Re: [OAUTH-WG] user-agent flow needs a rewrite

Naitik Shah <n@daaku.org> Tue, 13 July 2010 21:28 UTC

In-Reply-To: <C862235A.371F8%eran@hueniverse.com>
References: <AANLkTimYZg_PrDn9JvjHwuVHOwZuGIPZk6affFCTPQor@mail.gmail.com> <C862235A.371F8%eran@hueniverse.com>
From: Naitik Shah <n@daaku.org>
Date: Tue, 13 Jul 2010 14:27:56 -0700
Message-ID: <AANLkTin98uuCmGfr-X0A7JrN1LfUwKlb2RF3FYhJTDev@mail.gmail.com>
To: Eran Hammer-Lahav <eran@hueniverse.com>
Cc: OAuth WG <oauth@ietf.org>

On Tue, Jul 13, 2010 at 2:06 PM, Eran Hammer-Lahav <eran@hueniverse.com> wrote:

> This looks reasonable, however, I no longer see the value in the
> hybrid mode of token and code. If the code is passed in the fragment, the
> client has to pass it to the server. If that is the case, why can’t the
> server reply back with the access token? Is the entire purpose just a
> performance optimization so the client doesn’t have to wait for the server
> response before it has an access token?
>
>
I think there are two use cases here, and they are not mutually exclusive.
Some apps are mostly just server side, and would end up doing a full page
refresh, and here the code in the query param would probably be acceptable.
Some apps are mostly just client side, and here the code is irrelevant and
the access token in the fragment is all that matters. But we also have
hybrids where we want the code in a cookie/JS callback, and we'll also use
the access token on the client to dynamically update the UI by accessing
some protected data (this is what the Data enabled XFBML tags do in the
Facebook JS SDK for instance). While the server can do the code to
access_token exchange, it can't return it to the JS safely if it does not
support https. Even if it did, it would mean more overhead for the developer
to build an endpoint that does this work and cooperates with a JS SDK which
wants the access_token for making API calls.


-Naitik