Re: [OAUTH-WG] User-Agent flow and refresh tokens

Luke Shepard <lshepard@facebook.com> Mon, 20 September 2010 05:34 UTC

From: Luke Shepard <lshepard@facebook.com>
To: Marius Scurtescu <mscurtescu@google.com>
Thread-Topic: [OAUTH-WG] User-Agent flow and refresh tokens
Thread-Index: AQHLVR+bvvdw/QiTeUGpnCr4qiGubJMUFMyAgABbvYCAAB2OAIAArqWAgAAxMoCAAAnwgIAEYUcAgABOJ4CAAK7VAA==
Date: Mon, 20 Sep 2010 05:34:38 +0000
Message-ID: <37E6A7D2-000F-40A1-87A7-0C419C406A6E@facebook.com>
References: <4C913EE3.90704@lodderstedt.net> <AANLkTikJGDUKCfiPiN_rAVXmbPF0SBN_sKNQFHw6-oqj@mail.gmail.com> <AANLkTime0dayBq1k+ee7xNp3pkBE2-Ltn-i=LNh0-XvB@mail.gmail.com> <0B18D334-441B-48C0-8836-8F285404B53F@lodderstedt.net> <AANLkTimL1TL57iJ5MOJTcEmog5e-9vjZNCOAyKLS4Dt1@mail.gmail.com> <6A068F15-5B15-444E-AAC3-354EFB866A4A@lodderstedt.net> <AANLkTi=KpHx0+k+Lu=0ykDVYUpvd2cWmbBFMeRMwp2uj@mail.gmail.com> <4C961E36.1090506@lodderstedt.net> <AANLkTinpgRLXVy4r8w2OSLrh=usnHwXqCG_=P-JDjHbK@mail.gmail.com>
In-Reply-To: <AANLkTinpgRLXVy4r8w2OSLrh=usnHwXqCG_=P-JDjHbK@mail.gmail.com>
Cc: "OAuth WG (oauth@ietf.org)" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] User-Agent flow and refresh tokens

> 
>> Luke Shepard also indicated in his posting
>> http://www.ietf.org/mail-archive/web/oauth/current/msg03509.html that
>> Facebook supports the user agent flow for desktop applications. Facebook's
>> iOS SDK seems to use the same technique for mobile apps.
> 
> Yes, Facebook is recommending the User-Agent flow for desktop
> applications. This works for them because access tokens issued by
> Facebook are not short lived, I don't think they expire. The desktop
> app does not need a refresh token.
> 
> If the authz server is issuing short lived access tokens and also
> refresh tokens then the user-agent profile does not work so well
> anymore. As far as I can tell in this case there is no reason to use
> this profile with desktop apps, just use the web server profile.
> 

That's true, although code_and_token is intended to solve that: you get the access token in the response, and then you can use the code to exchange for a refresh token on the server side if you need longer-term access. There's no reason for a user agent to ever have a refresh token (since the performance optimization doesn't make sense when you are refreshing after an expiration period).

> Marius
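To make the exchange Luke describes concrete, here is an added example (not code from this thread, from Facebook, or from any real OAuth implementation) that models the draft-era code_and_token response in Python. The user agent receives a short-lived access token and a code in the redirect and never a refresh token; the application's server-side component, authenticating with its client secret, redeems the single-use code for a refresh token and uses that to mint new access tokens after the original expires. The client id, secret, user name, token lifetime and the in-memory server are all constructed for the illustration.

```python
import secrets
import time

# Constructed model of an authorization server supporting the draft-era
# OAuth 2.0 "code_and_token" response type. All names and values are
# assumptions for illustration, not any real server's behaviour.

ACCESS_TOKEN_LIFETIME = 3600  # assumed short-lived access token, in seconds


class AuthorizationServer:
    def __init__(self):
        self.clients = {}         # client_id -> client_secret (hypothetical registry)
        self.codes = {}           # code -> (client_id, user)
        self.access_tokens = {}   # access token -> (user, expires_at)
        self.refresh_tokens = {}  # refresh token -> (client_id, user)

    def register_client(self, client_id, client_secret):
        self.clients[client_id] = client_secret

    def authorize(self, client_id, user, response_type, now=None):
        """Authorization endpoint: returns the fragment parameters the user
        agent would see in the redirect after the user approves."""
        now = time.time() if now is None else now
        if client_id not in self.clients:
            raise ValueError("unknown client")
        params = {}
        if response_type in ("token", "code_and_token"):
            token = secrets.token_urlsafe(24)
            self.access_tokens[token] = (user, now + ACCESS_TOKEN_LIFETIME)
            params["access_token"] = token
            params["expires_in"] = ACCESS_TOKEN_LIFETIME
        if response_type in ("code", "code_and_token"):
            code = secrets.token_urlsafe(24)
            self.codes[code] = (client_id, user)
            params["code"] = code
        if not params:
            raise ValueError("unsupported response_type")
        # A refresh token is never placed in the fragment, so the user agent
        # never holds one; only the code travels to the server side.
        return params

    def exchange_code(self, client_id, client_secret, code):
        """Token endpoint: the server-side component trades the single-use
        code, authenticated with its client secret, for a refresh token."""
        if self.clients.get(client_id) != client_secret:
            raise PermissionError("client authentication failed")
        entry = self.codes.pop(code, None)  # pop makes the code single-use
        if entry is None or entry[0] != client_id:
            raise PermissionError("invalid code")
        refresh = secrets.token_urlsafe(32)
        self.refresh_tokens[refresh] = (client_id, entry[1])
        return {"refresh_token": refresh}

    def refresh(self, client_id, client_secret, refresh_token, now=None):
        """Token endpoint: server-side component obtains a new access token."""
        now = time.time() if now is None else now
        if self.clients.get(client_id) != client_secret:
            raise PermissionError("client authentication failed")
        entry = self.refresh_tokens.get(refresh_token)
        if entry is None or entry[0] != client_id:
            raise PermissionError("invalid refresh token")
        token = secrets.token_urlsafe(24)
        self.access_tokens[token] = (entry[1], now + ACCESS_TOKEN_LIFETIME)
        return {"access_token": token, "expires_in": ACCESS_TOKEN_LIFETIME}

    def validate(self, access_token, now=None):
        """Resource server check: is this access token known and unexpired?"""
        now = time.time() if now is None else now
        entry = self.access_tokens.get(access_token)
        return entry is not None and now < entry[1]


def run_code_and_token_flow(now=1_000_000.0):
    """Walk through the flow and report what each party ends up holding."""
    srv = AuthorizationServer()
    srv.register_client("desktop-app", "constructed-secret")
    fragment = srv.authorize("desktop-app", "alice", "code_and_token", now=now)

    # The user agent can call the API immediately with the access token ...
    ua_can_call_api = srv.validate(fragment["access_token"], now=now)
    # ... but it was never handed a refresh token.
    ua_holds_refresh = "refresh_token" in fragment

    # The server-side component redeems the code for a refresh token.
    grant = srv.exchange_code("desktop-app", "constructed-secret", fragment["code"])
    try:  # replaying the same code must fail
        srv.exchange_code("desktop-app", "constructed-secret", fragment["code"])
        code_replay_rejected = False
    except PermissionError:
        code_replay_rejected = True

    # After the lifetime elapses the original token is dead; only the
    # server side, holding the refresh token, can obtain a fresh one.
    later = now + ACCESS_TOKEN_LIFETIME + 1
    original_expired = not srv.validate(fragment["access_token"], now=later)
    renewed = srv.refresh("desktop-app", "constructed-secret",
                          grant["refresh_token"], now=later)
    renewed_valid = srv.validate(renewed["access_token"], now=later)

    return {
        "ua_can_call_api": ua_can_call_api,
        "ua_holds_refresh": ua_holds_refresh,
        "code_replay_rejected": code_replay_rejected,
        "original_expired": original_expired,
        "renewed_valid": renewed_valid,
    }


if __name__ == "__main__":
    print(run_code_and_token_flow())
```

The point of the split is visible in the two maps: the user agent's world contains only `access_tokens`, which expire on their own, while `refresh_tokens` are only ever issued to a party that can present the client secret at the token endpoint.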