[OAUTH-WG] CORS and public vs. confidential clients
Bill Burke <bburke@redhat.com> Thu, 27 March 2014 15:53 UTC
Message-ID: <53344407.1050802@redhat.com>
Date: Thu, 27 Mar 2014 11:30:15 -0400
From: Bill Burke <bburke@redhat.com>
To: "oauth@ietf.org" <oauth@ietf.org>
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/14wlRfkjMBATfbdoOrQ0zeKNka8
I'm still trying to wrap my head around the differences between public and confidential clients. In our IDP impl, we check redirect URIs and associate a lot of private metadata to the access code to ensure there is no client_id swapping. My understanding was that confidential clients made sure that only an authenticated client could obtain an access token.

What if you throw CORS in the mix where your browser needs the access token (and the ability to refresh it) to make cross-domain requests? Doesn't this remove a large benefit of confidential clients?

Anybody know a good document that describes the difference and pros/cons of public vs. confidential clients beyond the actual OAUTH spec itself?

Thanks

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
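The two controls the message contrasts, side by side, as an added Python example that is not code from the message or from the IdP it describes: the authorization server binds each issued code to the client_id and redirect_uri it was minted for (so the code cannot be redeemed under a swapped client_id, and is single-use), and on top of that only a confidential client is asked to authenticate at the token endpoint. A browser-based client cannot keep a secret, so it is registered as public and the code binding is the control that remains for it. Every class, function and client name here is hypothetical, and the registered clients and secret are constructed for the demo.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Set


@dataclass
class Client:
    """Registered client; only confidential clients are provisioned a secret."""
    client_id: str
    redirect_uris: Set[str]
    confidential: bool
    secret: Optional[str] = None


@dataclass
class IssuedCode:
    """Private metadata the server keeps server-side for each authorization code."""
    client_id: str
    redirect_uri: str
    user: str
    scope: str
    used: bool = False


class AuthServer:
    """Hypothetical authorization server with authorize() and token() endpoints."""

    def __init__(self) -> None:
        self.clients: Dict[str, Client] = {}
        self.codes: Dict[str, IssuedCode] = {}

    def register(self, client: Client) -> None:
        if client.confidential and not client.secret:
            raise ValueError("confidential client needs a secret")
        self.clients[client.client_id] = client

    def authorize(self, client_id: str, redirect_uri: str, user: str, scope: str) -> str:
        """Authorization endpoint (after user consent): issue a code bound to the
        exact client_id and redirect_uri of the request."""
        client = self.clients[client_id]
        # Exact match against the registered set: no prefix or wildcard matching.
        if redirect_uri not in client.redirect_uris:
            raise ValueError("invalid redirect_uri for client")
        code = secrets.token_urlsafe(24)
        self.codes[code] = IssuedCode(client_id, redirect_uri, user, scope)
        return code

    def token(self, code: str, client_id: str, redirect_uri: str,
              client_secret: Optional[str] = None) -> dict:
        """Token endpoint for grant_type=authorization_code."""
        client = self.clients.get(client_id)
        if client is None:
            return {"error": "invalid_client"}
        # Confidential clients must authenticate; public clients cannot, so for
        # them the code binding below is the only remaining control.
        if client.confidential:
            if client_secret is None or not hmac.compare_digest(client.secret, client_secret):
                return {"error": "invalid_client"}
        issued = self.codes.get(code)
        if issued is None or issued.used:
            return {"error": "invalid_grant"}
        # Burn the code on first presentation, even a failed one, so a code
        # presented under the wrong client_id cannot be retried.
        issued.used = True
        if issued.client_id != client_id or issued.redirect_uri != redirect_uri:
            return {"error": "invalid_grant"}
        return {"access_token": secrets.token_urlsafe(32),
                "token_type": "Bearer", "scope": issued.scope}


def demo() -> Dict[str, dict]:
    """Constructed scenario exercising each check; returns the outcome per case."""
    srv = AuthServer()
    srv.register(Client("web-app", {"https://app.example/cb"}, True, "constructed-secret"))
    srv.register(Client("spa", {"https://spa.example/cb"}, False))
    srv.register(Client("other-app", {"https://other.example/cb"}, False))
    out: Dict[str, dict] = {}

    code = srv.authorize("web-app", "https://app.example/cb", "alice", "profile")
    # Confidential client redeems its own code with its secret: succeeds.
    out["confidential_ok"] = srv.token(code, "web-app", "https://app.example/cb", "constructed-secret")
    # The same code presented again: rejected, codes are single-use.
    out["replay"] = srv.token(code, "web-app", "https://app.example/cb", "constructed-secret")

    code = srv.authorize("web-app", "https://app.example/cb", "alice", "profile")
    # Another client presents a code issued to web-app: rejected by the binding.
    out["client_swap"] = srv.token(code, "other-app", "https://other.example/cb")

    code = srv.authorize("web-app", "https://app.example/cb", "alice", "profile")
    # Confidential client without its secret: rejected before the code is looked at.
    out["missing_secret"] = srv.token(code, "web-app", "https://app.example/cb")

    code = srv.authorize("spa", "https://spa.example/cb", "alice", "profile")
    # Public client needs no secret; the binding is still enforced for it.
    out["public_ok"] = srv.token(code, "spa", "https://spa.example/cb")
    return out


if __name__ == "__main__":
    for case, result in demo().items():
        print(case, result)
```

The ordering in `token()` is deliberate: client authentication is checked before the code is consulted, so an unauthenticated confidential client learns nothing about whether a code exists, and the code is marked used before the binding comparison, so a mismatch costs the code.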