Re: [OAUTH-WG] [WRAP] WRAP in GSMA OneAPI

[Kevin Smith <mrkrcsmith@googlemail.com>]

Hi David, Blaine,

We (the OneAPI group) have been looking further into OAUTH 2.0 and would
like to see how it can work in a mobile network scenario: for example, a
desktop Web application wants to locate a mobile user to plot their location
on a map. So the client is the Web application and the server is an HTTP
platform sitting on top of the mobile core network.

 It seems that the Web application could register a client ID and client
secret with the OneAPI-implementing server. When location is requested by
this client, the server would prompt the user, and if permission were
received, would enable the client to access the location via an access
token/secret.

One difference to the regular OAUTH flow is that  'post-pay' contract
network subscribers would not have to enter a username/password to identify
themselves since they would be implicitly identified on the network anyway;
they would just need to confirm authorisation ('Allow/Block'). We are not
sure how to handle pre-pay users that buy phone credits in advance.

In case either of you (or any other OAUTH expert) would be available to lead
a discussion on the technology, and to answer questions from mobile
operators and platform vendors, we are having a meeting next Tuesday in
London. The meeting is also accessible over Webex. Please let me know if you
would be willing to do so, as I'm sure it will help kick-start our
implementation work.

Cheers!
Kevin

On Thu, May 6, 2010 at 6:13 AM, David Recordon <recordond@gmail.com> wrote:

> +OAuth IETF list
> -WRAP list to BCC
>
> Hi Kevin,
> OAuth 2.0 should be pretty simple for you to implement and any feedback
> your team has would be really appreciated! There are already implementations
> in Cocoa, Python, and Ruby list on the wiki at
> http://wiki.oauth.net/OAuth-2.0 and you find find the spec at
> http://tools.ietf.org/html/draft-hammer-oauth2-00.
>
> You may also be interested in the mobile web implementation we've built at
> Facebook. http://developers.facebook.com/docs/guides/mobile/
>
> I'm also cc'ing Blaine Cook who lives in Ireland and might be able to
> present.
>
> Cheers,
> --David
>
>
> On Tue, May 4, 2010 at 4:20 AM, Kevin Smith, Vodafone <
> mrkrcsmith@googlemail.com> wrote:
>
>> Dear OAUTH WRAP group,
>>
>> My name is Kevin Smith of Vodafone R&D, and I lead a cross-mobile
>> operator project called OneAPI ('Open Network Enablers') [1]. The aim
>> is to provide a RESTful API to expose network functions such as
>> location, messaging, payments and more to developers; with the
>> reckoning that this will make it far easier to mash-up Web
>> applications with network capabilities and reduce the time to reach
>> all mobile subscribers in a territory. Thus far we have a live pilot
>> implementation across the 3 major Canadian operators [2] and a non-
>> commercial test site connected to
>> 12 European operators [3], and will be releasing v1.0 specifications
>> backed by the OMA this month.
>>
>> For the first release we did not attempt to prescribe an AAA model to
>> operators, instead leaving them to reuse their own SDP AAA
>> implementation for OneAPI. For our second phase now underway we would
>> like to provide a recommended reference implementation AAA model for
>> operators who are unsure how to allow secure API access whilst
>> allowing user consent and privacy to be respected. Therefore we have
>> discussed OAUTH as an ideal candidate that will be well-known to Web
>> developers.
>>
>> My question regards the suitability of WRAP for such a reference
>> implementation: the decoupling of authentication is good sense and
>> would be welcome by operators, however it appears that WRAP is
>> deprecated and is intended to be replaced by OAUTH 2.0 - is that
>> right?  Please could you provide any details on the plans for if/how
>> the two will interoperate? If it's at all possible, we would very much
>> welcome a member of the group to present on WRAP at one of our face-to-
>> face meetings in London - if that is of interest please let me know
>> and I can make arrangements.
>>
>> Thanks for your time and look forward to your advice.
>>
>> Kind regards,
>> Kevin
>>
>> [1] http://www.gsmworld.com/oneapi
>> [2] http://canada.oneapi.gsmworld.com/
>> [3] http://oneapi.aepona.com/
>>
>> Kevin Smith
>> Senior Technology Strategist, R&D
>> Vodafone Technology
>>
>> E-mail: kevin.smith@vodafone.com
>>
>> --
>> You received this message because you are subscribed to the Google Groups
>> "OAuth WRAP WG" group.
>> To post to this group, send email to oauth-wrap-wg@googlegroups.com.
>> To unsubscribe from this group, send email to
>> oauth-wrap-wg+unsubscribe@googlegroups.com<oauth-wrap-wg%2Bunsubscribe@googlegroups.com>
>> .
>> For more options, visit this group at
>> http://groups.google.com/group/oauth-wrap-wg?hl=en.
>>
>>
>  --
> You received this message because you are subscribed to the Google Groups
> "OAuth WRAP WG" group.
> To post to this group, send email to oauth-wrap-wg@googlegroups.com.
> To unsubscribe from this group, send email to
> oauth-wrap-wg+unsubscribe@googlegroups.com<oauth-wrap-wg%2Bunsubscribe@googlegroups.com>
> .
> For more options, visit this group at
> http://groups.google.com/group/oauth-wrap-wg?hl=en.
>