Re: [OAUTH-WG] Variant of Web Server Flow w/o direct communication
Torsten Lodderstedt <torsten@lodderstedt.net> Sat, 24 April 2010 07:16 UTC
Return-Path: <torsten@lodderstedt.net>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id BC68528C0DB for <oauth@core3.amsl.com>; Sat, 24 Apr 2010 00:16:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.705
X-Spam-Level:
X-Spam-Status: No, score=-0.705 tagged_above=-999 required=5 tests=[AWL=-1.057, BAYES_50=0.001, HELO_EQ_DE=0.35, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 76SJesxScIOF for <oauth@core3.amsl.com>; Sat, 24 Apr 2010 00:16:00 -0700 (PDT)
Received: from smtprelay03.ispgateway.de (smtprelay03.ispgateway.de [80.67.31.37]) by core3.amsl.com (Postfix) with ESMTP id 7715B3A6AED for <oauth@ietf.org>; Sat, 24 Apr 2010 00:16:00 -0700 (PDT)
Received: from p4fff2b78.dip.t-dialin.net ([79.255.43.120] helo=[127.0.0.1]) by smtprelay03.ispgateway.de with esmtpa (Exim 4.68) (envelope-from <torsten@lodderstedt.net>) id 1O5Zaf-0003Oh-4q; Sat, 24 Apr 2010 09:15:49 +0200
Message-ID: <4BD29AA2.1050907@lodderstedt.net>
Date: Sat, 24 Apr 2010 09:15:46 +0200
From: Torsten Lodderstedt <torsten@lodderstedt.net>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; de; rv:1.9.1.9) Gecko/20100317 Thunderbird/3.0.4
MIME-Version: 1.0
To: Evan Gilbert <uidude@google.com>
References: <4BCE071E.5030008@lodderstedt.net> <q2oc8689b661004201745wbf45d637w6c224d09513e7be2@mail.gmail.com> <4BCE8D55.4040708@lodderstedt.net> <y2pc8689b661004210831m7c246bffk3765fe5a2565b7bd@mail.gmail.com> <4BCF3226.2020002@lodderstedt.net> <z2vc8689b661004211723ic920b3fmce4acccbceb68ed1@mail.gmail.com>
In-Reply-To: <z2vc8689b661004211723ic920b3fmce4acccbceb68ed1@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------000905080008000104090006"
X-Df-Sender: 141509
Cc: "OAuth WG (oauth@ietf.org)" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Variant of Web Server Flow w/o direct communication
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 24 Apr 2010 07:16:01 -0000
Am 22.04.2010 02:23, schrieb Evan Gilbert: > >> >> At one point we had tokens in query string for the User-Agent >> flow, but there were concerns about the security side. Query >> parameters are much more likely to leak in logs and in referrers. >> >> It's not a lot of work to support this functionality with the >> existing User-Agent flow using a boilerplate response page. Page >> would: >> 1. Grab fragment >> 2. Make XMLHttpRequest with access token & refresh token to >> server, or POST a form >> 3. Redirect to destination page. >> >> Would this work? > > I think this would work but is IMHO somehow cumbersome and > requires two requests to the service. > > > I agree it's cumbersome. Hopefully the security folks can respond with > the pros/cons of tokens in the query parameters. I dicussed security considerations in my proposal. Depending on the risk assessment of the application/deployment, one will need to sign the request or encrypt the response. > Alternatively, the authorization server could directly respond > with a HTML page containing a HTML form element with all response > data. This form could automatically be submited to the service > using JavaScript. This would be similar to OpenIds "HTML FORM > Redirection". > > > This is a good idea. Might make sense to support as a best practice - > the form can be static and it's fairly easy for any client to host it. > > We recently had a similar discussion on the Native Application flow on > the OAuth WG thread - decided that we could implement the Native Flow > as the Web Server flow + a simple HTML web page. And the web page > wouldn't be directly part of the spec, but a separately documented > best practice. > > (note - I don't have strong opinions on this - mostly discussing options) I don't know whether the flow can really be implemented w/o standard support. 1) The server has to decide when to respond with conventional redirect and when with HTML FORM Redirection. This could probably be setup on a per client base. 2) The client may not perform the second call in order to retrieve the tokens. Instead it shall use the response parameters. I don't expect libraries to support this behavior as long as the standard does not specifies it. regards, Torsten. > > > regards, > Torsten. > >
- Re: [OAUTH-WG] Variant of Web Server Flow w/o dir… Marius Scurtescu
- [OAUTH-WG] Variant of Web Server Flow w/o direct … Torsten Lodderstedt
- Re: [OAUTH-WG] Variant of Web Server Flow w/o dir… Evan Gilbert
- Re: [OAUTH-WG] Variant of Web Server Flow w/o dir… Torsten Lodderstedt
- Re: [OAUTH-WG] Variant of Web Server Flow w/o dir… Evan Gilbert
- Re: [OAUTH-WG] Variant of Web Server Flow w/o dir… Torsten Lodderstedt
- Re: [OAUTH-WG] Variant of Web Server Flow w/o dir… Evan Gilbert
- Re: [OAUTH-WG] Variant of Web Server Flow w/o dir… Torsten Lodderstedt
- Re: [OAUTH-WG] Variant of Web Server Flow w/o dir… Torsten Lodderstedt