Re: [OAUTH-WG] Suitable grant type for a Javascript use case
<philip.kershaw@stfc.ac.uk> Wed, 05 February 2014 11:49 UTC
Return-Path: <philip.kershaw@stfc.ac.uk>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2DBB11A00E8 for <oauth@ietfa.amsl.com>; Wed, 5 Feb 2014 03:49:30 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id x1jeZMkSLg6F for <oauth@ietfa.amsl.com>; Wed, 5 Feb 2014 03:49:28 -0800 (PST)
Received: from engine29-1277-4.icritical.com (engine29-1277-4.icritical.com [212.57.248.93]) by ietfa.amsl.com (Postfix) with ESMTP id A785E1A00B2 for <oauth@ietf.org>; Wed, 5 Feb 2014 03:49:27 -0800 (PST)
Received: by iCritical outbound mailer at engine29-1277-4.icritical.com for oauth@ietf.org; Wed, 05 Feb 2014 11:49:25 +0000
Received: from engine29-1277-4.icritical.com ([127.0.0.1]) by localhost (engine29-1277-4.icritical.com [127.0.0.1]) (amavisd-new, port 10024) with SMTP id 07711-02 for <oauth@ietf.org>; Wed, 5 Feb 2014 11:49:23 +0000 (GMT)
Received: (qmail 7749 invoked by uid 599); 5 Feb 2014 11:49:13 -0000
Received: from unknown (HELO exchsmtp.stfc.ac.uk) (130.246.236.11) by engine29-1277-4.icritical.com (qpsmtpd/0.28) with ESMTP; Wed, 05 Feb 2014 11:49:13 +0000
Received: from EXCHMBX01.fed.cclrc.ac.uk ([169.254.3.132]) by EXCHHUB03.fed.cclrc.ac.uk ([130.246.236.11]) with mapi id 14.02.0318.004; Wed, 5 Feb 2014 11:49:05 +0000
From: philip.kershaw@stfc.ac.uk
To: manfred.steyer@gmx.net
Thread-Topic: [OAUTH-WG] Suitable grant type for a Javascript use case
Thread-Index: AQHPIlJi6GugnXxeXUGov5NHIis8C5qmhscAgAAFHQA=
Date: Wed, 05 Feb 2014 11:49:04 +0000
Message-ID: <836226893590734FA88B31162359477F594D4B3C@EXCHMBX01.fed.cclrc.ac.uk>
References: <20140204161338.9A4007FC168@rfc-editor.org> <CAD9ie-tGtcBaXbJMkCDswMDhGHNbj+qbawaiXrHowPZFPxzUUQ@mail.gmail.com> <1391540170.23334.YahooMailNeo@web142801.mail.bf1.yahoo.com> <836226893590734FA88B31162359477F594D26C9@EXCHMBX01.fed.cclrc.ac.uk> <005701cf2265$b77bd120$26737360$@gmx.net>
In-Reply-To: <005701cf2265$b77bd120$26737360$@gmx.net>
Accept-Language: en-GB, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [130.246.121.33]
Content-Type: text/plain; charset="iso-8859-1"
Content-ID: <1FD5F1F35FCD8A4B874AF776BB07455F@fed.cclrc.ac.uk>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Virus-Scanned: by iCritical at engine29-1277-4.icritical.com
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] Suitable grant type for a Javascript use case
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 05 Feb 2014 11:49:30 -0000
Hi Manfred, On 5 Feb 2014, at 11:30, Manfred Steyer wrote: > Hi Phil, > > the server won't see the access-code, cause it is returned within the hash > that stays at the client-site: > http://.../returnUri#access_code=ABCDE. > That's excellent. I hadn't picked that up in the text. I think it would be really helpful to have an explicit note in 4.2.2 to highlight this point. Thanks, Phil > By definition, the returnURI has to be the URI that was registered for the > client. IMHO, you are only allowed to add additional URL-Parameters. > > In my opinion, your use-case suits _very_ well to the implicit flow. > > Wishes, > Manfred > > > > > > -----Ursprüngliche Nachricht----- > Von: OAuth [mailto:oauth-bounces@ietf.org] Im Auftrag von > philip.kershaw@stfc.ac.uk > Gesendet: Mittwoch, 5. Februar 2014 10:12 > An: oauth@ietf.org > Betreff: [OAUTH-WG] Suitable grant type for a Javascript use case > > Hi all, > > I'm looking to apply OAuth for a particular use case with a Javascript > client and would like to get some guidance with this. Bear with me as I'm > new to this list. > > I have a Javascript client which needs to be deployed on a number of > different sites for which we don't have control over the server-side code. > The client needs to obtain an access token to submit data to another 3rd > party site on behalf of the user. > > We've looked at the Implicit Grant type > (http://tools.ietf.org/html/rfc6749#section-4.2). Our third party site > hosts an Authorisation server and Resource Server. The client provides a > redirect URI to return the token to. My understanding is that the redirect > URI is a security measure to ensure the token is returned to an endpoint > known to the Authorisation Server. > > However, in my case it is only the Javascript client that needs the token. > I can see how the token can be passed to the Javascript via step E in figure > 4. However, we have limited control over the site hosting the Javascript > ('Web-hosted Client Resource' in Figure 4). We can host Javascript but we > can't easily alter any server-side code. There's a danger that the > server-side code will choke when it receives the redirect the URI containing > the access token. I'm wondering if there is a suitable workaround for this. > Can we dispense with the redirect URI or does this compromise security too > far? Perhaps we should be looking at an implementing an alternative grant > type? > > Any help much appreciated. > > Cheers, > Phil-- > Scanned by iCritical. > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth > -- Scanned by iCritical.
- [OAUTH-WG] [Technical Errata Reported] RFC6749 (3… RFC Errata System
- Re: [OAUTH-WG] [Technical Errata Reported] RFC674… Dick Hardt
- Re: [OAUTH-WG] [Technical Errata Reported] RFC674… John Bradley
- Re: [OAUTH-WG] [Technical Errata Reported] RFC674… Phil Hunt
- Re: [OAUTH-WG] [Technical Errata Reported] RFC674… Dick Hardt
- Re: [OAUTH-WG] [Technical Errata Reported] RFC674… Prateek Mishra
- Re: [OAUTH-WG] [Technical Errata Reported] RFC674… Bill Mills
- Re: [OAUTH-WG] [Technical Errata Reported] RFC674… John Bradley
- [OAUTH-WG] Suitable grant type for a Javascript u… philip.kershaw
- Re: [OAUTH-WG] Suitable grant type for a Javascri… Manfred Steyer
- Re: [OAUTH-WG] Suitable grant type for a Javascri… philip.kershaw
- Re: [OAUTH-WG] Suitable grant type for a Javascri… Prateek Mishra
- Re: [OAUTH-WG] Suitable grant type for a Javascri… Justin Richer
- Re: [OAUTH-WG] Suitable grant type for a Javascri… Prateek Mishra
- Re: [OAUTH-WG] Suitable grant type for a Javascri… John Bradley
- Re: [OAUTH-WG] Suitable grant type for a Javascri… philip.kershaw
- Re: [OAUTH-WG] Suitable grant type for a Javascri… John Bradley
- Re: [OAUTH-WG] Suitable grant type for a Javascri… philip.kershaw
- Re: [OAUTH-WG] Suitable grant type for a Javascri… John Bradley
- Re: [OAUTH-WG] [Technical Errata Reported] RFC674… Eriksen Costa
- [OAUTH-WG] [Errata Rejected] RFC6749 (3880) RFC Errata System