[OAUTH-WG] Confusion on Implicit Grant flow

Adam Lewis <Adam.Lewis@motorolasolutions.com> Fri, 06 February 2015 21:27 UTC

From: Adam Lewis <Adam.Lewis@motorolasolutions.com>
To: OAuth WG <oauth@ietf.org>
Date: Fri, 6 Feb 2015 21:27:35 +0000
Message-ID: <BLUPR04MB6918C7701D0DB90B0FA6B0D95380@BLUPR04MB691.namprd04.prod.outlook.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/DDGjGNchBqmuKfbeKwDI4abPJyY>
Subject: [OAUTH-WG] Confusion on Implicit Grant flow

Hi,

Having spent most of my time with native apps and web apps, I now am looking at use cases where I need to implement a user-agent-based app.  The Implicit flow seems to be optimized for this.

To test my understanding, this flow is for a JavaScript client (or similar) executing within a web browser.

At step (a) the client directs the UA to the authorization server, but the authorization server redirects the UA to a web-hosted client resource. Why? It says so that the web-hosted client resources can push JavaScript (or other) back into the UA so it can extract the access token in the fragment; but some sort of JavaScript is already running in the browser, since it initiated the authorization request in the first place. So why this extra step? Why not treat the JavaScript client running in the UA like a native app and handle the redirect URI?

I know this was well thought out when the spec was written, so I'm trying to figure out what I'm missing.

Tx!
adam