Re: [OAUTH-WG] Device Flow: Alternative to Polling
William Denniss <wdenniss@google.com> Fri, 21 October 2016 22:51 UTC
Return-Path: <wdenniss@google.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 82256129453 for <oauth@ietfa.amsl.com>; Fri, 21 Oct 2016 15:51:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.131
X-Spam-Level:
X-Spam-Status: No, score=-3.131 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-0.431, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PTFt0mmeOYTF for <oauth@ietfa.amsl.com>; Fri, 21 Oct 2016 15:51:07 -0700 (PDT)
Received: from mail-yw0-x22a.google.com (mail-yw0-x22a.google.com [IPv6:2607:f8b0:4002:c05::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B1C15126D73 for <oauth@ietf.org>; Fri, 21 Oct 2016 15:51:07 -0700 (PDT)
Received: by mail-yw0-x22a.google.com with SMTP id u124so118702662ywg.3 for <oauth@ietf.org>; Fri, 21 Oct 2016 15:51:07 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=1VhSBMxEdw63wWVtKw4FRGnUppstPjBWceZeeXwSQmc=; b=apVzZ+9ITwbBmjNiMC9aWor2/3miVSYyoHqHlrBQawodLOaJDXNSIxpWkZb7YDxm1y ksF9vmYeY5Hiw0pks+PWlTfhdoHTxn137mfrV2wjHXONV4TWuoH8AGpMea5KrXNqox/O mkF4Zkr6FawIqmkiNGZpc55fAFMhEOAuqJMhBgU6dHO2RqvhmZtnuAcgcstX8VtbC0Sb DrpzAo7VHIrplRb7UHTjTrwZjdmbaI7hzZXjhRl0k12JG1hrNJv884foN+0VVXad2Bcv DudZF8JnkfZFWBnwhX1E32adtzVR6J0ayLYFpqDMo3F8pcUvP9TlFdkzvoxrAsiUrTYF UJ9w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=1VhSBMxEdw63wWVtKw4FRGnUppstPjBWceZeeXwSQmc=; b=gWrXjgWnT1p3i7eBJO3o1pd2VtUKWM0jMHU1gm1dsMpR4QnjAw4A/Wm6wwujEfIi1D Zt/Rh/7SCU9peBGvIOqih5WAYVVe/NtuUKzyr726T0b7d/91q5nmtd16sojfmA9FY88D fdk6PrYh1BK/WCImTEb2QdPa1ibpQIKMXUvWoaU31p9Y/X9dA23+L2EPntmEWjPwxxaJ VifRvnq0P2V9eXPgDZ7rt+0ifmiIV3GF4WCwAx+O87P16rzFPzLrIiGhJ4SHEEu8/UEq 4zlcGobuGxsU1zGq/LfluraZvAskyGZBFVd+sQnsH5ZQ1W0001EbJW9AXIb38bIn2314 6sZQ==
X-Gm-Message-State: ABUngvddr03EI8zxupQy2yyPjindb0nq0A7X6UCXSA213kAENMe6tM7XYEMQLK4ZAnwtNRM7WjGl3lhxXJXTiswp
X-Received: by 10.13.246.2 with SMTP id g2mr543256ywf.233.1477090266756; Fri, 21 Oct 2016 15:51:06 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.129.132.151 with HTTP; Fri, 21 Oct 2016 15:50:46 -0700 (PDT)
In-Reply-To: <CAGBSGjoO3LiA4NZ9tKrK1KHzBY2MkbfG+XNu_1tnFAptjSnZzQ@mail.gmail.com>
References: <8b540eff-2b1c-2d9f-6d40-2be327f91eb7@gmx.net> <CAGBSGjoO3LiA4NZ9tKrK1KHzBY2MkbfG+XNu_1tnFAptjSnZzQ@mail.gmail.com>
From: William Denniss <wdenniss@google.com>
Date: Fri, 21 Oct 2016 15:50:46 -0700
Message-ID: <CAAP42hC9SubNrhYeoxPUx2faW_G59yQT0Aqm1U5wRVCcb5Qxfw@mail.gmail.com>
To: Aaron Parecki <aaron@parecki.com>
Content-Type: multipart/alternative; boundary="94eb2c035754a751e2053f67e0ab"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/6oX-hyh0PVbI9LrDsbhHeIvPWBY>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Device Flow: Alternative to Polling
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 21 Oct 2016 22:51:09 -0000
We've been operating with polling for a while and handle a decent amount of traffic (the YouTube TV app uses it), the polling gets the job done. The simplicity of the protocol definitely helps when used on constrained devices. I like the idea of adding HTTP/2 based long-poll as an optional enhancement, especially if we can define it in ways that don't alter the underlying protocol a whole lot. On Fri, Oct 21, 2016 at 3:35 PM, Aaron Parecki <aaron@parecki.com> wrote: > Part of the beauty of the current device flow spec is that it's so simple > to support. Keeping that simplicity is crucial especially for this, since > this flow is used by a variety of devices that often do not have higher > level stacks. > > I would love to hear from someone who has experience with large-scale > deployments of this to know whether polling is even a problem in the first > place. > > ---- > Aaron Parecki > aaronparecki.com > @aaronpk <http://twitter.com/aaronpk> > > ---- > Aaron Parecki > aaronparecki.com > @aaronpk <http://twitter.com/aaronpk> > > > On Fri, Oct 21, 2016 at 3:23 PM, Hannes Tschofenig < > hannes.tschofenig@gmx.net> wrote: > >> Hi all, >> >> the device flow document outlines the case when an OAuth interaction >> gets "outsourced" to a separate device in order to allow user >> authentication and collecting the consent. >> >> The exchange is described in Section 1 of >> https://tools.ietf.org/html/draft-ietf-oauth-device-flow-03. >> >> Here is the step that was raised during the discussions: >> >> (E) While the end-user authorizes (or denies) the client's request >> (D), the client repeatedly polls the authorization server to find >> out if the end-user completed the end-user authorization step. >> The client includes the verification code and its client >> identifier. >> >> The question was whether we could come up with an alternative to polling >> since this step could potentially take some time. Hence, it would be >> better if the authorization server has a way to send a message to the >> client without polling. Of course, the polling frequency matters and how >> quickly one (e.g., user) wants to know about the successful authorization. >> >> So, the first question is whether polling is considered as a problem in >> the first place. >> >> If so, then the question is how this could be addressed and (from work >> in other areas) there are really only two approaches: >> >> 1) We make use of some protocol that keeps the connection open and allow >> asynchronous communication. HTTP/2 and Websockets come to mind. >> >> 2) The client can be addressed through some push notification mechanism, >> such as by running an HTTP server on the device that can then be used by >> the authorization server. >> >> Any views about this topic? >> >> Ciao >> Hannes >> >> >> >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org >> https://www.ietf.org/mailman/listinfo/oauth >> >> > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth > >
- Re: [OAUTH-WG] Device Flow: Alternative to Polling William Denniss
- [OAUTH-WG] Device Flow: Alternative to Polling Hannes Tschofenig
- Re: [OAUTH-WG] Device Flow: Alternative to Polling Aaron Parecki
- Re: [OAUTH-WG] Device Flow: Alternative to Polling Simon Moffatt
- Re: [OAUTH-WG] Device Flow: Alternative to Polling Torsten Lodderstedt