Re: [OAUTH-WG] Draft -12 feedback deadline

Marius Scurtescu <mscurtescu@google.com> Wed, 16 February 2011 21:38 UTC

In-Reply-To: <90C41DD21FB7C64BB94121FBBC2E723445A91D3F9A@P3PW5EX1MB01.EX1.SECURESERVER.NET>
References: <90C41DD21FB7C64BB94121FBBC2E723445A8D6254D@P3PW5EX1MB01.EX1.SECURESERVER.NET> <AANLkTinMjQW26mLkoN7oMdLWLGAHp0_O9LbVi13RpMJB@mail.gmail.com> <90C41DD21FB7C64BB94121FBBC2E723445A91D3EE9@P3PW5EX1MB01.EX1.SECURESERVER.NET> <AANLkTimjWkO8o+z+P=AKpyYkSjTh6oS7uM9N0JwR_vR6@mail.gmail.com> <90C41DD21FB7C64BB94121FBBC2E723445A91D3F44@P3PW5EX1MB01.EX1.SECURESERVER.NET> <AANLkTi=tvwsR=_EhPRkYEwC+ERwRCNN2aAWDqRDvwx8B@mail.gmail.com> <FFDFD7371D517847AD71FBB08F9A315638493F514F@SP2-EX07VS06.ds.corp.yahoo.com> <AANLkTimxhoK1vt8HwSF9dvu4Z5xjqrLLb2SULj9pp=9b@mail.gmail.com> <AANLkTi=DtgpWNyEKBg=0GhOWuqSvzF5q0SJQgfZNRm8M@mail.gmail.com> <90C41DD21FB7C64BB94121FBBC2E723445A91D3F9A@P3PW5EX1MB01.EX1.SECURESERVER.NET>
From: Marius Scurtescu <mscurtescu@google.com>
Date: Wed, 16 Feb 2011 13:38:45 -0800
Message-ID: <AANLkTindJ3oGpggvZ7jRJ4TRhTRomyZG+DwLOfbHD2kq@mail.gmail.com>
To: Eran Hammer-Lahav <eran@hueniverse.com>
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Draft -12 feedback deadline

On Wed, Feb 16, 2011 at 12:28 PM, Eran Hammer-Lahav <eran@hueniverse.com> wrote:
> The reason why we don't return a refresh token in the implicit grant is exactly because there is no client authentication...

Not sure that's the main reason. AFAIK it is because the response is
sent through the user-agent and it could leak.


> These are all well-balanced flows with specific security properties. If you need something else, even if it is just a tweak, it must be considered a different flow. That doesn't mean you need to register a new grant type, just that you are dealing with different implementation details unique to your server.

The Authorization Code flow, with no client secret, is perfectly fine
for Native Apps IMO.

Marius
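
The two points argued in this message, that the implicit grant sends its result through the user-agent (so no refresh token is placed there) and that a public native client can use the authorization code flow with no client secret, as an added, runnable illustration. This is editor-written example code, not code from the draft, from Google or from anyone on the thread; the in-memory authorization server, the client names, the `myapp://cb` and `https://app.example/cb` redirect URIs and the `CODE_TTL` / `TOKEN_TTL` values are assumptions for illustration.

```python
"""Front channel vs. back channel in OAuth 2.0, with a public (native) client.

Added example; the server below is an in-memory stand-in for an authorization
server. Lifetimes, client ids and redirect URIs are assumed values.
"""
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

CODE_TTL = 60      # assumed authorization code lifetime, seconds
TOKEN_TTL = 3600   # assumed access token lifetime, seconds


class OAuthError(Exception):
    pass


class AuthorizationServer:
    def __init__(self):
        self.codes = {}           # code -> issuance record
        self.refresh_tokens = {}  # refresh token -> client_id

    # Front channel: the response travels to the client through the
    # user-agent as a redirect, so anything placed here can be observed.
    def authorize(self, response_type, client_id, redirect_uri, user,
                  state=None, now=None):
        now = time.time() if now is None else now
        params = {}
        if state is not None:
            params["state"] = state
        if response_type == "code":
            code = secrets.token_urlsafe(24)
            self.codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                                "user": user, "expires": now + CODE_TTL, "used": False}
            params["code"] = code
            return redirect_uri + "?" + urlencode(params)
        if response_type == "token":
            # Implicit grant: the access token itself rides in the fragment.
            # A refresh token is never put on this path.
            params.update(access_token=secrets.token_urlsafe(24),
                          token_type="bearer", expires_in=TOKEN_TTL)
            return redirect_uri + "#" + urlencode(params)
        raise OAuthError("unsupported_response_type")

    # Back channel: the client calls the token endpoint directly, with no
    # user-agent in between, so a refresh token can be returned here.
    def token(self, grant_type, code, client_id, redirect_uri,
              client_secret=None, now=None):
        now = time.time() if now is None else now
        if grant_type != "authorization_code":
            raise OAuthError("unsupported_grant_type")
        # A public client sends no client_secret. What protects the exchange is
        # that the code is single-use, short-lived and bound to the client_id
        # and redirect_uri it was issued for.
        record = self.codes.get(code)
        if record is None or record["used"]:
            raise OAuthError("invalid_grant")
        if record["client_id"] != client_id or record["redirect_uri"] != redirect_uri:
            raise OAuthError("invalid_grant")
        if now > record["expires"]:
            raise OAuthError("invalid_grant")
        record["used"] = True
        refresh = secrets.token_urlsafe(32)
        self.refresh_tokens[refresh] = client_id
        return {"access_token": secrets.token_urlsafe(24), "token_type": "bearer",
                "expires_in": TOKEN_TTL, "refresh_token": refresh}


def query_params(url):
    """What a client reads from the redirect's query (authorization code flow)."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def fragment_params(url):
    """What a client reads from the redirect's fragment (implicit grant)."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).fragment).items()}


def native_app_code_flow(server, now=None):
    """Authorization code flow for a public client: no client_secret anywhere."""
    redirect = server.authorize("code", "native-app", "myapp://cb", "alice",
                                state="xyz", now=now)
    front = query_params(redirect)
    if front.get("state") != "xyz":
        raise OAuthError("state_mismatch")   # client-side check before using the code
    back = server.token("authorization_code", front["code"], "native-app",
                        "myapp://cb", now=now)
    return front, back


def implicit_flow(server):
    redirect = server.authorize("token", "js-app", "https://app.example/cb", "alice")
    return fragment_params(redirect)


if __name__ == "__main__":
    srv = AuthorizationServer()
    front, back = native_app_code_flow(srv)
    print("front channel carried:", sorted(front))
    print("back channel returned:", sorted(back))
    print("implicit fragment carried:", sorted(implicit_flow(srv)))
```

Run it and compare the three lists: the code flow's front channel carries only `code` and `state`, the refresh token appears only in the token endpoint's direct response, and the implicit fragment carries the access token but no refresh token. The token endpoint's checks (single use, expiry, client_id and redirect_uri binding) are what the public-client code flow relies on in place of a client secret.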