Re: [OAUTH-WG] Native Client Extension
Torsten Lodderstedt <torsten@lodderstedt.net> Tue, 04 January 2011 22:21 UTC
Return-Path: <torsten@lodderstedt.net>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 7ED043A6C32 for <oauth@core3.amsl.com>; Tue, 4 Jan 2011 14:21:07 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.228
X-Spam-Level:
X-Spam-Status: No, score=-2.228 tagged_above=-999 required=5 tests=[AWL=0.022, BAYES_00=-2.599, HELO_EQ_DE=0.35]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JphIaTU+Gvd2 for <oauth@core3.amsl.com>; Tue, 4 Jan 2011 14:21:06 -0800 (PST)
Received: from smtprelay01.ispgateway.de (smtprelay01.ispgateway.de [80.67.18.43]) by core3.amsl.com (Postfix) with ESMTP id 250A33A6C1B for <oauth@ietf.org>; Tue, 4 Jan 2011 14:21:05 -0800 (PST)
Received: from [79.253.38.144] (helo=[192.168.71.49]) by smtprelay01.ispgateway.de with esmtpsa (TLSv1:AES256-SHA:256) (Exim 4.68) (envelope-from <torsten@lodderstedt.net>) id 1PaFHc-0000oS-3U; Tue, 04 Jan 2011 23:23:12 +0100
Message-ID: <4D239DCF.4030501@lodderstedt.net>
Date: Tue, 04 Jan 2011 23:23:11 +0100
From: Torsten Lodderstedt <torsten@lodderstedt.net>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; de; rv:1.9.2.13) Gecko/20101207 Thunderbird/3.1.7
MIME-Version: 1.0
To: Marius Scurtescu <mscurtescu@google.com>
References: <AANLkTi=YWLHV1Yi0bdKTaDaBw3X5D6Y_kk3xt7EvJHe_@mail.gmail.com>
In-Reply-To: <AANLkTi=YWLHV1Yi0bdKTaDaBw3X5D6Y_kk3xt7EvJHe_@mail.gmail.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Df-Sender: torsten@lodderstedt-online.de
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Native Client Extension
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 04 Jan 2011 22:21:07 -0000
+1 I have asked myself all the time why "oob" disappeared in OAuth 2.0? Does Google use this feature? regards, Torsten. Am 29.12.2010 23:53, schrieb Marius Scurtescu: > I would like to propose an OAuth 2 extension that helps native clients > close the loop after the approval page. The extension defines a > special value for the redirect URI for the case when the client does > not have such a URI and it also defines that the authorization server > should provide a default result page for this case and how to format > the result on this page. > > If a native client does not have a redirect URI then the client can > specify the special value "oob" for that parameter. > > redirect_uri=oob signals to the authorization server that it should > use a default result page to show the final result. > > In this case the authorization server cannot redirect any kind of > messages back to the client, not even error responses. > > The default result page should show the authorization code (code) and > instruct the user to copy to native application. > > The default result page should also show both the authorization code > and the passed through client state (state) in the page title, the two > parameters should be form-encoded and appear space separated at the > end of the normal title > > Example page title: > <title>Success code=123456&state=qwerty</title> > > Browsers will truncate the title at some browser and OS dependent > length. Ideally the whole title should be shorter than 100 characters. > The Authorization Server should use a short title prefix and it should > make the authorization codes as short as possible. Native clients > should try to pass very short state strings and only of really needed. > > If the user denies, or there are other errors, the default page should > similarly display the error code and also put the error message in the > title: > <title>Denied error=access_denied&state=qwerty</title> > > References: > * Section 6.3.3.2 of draft-hardt-oauth-wrap-01 > > > If there is interest and rough consensus then I can create a formal > version of this extension. > > > Thanks, > Marius > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth
- [OAUTH-WG] Native Client Extension Marius Scurtescu
- Re: [OAUTH-WG] Native Client Extension Torsten Lodderstedt
- Re: [OAUTH-WG] Native Client Extension Marius Scurtescu
- Re: [OAUTH-WG] Native Client Extension Richer, Justin P.
- Re: [OAUTH-WG] Native Client Extension Skylar Woodward
- Re: [OAUTH-WG] Native Client Extension Eran Hammer-Lahav
- Re: [OAUTH-WG] Native Client Extension Marius Scurtescu
- Re: [OAUTH-WG] Native Client Extension Skylar Woodward
- Re: [OAUTH-WG] Native Client Extension Eran Hammer-Lahav
- Re: [OAUTH-WG] Native Client Extension Marius Scurtescu
- Re: [OAUTH-WG] Native Client Extension Eran Hammer-Lahav
- Re: [OAUTH-WG] Native Client Extension Marius Scurtescu
- Re: [OAUTH-WG] Native Client Extension Eran Hammer-Lahav
- Re: [OAUTH-WG] Native Client Extension Skylar Woodward
- Re: [OAUTH-WG] Native Client Extension Skylar Woodward
- Re: [OAUTH-WG] Native Client Extension Skylar Woodward
- Re: [OAUTH-WG] Native Client Extension Marius Scurtescu