Re: [OAUTH-WG] native app support (was: Next draft)
David Recordon <recordond@gmail.com> Tue, 08 June 2010 18:45 UTC
Return-Path: <recordond@gmail.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 9AFDD3A6893 for <oauth@core3.amsl.com>; Tue, 8 Jun 2010 11:45:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.001
X-Spam-Level:
X-Spam-Status: No, score=0.001 tagged_above=-999 required=5 tests=[BAYES_50=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LT3bvi7dPCGZ for <oauth@core3.amsl.com>; Tue, 8 Jun 2010 11:45:40 -0700 (PDT)
Received: from mail-gy0-f172.google.com (mail-gy0-f172.google.com [209.85.160.172]) by core3.amsl.com (Postfix) with ESMTP id D63343A6890 for <oauth@ietf.org>; Tue, 8 Jun 2010 11:45:37 -0700 (PDT)
Received: by gyh4 with SMTP id 4so3491473gyh.31 for <oauth@ietf.org>; Tue, 08 Jun 2010 11:45:33 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:received:in-reply-to :references:date:message-id:subject:from:to:cc:content-type :content-transfer-encoding; bh=f73SMCIbwCj+eq2KlpB8qPEwsxW3hV8phC8BLXA+7s0=; b=F3zlXLzo9yBSj8Dm1dddiOVa/gEIea/vEKm/LxcmHd4eod2+GnP4bSGSCaKt5CGTtk p8nMvESeEBfMhwUXDOAIznBv1+7BiJ6Guf9hHygcXDJYXOdAxL+KZK7SWne49arq+Qdp QqdEr5p8l5yN01PLwgISay0VNSORbPdOxCruI=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; b=j5jVRQlaWXP8RQbooQ7VfhvBr6Y4fr1RbIIXHnhI2hLsp3StAXmZ541CZpIhA8MQnc xpcf6UM+Mz5/a4VPU1kwAd5oFEE8oOPYVptCN0BHRShbDoSRZz+I7AaN5yBbRjEtxaIp S/mk5cszRFM53XPZV2mU40McP45vHrGB26CtQ=
MIME-Version: 1.0
Received: by 10.100.50.17 with SMTP id x17mr17127743anx.11.1276022733504; Tue, 08 Jun 2010 11:45:33 -0700 (PDT)
Received: by 10.231.192.4 with HTTP; Tue, 8 Jun 2010 11:45:33 -0700 (PDT)
In-Reply-To: <AANLkTikkG3T_DYKhjMbyYayi7SzZel3RJXFSguxq7SSZ@mail.gmail.com>
References: <AANLkTikkG3T_DYKhjMbyYayi7SzZel3RJXFSguxq7SSZ@mail.gmail.com>
Date: Tue, 08 Jun 2010 11:45:33 -0700
Message-ID: <AANLkTimKWnuYd1j6b-sH_Ctt0ZYK67jj0ga64lrcv_Tt@mail.gmail.com>
From: David Recordon <recordond@gmail.com>
To: Marius Scurtescu <mscurtescu@google.com>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: quoted-printable
Cc: "OAuth WG (oauth@ietf.org)" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] native app support (was: Next draft)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 08 Jun 2010 18:45:41 -0000
Hey Marius, 1) Feels like this should be in an unregistered client spec. 3) Why would a device which intends to open a web browser use the device flow to start? Wouldn't it just use the user agent flow? 4) Yes, but should be a separate document. Thanks, --David On Tue, Jun 8, 2010 at 10:46 AM, Marius Scurtescu <mscurtescu@google.com> wrote: > In order to properly support native applications I suggest the > following changes: > > 1. client_name > > In all flows when client_id is sent also allow for an optional > client_name. This optional parameter is meant as a display name for > the client, and it is useful in all unregistered cases, not only for > native apps. > > If the client is unregistered then most likely the authz server will > require that client_id be set to a predefined value like "anonymous". > The approval page does need a client name so it can tell the user who > it is granting access for. > > > 2. optional redirect_uri (default result page) > > Some native apps do not have a redirect_uri, as a result two things are needed: > > 2.1 Either make redirect_uri optional or define a standard value that > signals that the client does not have such a page. > > 2.2 The authz server must supply a default result page, if there is no > redirect_uri. Also, this page should put the verification code and the > client state (code and state) in the page title in a standard way such > that the native app can extract them from the window title. WRAP > defined how the title should be formed. > > > 3. device flow should be able to start user-agent > > The device flow can be used by native apps in which case there is a > browser on the device. This flow should be able to start a browser and > directly take the user to the end-user verification URI with the user > code added as a query parameter (so the user is not required to do any > manual entry). This is sort of possible right now, but the handler > behind verification_uri must expect an optional user_code (in which > case it should not prompt the user). > > > 4. section with guidance for native apps > > I think the spec needs a section that explains how native apps can be > used with OAuth 2. Not sure if it is worth getting into pros and cons > for each flow, but all flows can be used. > > > Marius > > > > On Mon, Jun 7, 2010 at 8:44 AM, Eran Hammer-Lahav <eran@hueniverse.com> wrote: >> I still need to catch up on the list (I took a little break). I plan to post a new draft this week incorporating many editorial changes discussed at the interim meeting. I am also planning of removing some non-stable features (such as discovery and signatures) from the draft and moving them to new drafts. As soon as -06 is published, I plan to issue informal last-calls for each section so that we can lock down the normative portions of the draft. >> >> If you have any must-happen changes for -05 that were not already posted to the list, please let me know. >> >> EHL >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org >> https://www.ietf.org/mailman/listinfo/oauth >> > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth >
- Re: [OAUTH-WG] native app support (was: Next draf… Marius Scurtescu
- [OAUTH-WG] native app support (was: Next draft) Marius Scurtescu
- Re: [OAUTH-WG] native app support (was: Next draf… David Recordon
- Re: [OAUTH-WG] native app support (was: Next draf… Torsten Lodderstedt
- Re: [OAUTH-WG] native app support (was: Next draf… Marius Scurtescu
- Re: [OAUTH-WG] native app support (was: Next draf… Torsten Lodderstedt
- Re: [OAUTH-WG] native app support (was: Next draf… Marius Scurtescu
- Re: [OAUTH-WG] native app support (was: Next draf… Eran Hammer-Lahav
- Re: [OAUTH-WG] native app support (was: Next draf… Marius Scurtescu
- Re: [OAUTH-WG] native app support (was: Next draf… Eran Hammer-Lahav
- Re: [OAUTH-WG] native app support (was: Next draf… Marius Scurtescu
- Re: [OAUTH-WG] native app support (was: Next draf… Eran Hammer-Lahav
- Re: [OAUTH-WG] native app support (was: Next draf… Eran Hammer-Lahav
- Re: [OAUTH-WG] native app support (was: Next draf… Marius Scurtescu
- Re: [OAUTH-WG] native app support (was: Next draf… Luke Shepard
- Re: [OAUTH-WG] native app support (was: Next draf… Luke Shepard
- Re: [OAUTH-WG] native app support (was: Next draf… Marius Scurtescu
- Re: [OAUTH-WG] native app support (was: Next draf… Brian Eaton
- Re: [OAUTH-WG] native app support (was: Next draf… Luke Shepard