[OAUTH-WG] Native Client Extension

Marius Scurtescu <mscurtescu@google.com> Wed, 29 December 2010 22:52 UTC


I would like to propose an OAuth 2 extension that helps native clients
close the loop after the approval page. The extension defines a
special value for the redirect URI for the case when the client does
not have such a URI and it also defines that the authorization server
should provide a default result page for this case and how to format
the result on this page.

If a native client does not have a redirect URI then the client can
specify the special value "oob" for that parameter.

redirect_uri=oob signals to the authorization server that it should
use a default result page to show the final result.

In this case the authorization server cannot redirect any kind of
messages back to the client, not even error responses.

The default result page should show the authorization code (code) and
instruct the user to copy it to the native application.

The default result page should also show both the authorization code
and the passed-through client state (state) in the page title; the two
parameters should be form-encoded and appear space-separated at the
end of the normal title.

Example page title:
<title>Success code=123456&state=qwerty</title>

Browsers will truncate the title at some browser and OS dependent
length. Ideally the whole title should be shorter than 100 characters.
The Authorization Server should use a short title prefix and it should
make the authorization codes as short as possible. Native clients
should try to pass very short state strings, and only if really needed.

If the user denies, or there are other errors, the default page should
similarly display the error code and also put the error message in the
title:
<title>Denied error=access_denied&state=qwerty</title>

References:
    * Section 6.3.3.2 of draft-hardt-oauth-wrap-01


If there is interest and rough consensus then I can create a formal
version of this extension.


Thanks,
Marius
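The title format proposed above, worked through on both sides as an added example (not code from the proposal or from any authorization server): the server builds the title and enforces the recommended 100-character bound, and the native client recovers code/error and state from the window title, treating a truncated title or a state that does not match the one it sent as invalid. Function names and the `expected_state` check are assumptions.

```python
from typing import Optional
from urllib.parse import parse_qsl, urlencode

# Assumed constant: the proposal recommends keeping the whole title shorter than this,
# because browsers truncate titles at a browser- and OS-dependent length.
MAX_TITLE_LEN = 100


def build_result_title(prefix: str, params: dict) -> str:
    """Authorization-server side: '<short prefix> <form-encoded params>'.
    Rejects titles over the recommended length rather than risk truncation."""
    title = f"{prefix} {urlencode(params)}"  # urlencode form-encodes, e.g. space -> '+'
    if len(title) > MAX_TITLE_LEN:
        raise ValueError(f"title is {len(title)} chars; shorten prefix, code or state")
    return title


def parse_result_title(title: str, expected_state: Optional[str] = None) -> dict:
    """Native-client side: recover code/error and state from the browser window title.

    Returns a dict whose 'status' is 'code', 'error' or 'invalid'. 'invalid' covers a
    title that carries neither code nor error (e.g. truncated) and, when the client
    passes the state it sent, a missing or mismatching state.
    """
    # The form-encoded parameters are the last space-separated token of the title.
    _, _, encoded = title.rpartition(" ")
    params = dict(parse_qsl(encoded, keep_blank_values=True))  # decodes '+' and %XX
    state = params.get("state")

    # Bind the result to this client's own request before trusting it.
    if expected_state is not None and state != expected_state:
        return {"status": "invalid", "reason": "state missing or mismatched", "state": state}
    if params.get("code"):
        return {"status": "code", "code": params["code"], "state": state}
    if params.get("error"):
        return {"status": "error", "error": params["error"], "state": state}
    return {"status": "invalid", "reason": "no code or error in title", "state": state}


if __name__ == "__main__":
    # Constructed sample values, mirroring the example titles in the proposal.
    ok_title = build_result_title("Success", {"code": "123456", "state": "qwerty"})
    print(ok_title, "->", parse_result_title(ok_title, expected_state="qwerty"))
    denied = build_result_title("Denied", {"error": "access_denied", "state": "qwerty"})
    print(denied, "->", parse_result_title(denied, expected_state="qwerty"))
    print(parse_result_title("Success code=123456&sta", expected_state="qwerty"))
```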