Re: [OAUTH-WG] OAuth 2 for Native Apps

Marius Scurtescu <mscurtescu@google.com> Mon, 28 June 2010 18:11 UTC

On Fri, Jun 25, 2010 at 10:33 PM, Torsten Lodderstedt
<torsten@lodderstedt.net> wrote:
> comment/question regarding the Embedded Browser scenario: Are the URL bar and
> SSL verification symbols (lock + green bar) visible in that scenario?
> Otherwise, the user has no chance to verify the identity of the IDP/OAuth
> server. So there might be problems regarding password phishing.

AFAIK the URL bar is not visible.

Who would phish the end user? If it is the native app, then all bets
are off regardless; the native app can show a fake address bar if it
really wants.

Marius


>
> regards,
> Torsten.
>
> Am 22.06.2010 02:54, schrieb Marius Scurtescu:
>>
>> Here is the wiki page: http://wiki.oauth.net/OAuth-2-for-Native-Apps
>>
>> Feel free to edit or comment.
>>
>> Marius
>>
>>
>>
>> On Wed, Jun 9, 2010 at 10:59 AM, David Recordon <recordond@gmail.com> wrote:
>>
>>>
>>> Want to put this on the wiki http://wiki.oauth.net/?
>>>
>>>
>>> On Mon, Jun 7, 2010 at 12:25 PM, Marius Scurtescu <mscurtescu@google.com> wrote:
>>>
>>>>
>>>> Hi,
>>>>
>>>> I attached a document that summarizes how native applications can use
>>>> OAuth 2.
>>>>
>>>> Feedback more than welcome, especially if you have experience with
>>>> native apps and OAuth.
>>>>
>>>> The current Web Server and Device flows need small changes and
>>>> clarifications in order to properly support native apps, I will start
>>>> a separate thread on that.
>>>>
>>>> Marius