Re: [OAUTH-WG] Flowchart for legs of OAuth
Phil Hunt <phil.hunt@oracle.com> Wed, 09 March 2011 21:01 UTC
Return-Path: <phil.hunt@oracle.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id DD9F13A6AD2 for <oauth@core3.amsl.com>; Wed, 9 Mar 2011 13:01:01 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.506
X-Spam-Level:
X-Spam-Status: No, score=-6.506 tagged_above=-999 required=5 tests=[AWL=0.093, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NyPXm+3sDm2U for <oauth@core3.amsl.com>; Wed, 9 Mar 2011 13:01:01 -0800 (PST)
Received: from rcsinet10.oracle.com (rcsinet10.oracle.com [148.87.113.121]) by core3.amsl.com (Postfix) with ESMTP id 3A8BB3A6943 for <oauth@ietf.org>; Wed, 9 Mar 2011 13:01:00 -0800 (PST)
Received: from acsinet15.oracle.com (acsinet15.oracle.com [141.146.126.227]) by rcsinet10.oracle.com (Switch-3.4.2/Switch-3.4.2) with ESMTP id p29L2FiG010038 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Wed, 9 Mar 2011 21:02:16 GMT
Received: from acsmt355.oracle.com (acsmt355.oracle.com [141.146.40.155]) by acsinet15.oracle.com (Switch-3.4.2/Switch-3.4.1) with ESMTP id p29EJHWO019534; Wed, 9 Mar 2011 21:02:14 GMT
Received: from abhmt019.oracle.com by acsmt354.oracle.com with ESMTP id 1073085251299704529; Wed, 09 Mar 2011 13:02:09 -0800
Received: from [192.168.1.8] (/24.85.235.164) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Wed, 09 Mar 2011 13:02:08 -0800
Mime-Version: 1.0 (Apple Message framework v1082)
Content-Type: text/plain; charset="us-ascii"
From: Phil Hunt <phil.hunt@oracle.com>
In-Reply-To: <4D77E6F5.2060003@lodderstedt.net>
Date: Wed, 09 Mar 2011 13:02:07 -0800
Content-Transfer-Encoding: quoted-printable
Message-Id: <36FA5946-EF9B-4212-ADB5-BF762EA6827A@oracle.com>
References: <22FB565B-A701-4502-818F-15164D9E201A@oracle.com> <4D77E6F5.2060003@lodderstedt.net>
To: Torsten Lodderstedt <torsten@lodderstedt.net>
X-Mailer: Apple Mail (2.1082)
X-Source-IP: acsmt355.oracle.com [141.146.40.155]
X-Auth-Type: Internal IP
X-CT-RefId: str=0001.0A0B0209.4D77EAD7.000C,ss=1,fgs=0
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Flowchart for legs of OAuth
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 09 Mar 2011 21:01:01 -0000
Torsten, Thanks! Yes...I kind of omitted some of the flow decisions to keep the diagram simpler. I also note that there has been quite a lot of discussion on the pre-ambles to Implicit grant, etc. That said, I'm not sure I like binding application type (web app, javascript app) to a particular flow. Some have said that the spec shouldn't deal in best-practices (what flow should be used by specific client types) as much as just focusing on the normative requirements for each flow type. It seems conceivable to me that people will come up with new scenarios that don't fit the current definitions and the spec will 'break'. With that in mind, the only real difference I saw between 4.1 and 4.2 was one had client auth and an extra step, and while implicit did 2 steps at once with only user authentication as a requirement. Though this has been discussed on another thread and I'll probably update once a decision is made (draft 14?). Phil phil.hunt@oracle.com On 2011-03-09, at 12:45 PM, Torsten Lodderstedt wrote: > Hi Phil, > > that's great help for anyone looking for advice how to use OAuth. > > One remark: In my opinion, the decision process for authorization code vs. implicit grant involves more parameters. > > refresh token required? --> authz code > client in question is a web application? --> authz code > client in question is a JavaScript app? --> implicit grant > client authentication required --> authz code > else --> implicit grant > > regards, > Torsten. > > Am 22.02.2011 01:45, schrieb Phil Hunt: >> FYI. I published a blog post with a flow-chart explaining the legs of OAuth. >> http://independentidentity.blogspot.com/2011/02/does-oauth-have-legs.html >> >> Please let me know if any corrections should be made, or for that matter, any improvements! >> >> Phil >> phil.hunt@oracle.com >> >> >> >> >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org >> https://www.ietf.org/mailman/listinfo/oauth
