[OAUTH-WG] FW: draft-ietf-oauth-v2: Doubt about chapter 4.2

Eran Hammer-Lahav <eran@hueniverse.com> Sat, 07 January 2012 07:00 UTC

From: Eran Hammer-Lahav <eran@hueniverse.com>
To: OAuth WG <oauth@ietf.org>
Date: Sat, 07 Jan 2012 00:00:05 -0700
Thread-Topic: draft-ietf-oauth-v2: Doubt about chapter 4.2
Message-ID: <90C41DD21FB7C64BB94121FBBC2E723453A72D0C2C@P3PW5EX1MB01.EX1.SECURESERVER.NET>
Cc: DIEGO GONZALEZ MARTINEZ <diegog@tid.es>
Subject: [OAUTH-WG] FW: draft-ietf-oauth-v2: Doubt about chapter 4.2

Sending to the right place.

EHL


From: DIEGO GONZALEZ MARTINEZ [mailto:diegog@tid.es]
Sent: Friday, October 07, 2011 1:35 AM
To: draft-ietf-oauth-v2@tools.ietf.org
Subject: draft-ietf-oauth-v2: Doubt about chapter 4.2

Hello,
My name is Diego González, I work in Telefónica R&D and I'm following OAuth 2.0 works as we're using OAuth in Telefónica's APIs exposure programs (e.g.: BlueVia). I as well participate in OMA activities for using OAuth to access OMA standard APIs.
I'm reading through the OAuth 2.0 draft and I have a doubt.

In chapter 4.2.1 for Implicit Grant I can see the following example:
GET /authorize?response_type=token&client_id=s6BhdRkqt3&state=xyz
        &redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb HTTP/1.1
    Host: server.example.com

Then in chapter 4.2.2 I see the following example:

HTTP/1.1 302 Found
     Location: http://example.com/rd#access_token=2YotnFZFEjr1zCsicMWpAA
               &state=xyz&token_type=example&expires_in=3600


The first thing I thought is that this is just a misalignment within the examples and the second example should look like https://client.example.com/cb. Is it?

But then I got the following doubt. Would it make sense for every Client to be redirected to a known web hosted by the resource provider? I mean a set of clients trying to gain access to a Resource, and being always redirected to the same web-hosted resource offered by resource provider, not to the web-client hosted resource.
E.g.: redirect every client using Implicit Grant to https://server.com/accessTokenScriptisHereforEveryOne, no matter what the redirect_uri was.
Do you think this makes sense? Or are there some security problems I am not taking into account?

Kind regards,
    Diego



Diego González Martínez
Telefónica Investigación y Desarrollo
Iniciativa NeoSDP
e-mail: diegog@tid.es
Phone: +34 983 36 75 97
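The question above turns on how the authorization server treats redirect_uri in the implicit grant. The following is an added example, not code from this thread, from the draft, or from Telefónica/BlueVia, showing the handling RFC 6749 (the RFC this draft became) requires: the client must be known, a supplied redirect_uri must match a registered one exactly, on a mismatch the user agent must not be redirected to the supplied URI, and on success the token parameters travel in the URI fragment. The registration table, the issued token value and the hypothetical function names are constructed for the example; the registered client reuses the client_id and callback URI from the 4.2.1 request quoted above.

```python
"""Implicit-grant redirect handling for an OAuth 2.0 authorization server.

Added example for the OAuth WG thread on draft-ietf-oauth-v2 chapter 4.2.
Not code from the thread, the draft, or any named project. The registration
table and token values below are constructed sample data.
"""
from typing import Dict, Optional, Set
from urllib.parse import urlencode, urlsplit

# Constructed registration store: client_id -> redirect URIs registered out of
# band. The authorization server compares the redirect_uri parameter against
# these before delivering anything to it (RFC 6749 section 3.1.2.3).
REGISTERED_CLIENTS: Dict[str, Set[str]] = {
    "s6BhdRkqt3": {"https://client.example.com/cb"},
}


def validate_redirect_uri(client_id: str, redirect_uri: Optional[str]) -> str:
    """Return the URI the response may be sent to, or raise ValueError.

    Rules (RFC 6749 sections 3.1.2 and 4.2.1): the client must be registered;
    if exactly one URI is registered the parameter may be omitted; otherwise
    it is required and must equal a registered URI exactly (no prefix or
    wildcard matching), be absolute, and carry no fragment component.
    """
    registered = REGISTERED_CLIENTS.get(client_id)
    if not registered:
        raise ValueError("unknown client_id")
    if redirect_uri is None:
        if len(registered) == 1:
            return next(iter(registered))
        raise ValueError("redirect_uri required: several URIs registered")
    parts = urlsplit(redirect_uri)
    if not parts.scheme or not parts.netloc:
        raise ValueError("redirect_uri must be an absolute URI")
    if parts.fragment:
        raise ValueError("redirect_uri must not contain a fragment")
    if redirect_uri not in registered:
        # Section 4.2.2.1: on a mismatch the server informs the resource owner
        # and MUST NOT redirect the user agent to the supplied URI.
        raise ValueError("redirect_uri does not match a registered URI")
    return redirect_uri


def build_implicit_redirect(redirect_uri: str, access_token: str,
                            token_type: str, expires_in: int,
                            state: Optional[str]) -> str:
    """Build the 4.2.2 Location value for a successful implicit grant.

    The token parameters go in the fragment, so the user agent keeps them
    local to the client's script and does not send them to the HTTP server
    hosting redirect_uri. Constructed example output only.
    """
    params = {"access_token": access_token, "token_type": token_type,
              "expires_in": str(expires_in)}
    if state is not None:
        params["state"] = state  # echoed verbatim so the client can check it
    return "%s#%s" % (redirect_uri, urlencode(params))


def handle_implicit_authorization(client_id: str, redirect_uri: Optional[str],
                                  state: Optional[str]) -> str:
    """Validate the request and return the Location header for the 302."""
    target = validate_redirect_uri(client_id, redirect_uri)
    # Constructed token values; a real server issues fresh random tokens.
    return build_implicit_redirect(target, "2YotnFZFEjr1zCsicMWpAA",
                                   "example", 3600, state)


if __name__ == "__main__":
    print(handle_implicit_authorization(
        "s6BhdRkqt3", "https://client.example.com/cb", "xyz"))
```

Because the match is an exact string comparison against what the client registered, the redirect target is chosen by the registration step, not by whoever composed the authorization request; that is the property a single shared redirect page would have to preserve.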

