Re: [OAUTH-WG] OAuth 2 for Native Apps
Torsten Lodderstedt <torsten@lodderstedt.net> Thu, 01 July 2010 22:06 UTC

You are right. So the only trustworthy way to enter credentials is an external browser?

regards,
Torsten.

On 28.06.2010 20:11, Marius Scurtescu wrote:
> On Fri, Jun 25, 2010 at 10:33 PM, Torsten Lodderstedt
> <torsten@lodderstedt.net> wrote:
>
>> comment/question regarding the Embedded Browser scenario: Are the URL bar and
>> SSL verification symbols (lock + green bar) visible in that scenario?
>> Otherwise, the user has no chance to verify the identity of the IDP/OAuth
>> server. So there might be problems regarding password phishing.
>>
> AFAIK the URL bar is not visible.
>
> Who would phish the end user? If it is the native app, then all bets
> are off regardless, the native app can show a fake address bar if it
> really wants.
>
> Marius
>
>> regards,
>> Torsten.
>>
>> On 22.06.2010 02:54, Marius Scurtescu wrote:
>>
>>> Here is the wiki page: http://wiki.oauth.net/OAuth-2-for-Native-Apps
>>>
>>> Feel free to edit or comment.
>>>
>>> Marius
>>>
>>> On Wed, Jun 9, 2010 at 10:59 AM, David Recordon <recordond@gmail.com>
>>> wrote:
>>>
>>>> Want to put this on the wiki http://wiki.oauth.net/?
>>>>
>>>> On Mon, Jun 7, 2010 at 12:25 PM, Marius Scurtescu <mscurtescu@google.com>
>>>> wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> I attached a document that summarizes how native applications can use
>>>>> OAuth 2.
>>>>>
>>>>> Feedback more than welcome, especially if you have experience with
>>>>> native apps and OAuth.
>>>>>
>>>>> The current Web Server and Device flows need small changes and
>>>>> clarifications in order to properly support native apps, I will start
>>>>> a separate thread on that.
>>>>>
>>>>> Marius
>>>>>
>>>>> _______________________________________________
>>>>> OAuth mailing list
>>>>> OAuth@ietf.org
>>>>> https://www.ietf.org/mailman/listinfo/oauth