- [OAUTH-WG] Flowchart for legs of OAuth Phil Hunt
- Re: [OAUTH-WG] Flowchart for legs of OAuth Anthony Nadalin
- Re: [OAUTH-WG] Flowchart for legs of OAuth Torsten Lodderstedt
- Re: [OAUTH-WG] Flowchart for legs of OAuth Phil Hunt
- Re: [OAUTH-WG] Flowchart for legs of OAuth David Primmer
- Re: [OAUTH-WG] Flowchart for legs of OAuth Phillip Hunt
- Re: [OAUTH-WG] Flowchart for legs of OAuth Eran Hammer-Lahav
- Re: [OAUTH-WG] Flowchart for legs of OAuth Anil Saldhana
- Re: [OAUTH-WG] Flowchart for legs of OAuth Phil Hunt
- Re: [OAUTH-WG] Flowchart for legs of OAuth Torsten Lodderstedt
- Re: [OAUTH-WG] Flowchart for legs of OAuth Marius Scurtescu
- Re: [OAUTH-WG] Flowchart for legs of OAuth Phil Hunt
- Re: [OAUTH-WG] Flowchart for legs of OAuth Phil Hunt
- Re: [OAUTH-WG] Flowchart for legs of OAuth Marius Scurtescu
- Re: [OAUTH-WG] Flowchart for legs of OAuth Torsten Lodderstedt
- Re: [OAUTH-WG] Flowchart for legs of OAuth Kris Selden
- Re: [OAUTH-WG] Flowchart for legs of OAuth Phil Hunt
- Re: [OAUTH-WG] Flowchart for legs of OAuth Skylar Woodward
- Re: [OAUTH-WG] Flowchart for legs of OAuth Marius Scurtescu
- Re: [OAUTH-WG] Flowchart for legs of OAuth Skylar Woodward
- Re: [OAUTH-WG] Flowchart for legs of OAuth Kris Selden
- Re: [OAUTH-WG] Flowchart for legs of OAuth Anthony Nadalin
- Re: [OAUTH-WG] Flowchart for legs of OAuth Marius Scurtescu
- Re: [OAUTH-WG] Flowchart for legs of OAuth Phil Hunt
- Re: [OAUTH-WG] Flowchart for legs of OAuth Zeltsan, Zachary (Zachary)
- Re: [OAUTH-WG] Flowchart for legs of OAuth Justin Richer
- Re: [OAUTH-WG] Flowchart for legs of OAuth Marius Scurtescu
- Re: [OAUTH-WG] Flowchart for legs of OAuth Phil Hunt
- Re: [OAUTH-WG] Flowchart for legs of OAuth Torsten Lodderstedt
- Re: [OAUTH-WG] Flowchart for legs of OAuth Zeltsan, Zachary (Zachary)
- Re: [OAUTH-WG] Flowchart for legs of OAuth Skylar Woodward
- Re: [OAUTH-WG] Flowchart for legs of OAuth Marius Scurtescu
- Re: [OAUTH-WG] Flowchart for legs of OAuth Phil Hunt
- Re: [OAUTH-WG] Flowchart for legs of OAuth torsten
- Re: [OAUTH-WG] Flowchart for legs of OAuth Justin Richer
- Re: [OAUTH-WG] Flowchart for legs of OAuth Phillip Hunt
- Re: [OAUTH-WG] Flowchart for legs of OAuth Chuck Mortimore
- Re: [OAUTH-WG] Flowchart for legs of OAuth Zeltsan, Zachary (Zachary)
- Re: [OAUTH-WG] Flowchart for legs of OAuth Skylar Woodward
- Re: [OAUTH-WG] Flowchart for legs of OAuth Torsten Lodderstedt
- Re: [OAUTH-WG] Flowchart for legs of OAuth Skylar Woodward
- Re: [OAUTH-WG] Flowchart for legs of OAuth Skylar Woodward
- Re: [OAUTH-WG] Flowchart for legs of OAuth Torsten Lodderstedt
- Re: [OAUTH-WG] Flowchart for legs of OAuth Phil Hunt
- Re: [OAUTH-WG] Flowchart for legs of OAuth torsten
- Re: [OAUTH-WG] Flowchart for legs of OAuth Phil Hunt
- Re: [OAUTH-WG] Flowchart for legs of OAuth Skylar Woodward
- Re: [OAUTH-WG] Flowchart for legs of OAuth Skylar Woodward
- Re: [OAUTH-WG] Flowchart for legs of OAuth Phil Hunt
- Re: [OAUTH-WG] Flowchart for legs of OAuth Justin Richer
- Re: [OAUTH-WG] Flowchart for legs of OAuth Phillip Hunt