Re: [OAUTH-WG] user-agent flow needs a rewrite
Bouiaw <bouiaw@gmail.com> Wed, 21 July 2010 09:47 UTC
Return-Path: <bouiaw@gmail.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id A54303A6BA8 for <oauth@core3.amsl.com>; Wed, 21 Jul 2010 02:47:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JbV+dNq9MQgl for <oauth@core3.amsl.com>; Wed, 21 Jul 2010 02:47:41 -0700 (PDT)
Received: from mail-ww0-f44.google.com (mail-ww0-f44.google.com [74.125.82.44]) by core3.amsl.com (Postfix) with ESMTP id 55F263A6BA3 for <oauth@ietf.org>; Wed, 21 Jul 2010 02:47:41 -0700 (PDT)
Received: by wwj40 with SMTP id 40so1712737wwj.13 for <oauth@ietf.org>; Wed, 21 Jul 2010 02:47:57 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:received:in-reply-to :references:date:message-id:subject:from:to:cc:content-type :content-transfer-encoding; bh=anZG7x7Y35oZuvhDMfxLXAyPxgsheJl7edGRuEBphgk=; b=Uq/Z7pTZtVbhLBQ/tJZVuGhMKDCs+9SjR5FM162H4qakCIrKQsLCJwEtpreKNZQ0J2 gFOevFfYEZ2j//xXoZwYDFPdd5oMGzSrDBU/Q6OPqYdUWV8zGLDn/uoB3XBfKTdKuNQo THYNES4cuSYe6LPCZRHfjK+xYex/gElcGcYZE=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; b=NqFTzFmg1kxsVA15ZMt4IRwulX2b4Qot1d4+TAKIKCYJypFfZwHNcS+71//Ja+BHDw L3SjpioOKv6BLSnhiUaym5JwAmTu4HDlFayZ5RSO/nSqRMmQI1oRNxSqn4G1whb90vCO fcLSmtZaFuVNAz/3N8pSfrlwon5BPH1LG7Jpk=
MIME-Version: 1.0
Received: by 10.216.185.131 with SMTP id u3mr6167739wem.28.1279705676746; Wed, 21 Jul 2010 02:47:56 -0700 (PDT)
Received: by 10.216.176.3 with HTTP; Wed, 21 Jul 2010 02:47:56 -0700 (PDT)
In-Reply-To: <AANLkTikfk5kBhNazxH4H0gaSEKaQKFmXU0cCuPVJPMjF@mail.gmail.com>
References: <AANLkTin98uuCmGfr-X0A7JrN1LfUwKlb2RF3FYhJTDev@mail.gmail.com> <C8623017.37208%eran@hueniverse.com> <AANLkTikfk5kBhNazxH4H0gaSEKaQKFmXU0cCuPVJPMjF@mail.gmail.com>
Date: Wed, 21 Jul 2010 11:47:56 +0200
Message-ID: <AANLkTikMbT-KSXKrfAGsVD_Eozgr5OHDuZmsCqFNmMKW@mail.gmail.com>
From: Bouiaw <bouiaw@gmail.com>
To: Eran Hammer-Lahav <eran@hueniverse.com>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: quoted-printable
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] user-agent flow needs a rewrite
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 21 Jul 2010 09:47:42 -0000
Could you explain how the token fragment is removed between step C and D in the user agent profile ? I don't understand how the http redirect request can be modified by the user agent .... On Wed, Jul 14, 2010 at 7:58 AM, Naitik Shah <n@daaku.org> wrote: > Thanks! That sounds great. > > On Tue, Jul 13, 2010 at 3:00 PM, Eran Hammer-Lahav <eran@hueniverse.com> > wrote: >> >> This is clearly a third flow - hybrid (of user-agent and web-server) - and >> not just a variant of the user-agent flow. It should be presented with its >> own flow diagram and description. I also think the user-agent and >> web-server >> flow names are misleading. They need to be replaced with more descriptive >> names. Something like (I don¹t like these, just trying to demonstrate): >> >> Web-server --> 2 step flow (get code, get token) >> User-agent --> direct flow (get token) >> Hybrid --> hybrid flow (get code and token, get token) >> >> In an attempt to accommodate Brian's request for more concentrated flow >> descriptions, I am working on coming up with come middle ground between >> -05 >> and -10. >> >> ---- >> >> As for the specification of the end-user authorization endpoint: >> >> Please answer this based on actual use cases. When returning