Re: [OAUTH-WG] questions about implicit grant

John Joseph Bachir <j@jjb.cc> Tue, 15 November 2011 17:41 UTC

In-Reply-To: <1321365477.7567.61.camel@ground>
References: <CAOf2Z5vyCN2UTXGdb5TWnyOTGv1A5FYxRqB4a6x-MNJeqfVYJg@mail.gmail.com> <1321365477.7567.61.camel@ground>
Date: Tue, 15 Nov 2011 12:41:16 -0500
Message-ID: <CAOf2Z5vEJ1+3aV0y699J9AO4=ZxaCz-JNvo5KdocNwSw-iEtfQ@mail.gmail.com>
From: John Joseph Bachir <j@jjb.cc>
To: oauth@ietf.org
Subject: Re: [OAUTH-WG] questions about implicit grant

Thanks Justin - some more questions below...
> > What does "public" mean here? In what sense could a client be
> > public or private, and why is implicit grant more appropriate for the
> > public case?
>
> Section 2.1, client types.
>

My understanding of a public client from this section was a client which is
distributed and not hosted on a server, such as a desktop or mobile app.
How is it possible for a web-hosted client to be public?

> Step C is the server sending back the HTTP redirect in response to step
> A. Steps D, and E are the user agent following that HTTP redirect. Step
> F is extracting the information from the redirected endpoint. While the
> access token is sent back in step C, scripts running in the user agent
> don't have easy access to it.
Ah whoops, I misread C and D. So here's my real question: Why doesn't the
user agent send the access token to the server in D? Why does the web
server have to deliver a script which extracts it locally? Is it to
facilitate a certain style of application development?
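Added example (written here, not code from this thread or from the OAuth WG drafts): it shows what the web-hosted client's server actually receives in step D versus what the delivered script sees in step F. In the implicit grant the authorization server places the access token in the URI fragment of the step C redirect (RFC 6749 section 4.2 in the final spec), and a user agent never transmits the fragment in an HTTP request (RFC 3986), which is why the token only becomes available to a script running in the page. The redirect URI, the token value and the `state` value are constructed sample data; the `state` comparison reflects the spec's CSRF protection requirement (RFC 6749 section 10.12) and is the check a client must do before trusting the extracted token.

```javascript
// Added example, not from the mailing-list thread. Demonstrates why the
// user agent does not hand the implicit-grant access token to the server
// in step D: the token lives in the URI fragment ("#access_token=..."),
// and the fragment is never sent in the HTTP request line. Only a script
// running in the page can read it (window.location.hash in a browser).
// All sample values below are constructed.

// Constructed redirect URI as the authorization server would issue in step C.
const SAMPLE_REDIRECT =
  'https://client.example.invalid/cb?ui=dark' +
  '#access_token=tok-constructed-1234&token_type=bearer' +
  '&expires_in=3600&state=xyz';

// What the web-hosted client's server receives in step D: the request
// target is path plus query only; the fragment is dropped by the browser.
function requestTargetSeenByServer(redirectUri) {
  const u = new URL(redirectUri);
  return u.pathname + u.search;
}

// What the script delivered in step E extracts in step F from the fragment
// the browser retained. `expectedState` is the value the client stored
// before starting the flow; a missing or mismatched state means the
// response was not produced for this session and must be rejected.
function extractTokenFromFragment(fragmentOrUri, expectedState) {
  const hashIndex = fragmentOrUri.indexOf('#');
  if (hashIndex === -1) return null; // no fragment: nothing for the script
  const params = new URLSearchParams(fragmentOrUri.slice(hashIndex + 1));
  if (params.get('state') !== expectedState) return null;
  const token = params.get('access_token');
  if (!token || params.get('token_type') !== 'bearer') return null;
  return {
    accessToken: token,
    tokenType: 'bearer',
    expiresIn: Number(params.get('expires_in')),
  };
}

// In a browser the step-E script would read window.location.href; here the
// constructed URI stands in for it so the example runs offline under Node.
function demo() {
  return {
    server: requestTargetSeenByServer(SAMPLE_REDIRECT), // '/cb?ui=dark'
    script: extractTokenFromFragment(SAMPLE_REDIRECT, 'xyz'),
  };
}
```

Run under Node: `demo().server` contains no `access_token` at all, while `demo().script` returns the parsed token, which is exactly the split between steps D and F that the thread is asking about. The `state` check is the part a web-hosted client must not skip, since the fragment arrives from a redirect the browser will follow regardless of where the user started.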