Re: [oauth] FW: I-D Action:draft-dehora-farrell-oauth-accesstoken-creds-01.txt
Justin Hart <onyxraven+jhart@gmail.com> Wed, 11 March 2009 04:15 UTC
Return-Path: <onyxraven@gmail.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 186BA3A689A for <oauth@core3.amsl.com>; Tue, 10 Mar 2009 21:15:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.601
X-Spam-Level: *
X-Spam-Status: No, score=1.601 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_IS_IT_OUR_ACCOUNT=4.2]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id e9+cIOaj1WIU for <oauth@core3.amsl.com>; Tue, 10 Mar 2009 21:15:47 -0700 (PDT)
Received: from yw-out-2324.google.com (yw-out-2324.google.com [74.125.46.28]) by core3.amsl.com (Postfix) with ESMTP id 1C4B93A685D for <oauth@ietf.org>; Tue, 10 Mar 2009 21:15:46 -0700 (PDT)
Received: by yw-out-2324.google.com with SMTP id 5so466119ywh.49 for <oauth@ietf.org>; Tue, 10 Mar 2009 21:16:22 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:sender:received:in-reply-to :references:date:x-google-sender-auth:message-id:subject:from:to:cc :content-type:content-transfer-encoding; bh=ymkQrEluVnNzB8G0Mup9g/VMd0yAh0Ac+F2dl7FA9N0=; b=j3eojLZfU4sRjqVvgQs5omWcOE172+Zb4exJzDfAaMsrFxPG/2j/+6S6YWSmaNxwcR JROEdNZZoaL/CdJqlWFF5khaoTSARhyTsDjeMGdDoGytcuvpXaGT7WxkbsBSxujb/n1j vzR87X1sPUxmfNiIrNmzjBDOG85AK6BMqyEBI=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:sender:in-reply-to:references:date :x-google-sender-auth:message-id:subject:from:to:cc:content-type :content-transfer-encoding; b=cEgwhDKtozR0sWlUqqmwqdGFVrLiJio6ZrkgfkaNfBfWik1tDBKIhIeawtHKs7P9O4 yI4AW0Sdqo6OmFBh06A3JIgzXtT3kjjPxJ1g6DPTJjQ7/etKDy/uJxP7ses1X4v5HzlJ cu9L4o64racAK6eVk+tEqZ/8EKT1bazkuVFBg=
MIME-Version: 1.0
Sender: onyxraven@gmail.com
Received: by 10.150.51.6 with SMTP id y6mr14298099yby.129.1236744982509; Tue, 10 Mar 2009 21:16:22 -0700 (PDT)
In-Reply-To: <c5eeec030903102102hdbbe273n42923b48ab131d47@mail.gmail.com>
References: <90C41DD21FB7C64BB94121FBBC2E723425023C6EEC@P3PW5EX1MB01.EX1.SECURESERVER.NET> <49B63954.5080105@cs.tcd.ie> <49B68DE1.5090504@aol.com> <c5eeec030903102102hdbbe273n42923b48ab131d47@mail.gmail.com>
Date: Tue, 10 Mar 2009 22:16:22 -0600
X-Google-Sender-Auth: 038a68c3ecf62541
Message-ID: <c5eeec030903102116l4291a41an30f2840d396cc8e9@mail.gmail.com>
From: Justin Hart <onyxraven+jhart@gmail.com>
To: George Fletcher <gffletch@aol.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [oauth] FW: I-D Action:draft-dehora-farrell-oauth-accesstoken-creds-01.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Oauth bof discussion <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 11 Mar 2009 04:15:48 -0000
Sorry, I should use my real-name identity for the list here. Anyway, I realize that what I describe below is sort of the compliment of the 'Valet key' and similar to the approval-queue as described in the blog post below. If I'm not missing any pieces, I think its a fully viable alternative. I'm looking to implement at least one of these methods as a non-login-based alternative to the web redirects (avoiding direct auth) for devices for Photobucket. I sort of like the 'activation key' method, as below, myself. On Tue, Mar 10, 2009 at 10:02 PM, Onyx Raven <onyxraven@gmail.com> wrote: > IIRC, when I was first implementing OAuth SP a year ago, there were > some example use cases where the Consumer/UserAgent could request the > temporary token, and present it to the user to enter on a different > channel. I am reminded that this is essentially the way Netflix > device activation works. You get the activation key, and then on your > PC, you login to your account on the provider and enter the key. That > signs the request, and back on the device, it either waits for a > button-press to attempt to proceed, or auto-checks the key to see if > it's signed. The device can then complete the oauth access token > procedure. This seems to be a convenient way of obtaining an access > token, which is fully supported by the current OAuth Core spec if > implemented properly. I know that's not the direct intention of the > spec in the subject, but it is an alternative. > > On Tue, Mar 10, 2009 at 9:57 AM, George Fletcher <gffletch@aol.com> wrote: >> >> Stephen Farrell wrote: >>> >>> Eran Hammer-Lahav wrote: >>>> >>>> More ideas in >>>> http://www.hueniverse.com/hueniverse/2009/02/beyond-the-oauth-web-redirection-flow.html
- [oauth] FW: I-D Action:draft-dehora-farrell-oauth… Eran Hammer-Lahav
- Re: [oauth] FW: I-D Action:draft-dehora-farrell-o… Stephen Farrell
- Re: [oauth] FW: I-D Action:draft-dehora-farrell-o… George Fletcher
- Re: [oauth] FW: I-D Action:draft-dehora-farrell-o… Onyx Raven
- Re: [oauth] FW: I-D Action:draft-dehora-farrell-o… Justin Hart
- Re: [oauth] FW: I-D Action:draft-dehora-farrell-o… Eran Hammer-Lahav