[OAUTH-WG] FW: draft-ietf-oauth-v2: Doubt about chapter 4.2
Eran Hammer-Lahav <eran@hueniverse.com> Sat, 07 January 2012 07:00 UTC
From: Eran Hammer-Lahav <eran@hueniverse.com>
To: OAuth WG <oauth@ietf.org>
Date: Sat, 07 Jan 2012 00:00:05 -0700
Cc: DIEGO GONZALEZ MARTINEZ <diegog@tid.es>
Sending to the right place.

EHL

From: DIEGO GONZALEZ MARTINEZ [mailto:diegog@tid.es]
Sent: Friday, October 07, 2011 1:35 AM
To: draft-ietf-oauth-v2@tools.ietf.org
Subject: draft-ietf-oauth-v2: Doubt about chapter 4.2

Hello,

My name is Diego González, I work in Telefónica R&D and I'm following the OAuth 2.0 work, as we're using OAuth in Telefónica's API exposure programs (e.g. BlueVia). I as well participate in OMA activities for using OAuth to access OMA standard APIs.

I'm reading through the OAuth 2.0 draft and I have a doubt. In chapter 4.2.1 for Implicit Grant I can see the following example:

    GET /authorize?response_type=token&client_id=s6BhdRkqt3&state=xyz
        &redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb HTTP/1.1
    Host: server.example.com

Then in chapter 4.2.2 I see the following example:

    HTTP/1.1 302 Found
    Location: http://example.com/rd#access_token=2YotnFZFEjr1zCsicMWpAA
              &state=xyz&token_type=example&expires_in=3600

The first thing I thought is that this is just a misalignment between the examples and the second example should look like https://client.example.com/cb. Is it?

But then I got the following doubt. Would it make sense for every Client to be redirected to a known web hosted by the resource provider? I mean a set of clients trying to gain access to a Resource, and always being redirected to the same web-hosted resource offered by the resource provider, not to the web-client-hosted resource. E.g.: redirect every client using Implicit Grant to https://server.com/accessTokenScriptisHereforEveryOne, no matter what the redirect_uri was.

Do you think this makes sense? Or are there some security problems I am not taking into account?

Kind regards,
Diego

Diego González Martínez
Telefónica Investigación y Desarrollo
Iniciativa NeoSDP
e-mail: diegog@tid.es
Phone: +34 983 36 75 97
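An added illustration of the two steps the question is about (not code from the draft or from either poster): the authorization server checks the requested redirect_uri against the value registered for the client_id before building the 4.2.2 fragment redirect, and the client-side script reads the token back out of the fragment. The client registry is a constructed stand-in for whatever the server actually stores.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

# Constructed client registry (example data, not from the draft): each client
# has exactly one pre-registered redirection endpoint.
REGISTERED_REDIRECT_URIS = {
    "s6BhdRkqt3": "https://client.example.com/cb",
}


def validate_redirect_uri(client_id, redirect_uri):
    """Return the redirect URI to use, or None if the request must be refused.

    The requested redirect_uri is compared with the registered value by simple
    string comparison. A mismatch is rejected, not silently replaced: the
    fragment carrying the token only reaches script on the page the browser
    loads, so sending the browser somewhere other than the client's own
    registered endpoint would never deliver the token to that client."""
    registered = REGISTERED_REDIRECT_URIS.get(client_id)
    if registered is None:
        return None
    if redirect_uri is not None and redirect_uri != registered:
        return None
    return registered


def implicit_grant_redirect(client_id, redirect_uri, state, access_token,
                            token_type="example", expires_in=3600):
    """Build the Location value for the 4.2.2 response, or None on refusal.

    Parameters go in the fragment, so the token is not sent to the server
    named in redirect_uri; only the page loaded from that URI can read it."""
    target = validate_redirect_uri(client_id, redirect_uri)
    if target is None:
        return None
    params = {"access_token": access_token, "state": state,
              "token_type": token_type, "expires_in": expires_in}
    return target + "#" + urlencode(params)


def parse_fragment(location):
    """Client-side view: extract the token parameters from the fragment."""
    fragment = urlsplit(location).fragment
    return {key: values[0] for key, values in parse_qs(fragment).items()}
```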