Re: [OAUTH-WG] Draft -07 (major rewrite)

[Eran Hammer-Lahav <eran@hueniverse.com>]

> -----Original Message-----
> From: Brian Eaton [mailto:beaton@google.com]
> Sent: Monday, June 14, 2010 11:23 AM
> To: Eran Hammer-Lahav
> Cc: Andrew Arnott; OAuth WG (oauth@ietf.org)
> Subject: Re: [OAUTH-WG] Draft -07 (major rewrite)
> 
> On Mon, Jun 14, 2010 at 9:18 AM, Eran Hammer-Lahav
> <eran@hueniverse.com> wrote:
> > Adding a verification code to the user-agent flow was suggested on
> > this list and received nothing but support. It was suggested as a
> > solution to a Twitter use case. Once that is added in, the two flows
> > only differ in how the response is delivered and the presence of an
> > access token in the response (which currently is a MUST NOT for
> > web-server but I don't know if this restriction is need).
> 
> Yeah, this matters.  If you return an access token on the web-server flow,
> several things break:
> - you can no longer rely on the client secret to authenticate the callback URL.
> - you lose all hope of getting to LOA 2 with this protocol, because the access
> token is visible to the client.
> - you lose the clarity of how the web server flow is supposed to work.

Ok. No change needed.
 
> Bike-shed painting:
> 
> The use-cases for web server and user-agent flow are also different.
> I'd prefer to have the spec call out different profiles for different use-cases,
> because it makes it much easier to figure out what a given application should
> be doing.
> 
> During the WRAP work I argued that we didn't need a type parameter, and
> after looking at WRAP implementations I've changed my mind.
> Please leave it in.

Which one? The type on the end-user authorization endpoint (user_agent and web_server) or the type on the token endpoint?

EHL