Re: [OAUTH-WG] Username and Password flow: no captcha?

Luke Shepard <lshepard@facebook.com> Mon, 07 June 2010 18:30 UTC

The username/password flow is designed to work in a situation where there is no web browser available. At least at Facebook, none of our clients implement captcha - it doesn't really make sense in many contexts.

A provider is still welcome to offer a non-standard captcha support but it shouldn't be part of the core spec.

On Jun 7, 2010, at 8:40 AM, Andrew Arnott <andrewarnott@gmail.com> wrote:

In WRAP, there was a CAPTCHA in this profile, but I don't see it in the latest OAuth 2.0 draft.  Since I've already implemented the CAPTCHA stuff from WRAP, I'll leave it there if the OAuth 2.0 is likely to pick it up, or rip it out now if OAuth 2.0 decided it wasn't necessary.

Does anyone from the WG have something they can say on the subject?
--
Andrew Arnott
"I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - S. G. Tallentyre