parameters >> using the redirection URI call, which of these combinations make sense? >> >> | Code | Token | Code & Token >> ---------+------+-------+-------------- >> Fragment | a | 1 | 3 >> Query | 2 | b | c >> Split* | n/a | n/a | d >> >> * token in fragment, code in query >> >> Known use cases: >> >> 1 - current user-agent flow >> 2 - current web-server flow >> 3 - as described by Brian and Naitik >> >> Questionable use cases: >> >> a - >> b - >> c - >> d - current -10 code-and-token proposal >> >> EHL >> >> >> On 7/13/10 2:27 PM, "Naitik Shah" <n@daaku.org> wrote: >> >> > On Tue, Jul 13, 2010 at 2:06 PM, Eran Hammer-Lahav <eran@hueniverse.com> >> > wrote: >> >> This looks reasonable, however, I am no longer see the value in the >> >> hybrid >> >> mode of token and code. If the code is passed in the fragment, the >> >> client has >> >> to pass it to the server. If that is the case, why can¹t the server >> >> reply >> >> back with the access token? Is the entire purpose just a performance >> >> optimization so the client doesn¹t have to wait for the server response >> >> before it has an access token? >> >> >> > >> > I think there are two use cases here, and they are not mutually >> > exclusive. >> > Some apps are mostly just server side, and would end up doing a full >> > page >> > refresh, and here the code in the query param would probably be >> > acceptable. >> > Some apps are mostly just client side, and here the code is irrelevant >> > and the >> > access token in the fragment is all that matters. But we also have >> > hybrids >> > where we want the code in a cookie/JS callback, and we'll also use the >> > access >> > token on the client to dynamically update the UI by accessing some >> > protected >> > data (this is what the Data enabled XFBML tags do in the Facebook JS SDK >> > for >> > instance). While the server can do the code to access_token exchange, it >> > can't >> > return it to the JS safely if it does not support https. Even if it did, >> > it >> > would mean more overhead for the developer to build an endpoint that >> > does this >> > work and cooperates with a JS SDK which wants the access_token for >> > making API >> > calls. >> > >> > >> > -Naitik >> > >> > >> > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth > >
- [OAUTH-WG] user-agent flow needs a rewrite Brian Eaton
- Re: [OAUTH-WG] user-agent flow needs a rewrite Eran Hammer-Lahav
- Re: [OAUTH-WG] user-agent flow needs a rewrite Brian Eaton
- Re: [OAUTH-WG] user-agent flow needs a rewrite Eran Hammer-Lahav
- Re: [OAUTH-WG] user-agent flow needs a rewrite Luke Shepard
- Re: [OAUTH-WG] user-agent flow needs a rewrite Eran Hammer-Lahav
- Re: [OAUTH-WG] user-agent flow needs a rewrite David Recordon
- Re: [OAUTH-WG] user-agent flow needs a rewrite Brian Eaton
- Re: [OAUTH-WG] user-agent flow needs a rewrite Eran Hammer-Lahav
- Re: [OAUTH-WG] user-agent flow needs a rewrite Blaine Cook
- Re: [OAUTH-WG] user-agent flow needs a rewrite Brian Eaton
- Re: [OAUTH-WG] user-agent flow needs a rewrite Naitik Shah
- Re: [OAUTH-WG] user-agent flow needs a rewrite Eran Hammer-Lahav
- Re: [OAUTH-WG] user-agent flow needs a rewrite Naitik Shah
- Re: [OAUTH-WG] user-agent flow needs a rewrite Eran Hammer-Lahav
- Re: [OAUTH-WG] user-agent flow needs a rewrite Brian Eaton
- Re: [OAUTH-WG] user-agent flow needs a rewrite Naitik Shah
- Re: [OAUTH-WG] user-agent flow needs a rewrite Bouiaw