.com with ESMTP id o58HkeXA001159 for <oauth@ietf.org>; Tue, 8 Jun 2010 10:46:41 -0700
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=google.com; s=beta; t=1276019201; bh=6mO8gBMg58yZZdiMYUAG+apeOm0=; h=MIME-Version:From:Date:Message-ID:Subject:To:Cc:Content-Type: Content-Transfer-Encoding; b=swkz9/tT0RflN7zjLREr28DRdqp+FH2Pz4uu0/Z8QZolT+TXm4O2duukErukTlzYS a9IfGOK/lHTrf1DDsgGHA==
DomainKey-Signature: a=rsa-sha1; s=beta; d=google.com; c=nofws; q=dns; h=mime-version:from:date:message-id:subject:to:cc: content-type:content-transfer-encoding; b=uzcNDD4IfdO/bItHIRWhV5Pd4Cz/h+DnMdoIzoWOegJeo6Z/2QA2SAxpbGpenGcGD xv7+E6P3oGEpCcP2EX50A==
Received: from pxi15 (pxi15.prod.google.com [10.243.27.15]) by kpbe20.cbf.corp.google.com with ESMTP id o58HkMTt017002 for <oauth@ietf.org>; Tue, 8 Jun 2010 10:46:40 -0700
Received: by pxi15 with SMTP id 15so1872214pxi.16 for <oauth@ietf.org>; Tue, 08 Jun 2010 10:46:39 -0700 (PDT)
Received: by 10.141.22.19 with SMTP id z19mr13476008rvi.250.1276019199642; Tue, 08 Jun 2010 10:46:39 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.141.124.13 with HTTP; Tue, 8 Jun 2010 10:46:19 -0700 (PDT)
From: Marius Scurtescu <mscurtescu@google.com>
Date: Tue, 08 Jun 2010 10:46:19 -0700
Message-ID: <AANLkTikkG3T_DYKhjMbyYayi7SzZel3RJXFSguxq7SSZ@mail.gmail.com>
To: Eran Hammer-Lahav <eran@hueniverse.com>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: quoted-printable
Cc: "OAuth WG (oauth@ietf.org)" <oauth@ietf.org>
Subject: [OAUTH-WG] native app support (was: Next draft)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 08 Jun 2010 17:46:44 -0000

In order to properly support native applications I suggest the
following changes:

1. client_name

In all flows when client_id is sent also allow for an optional
client_name. This optional parameter is meant as a display name for
the client, and it is useful in all unregistered cases, not only for
native apps.

If the client is unregistered then most likely the authz server will
require that client_id be set to a predefined value like "anonymous".
The approval page does need a client name so it can tell the user who
it is granting access for.


2. optional redirect_uri (default result page)

Some native apps do not have a redirect_uri, as a result two things are needed:

2.1 Either make redirect_uri optional or define a standard value that
signals that the client does not have such a page.

2.2 The authz server must supply a default result page, if there is no
redirect_uri. Also, this page should put the verification code and the
client state (code and state) in the page title in a standard way such
that the native app can extract them from the window title. WRAP
defined how the title should be formed.


3. device flow should be able to start user-agent

The device flow can be used by native apps in which case there is a
browser on the device. This flow should be able to start a browser and
directly take the user to the end-user verification URI with the user
code added as a query parameter (so the user is not required to do any
manual entry). This is sort of possible right now, but the handler
behind verification_uri must expect an optional user_code (in which
case it should not prompt the user).


4. section with guidance for native apps

I think the spec needs a section that explains how native apps can be
used with OAuth 2. Not sure if it is worth getting into pros and cons
for each flow, but all flows can be used.


Marius



On Mon, Jun 7, 2010 at 8:44 AM, Eran Hammer-Lahav <eran@hueniverse.com> wrote:
> I still need to catch up on the list (I took a little break). I plan to post a new draft this week incorporating many editorial changes discussed at the interim meeting. I am also planning of removing some non-stable features (such as discovery and signatures) from the draft and moving them to new drafts. As soon as -06 is published, I plan to issue informal last-calls for each section so that we can lock down the normative portions of the draft.
>
> If you have any must-happen changes for -05 that were not already posted to the list, please let me know.
>
> EHL
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>

v2.23.0 | Report a Bug | By Email