IETF Logo Mail Archive

Re: [OAUTH-WG] Flowchart for legs of OAuth

Phil Hunt <phil.hunt@oracle.com> Mon, 04 April 2011 20:57 UTC

Return-Path: <phil.hunt@oracle.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 83C9C3A67B7 for <oauth@core3.amsl.com>; Mon, 4 Apr 2011 13:57:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.539
X-Spam-Level:
X-Spam-Status: No, score=-6.539 tagged_above=-999 required=5 tests=[AWL=0.060, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EouykKkAYd4P for <oauth@core3.amsl.com>; Mon, 4 Apr 2011 13:57:36 -0700 (PDT)
Received: from rcsinet10.oracle.com (rcsinet10.oracle.com [148.87.113.121]) by core3.amsl.com (Postfix) with ESMTP id 985803A67EE for <oauth@ietf.org>; Mon, 4 Apr 2011 13:57:36 -0700 (PDT)
Received: from acsinet15.oracle.com (acsinet15.oracle.com [141.146.126.227]) by rcsinet10.oracle.com (Switch-3.4.2/Switch-3.4.2) with ESMTP id p34KxGg9011757 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Mon, 4 Apr 2011 20:59:18 GMT
Received: from acsmt356.oracle.com (acsmt356.oracle.com [141.146.40.156]) by acsinet15.oracle.com (Switch-3.4.2/Switch-3.4.1) with ESMTP id p34KxFPL024993 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Mon, 4 Apr 2011 20:59:16 GMT
Received: from abhmt020.oracle.com (abhmt020.oracle.com [141.146.116.29]) by acsmt356.oracle.com (8.12.11.20060308/8.12.11) with ESMTP id p34KxF78009186; Mon, 4 Apr 2011 15:59:15 -0500
Received: from [192.168.1.8] (/24.85.235.164) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Mon, 04 Apr 2011 13:59:15 -0700
Mime-Version: 1.0 (Apple Message framework v1084)
Content-Type: text/plain; charset="us-ascii"
From: Phil Hunt <phil.hunt@oracle.com>
In-Reply-To: <1301947797.31750.53.camel@ground>
Date: Mon, 04 Apr 2011 13:59:13 -0700
Content-Transfer-Encoding: quoted-printable
Message-Id: <EA481D30-1614-4A80-A4BB-4E4B599CF1C9@oracle.com>
References: <22FB565B-A701-4502-818F-15164D9E201A@oracle.com> <AANLkTimGjiCGk5dpA=YVzq5vDkLR2+caSz=pZ5WiZO9H@mail.gmail.com> <3C84AD7A-F00F-43EC-AAD3-AD2DCFB46B0E@oracle.com> <90C41DD21FB7C64BB94121FBBC2E7234464F432BB0@P3PW5EX1MB01.EX1.SECURESERVER.NET> <4D84F7E2.6090305@redhat.com> <16B9A882-6204-4CBD-B7E3-1D806AF5056C@oracle.com> <4D8A5054.4050006@lodderstedt.net> <BANLkTiniuuRXtkzLubgOjVursVtOGjFe6A@mail.gmail.com> <7616C235-2913-4EE0-A710-F47A4CC9E424@oracle.com> <BANLkTi=XyF25vB6qKX2q8iOpEaZ1yQx9Jw@mail.gmail.com> <65E3F250-5111-4692-BFA7-F5B838E9B41D@gmail.com> <BANLkTik5u5+jjTwnwNCQVyzMux4aMB98yg@mail.gmail.com> <DB132E2B-D363-46D3-8E7F-E5AD1BF8081E@kiva.org> <1301947797.31750.53.camel@ground>
To: Justin Richer <jricher@mitre.org>
X-Mailer: Apple Mail (2.1084)
X-Source-IP: acsmt356.oracle.com [141.146.40.156]
X-Auth-Type: Internal IP
X-CT-RefId: str=0001.0A090207.4D9A3124.0096:SCFSTAT5015188,ss=1,fgs=0
Cc: Kris Selden <kris.selden@gmail.com>, "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Flowchart for legs of OAuth
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 04 Apr 2011 20:57:37 -0000

Does section 3.2 help you?
"In addition, the authorization server MAY allow unauthenticated access token requests when the client identity does not matter (e.g. anonymous client) or when the client identity is established via other means."

Phil
phil.hunt@oracle.com




On 2011-04-04, at 1:09 PM, Justin Richer wrote:

> Agreed - we are planning to use the auth-code flow for native apps and
> have no immediate plans to use implicit mode for native clients, either.
> We'd be using the auth-code flow with a client id only and no client
> secret, which I think is the pattern that everyone else is planning to
> follow.
> 
> -- justin
> 
> On Mon, 2011-04-04 at 14:54 -0400, Skylar Woodward wrote:
>> I agree with Marius' points. We plan to support the auth-code flow for native apps as well.  There is no reason why native apps can't perform a successful auth-code flow, they just do so without client credentials.  However, the spec doesn't make it clear that this is viable option.
>> 
>> skylar
>> 
>> 
>> On Apr 4, 2011, at 2:29 PM, Marius Scurtescu wrote:
>> 
>>> On Mon, Apr 4, 2011 at 10:47 AM, Kris Selden <kris.selden@gmail.com> wrote:
>>>> A typical iPhone app cannot be shipped with a client secret and rightly or wrongly users expect to only have to enter their credentials once.
>>>> 
>>>> What is the best profile to use for an app that can't have a client secret and needs a refresh token or a long lived access token?
>>> 
>>> The authorization code grant, aka web server flow.
>>> 
>>> The spec is misleading in this respect IMO.
>>> 
>>> Marius
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>> 
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
> 
> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email