Re: [OAUTH-WG] Clarification of "client application consisting of multiple components"

nov matake <nov@matake.jp> Sun, 11 March 2012 17:21 UTC

References: <62D85564-7961-4AB6-B1FA-B2DD75A4C74B@matake.jp> <90C41DD21FB7C64BB94121FBBC2E723453AFF08605@P3PW5EX1MB01.EX1.SECURESERVER.NET>
In-Reply-To: <90C41DD21FB7C64BB94121FBBC2E723453AFF08605@P3PW5EX1MB01.EX1.SECURESERVER.NET>
Message-Id: <C129DBDE-09EE-42F9-8530-5D777A3457DE@matake.jp>
From: nov matake <nov@matake.jp>
Date: Mon, 12 Mar 2012 02:21:18 +0900
To: Eran Hammer <eran@hueniverse.com>
Cc: nov matake <nov@matake.jp>, "oauth@ietf.org WG" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Clarification of "client application consisting of multiple components"

So what is the use case of response_type=token%20code?
I thought, in that use case, token was for the client's client-side component, code was for the client's server-side component, and both of them have the same client_id.

--
nov
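To make the registration model under discussion concrete, here is an added example (not code from the thread or from any draft) of a toy authorization server that registers the two components of one application as two clients: a public browser component limited to response_type=token, and a confidential server component that gets a code and must authenticate with its secret at the token endpoint. The client_ids, secret and per-client response_types are constructed for this example; with a single shared client_id the server could not require the secret from one component without also demanding it from the browser component.

```python
import secrets

# Constructed registry: one application, two registrations, one per component.
CLIENTS = {
    "app-web":    {"type": "public",       "secret": None,
                   "response_types": {"token"}},
    "app-server": {"type": "confidential", "secret": "s3cret-example",
                   "response_types": {"code"}},
}

ISSUED_CODES = {}  # authorization code -> client_id it was issued to


def authorize(client_id, response_type):
    """Authorization endpoint: issue only what this component's registration allows."""
    client = CLIENTS.get(client_id)
    if client is None:
        return {"error": "unauthorized_client"}
    requested = set(response_type.split())  # "token code" -> {"token", "code"}
    if not requested or not requested <= client["response_types"]:
        return {"error": "unsupported_response_type"}
    result = {}
    if "code" in requested:
        code = secrets.token_urlsafe(16)
        ISSUED_CODES[code] = client_id  # bind the code to the requesting client
        result["code"] = code
    if "token" in requested:
        result["access_token"] = secrets.token_urlsafe(16)
    return result


def token(client_id, code, client_secret=None):
    """Token endpoint: confidential clients must authenticate; codes are single-use
    and only redeemable by the client_id they were issued to."""
    client = CLIENTS.get(client_id)
    if client is None:
        return {"error": "invalid_client"}
    if client["type"] == "confidential":
        presented = client_secret or ""
        if not secrets.compare_digest(presented, client["secret"]):
            return {"error": "invalid_client"}
    # pop() consumes the code whether or not the check passes, so a mismatch
    # also revokes it.
    if ISSUED_CODES.pop(code, None) != client_id:
        return {"error": "invalid_grant"}
    return {"access_token": secrets.token_urlsafe(16)}
```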

On Mar 12, 2012, at 12:57 AM, Eran Hammer <eran@hueniverse.com> wrote:

> If you have two components each with different security profile, you must assign each a different client_id. Otherwise, there is no way to enforce the rest of the spec's security requirements.
> 
> EH
> 
>> -----Original Message-----
>> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf
>> Of nov matake
>> Sent: Sunday, March 11, 2012 8:25 AM
>> To: oauth@ietf.org WG
>> Subject: [OAUTH-WG] Clarification of "client application consisting of multiple
>> components"
>> 
>> Hi,
>> 
>> I just found this sentence in the latest draft.
>> 
>> Does it mean "an application consisting of server-side and client-side
>> component (e.g. foursquare iPhone app) MUST have separate client_id for
>> each component" ?
>> Or can I imagine something like Facebook is doing right now? (register each
>> component for a single client_id separately)
>> 
>> ==
>> A client application consisting of multiple components, each with its own
>> client type (e.g. a distributed client with both a confidential server-based
>> component and a public browser-based component), MUST register each
>> component separately as a different client to ensure proper handling by the
>> authorization server.  The authorization server MAY provide tools to manage
>> such complex clients through a single administration interface.
>> ==
>> 
>> --
>> nov <nov@matake.jp>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth