Re: [OAUTH-WG] Manual Authorization Codes -- Help/Feedback requested

Shane B Weeden <> Wed, 11 January 2012 21:25 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id B8ABD11E80C2 for <>; Wed, 11 Jan 2012 13:25:00 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -6.599
X-Spam-Status: No, score=-6.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id NSn1IZXdnZIY for <>; Wed, 11 Jan 2012 13:24:59 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTP id 5B4A311E80BB for <>; Wed, 11 Jan 2012 13:24:58 -0800 (PST)
Received: from /spool/local by with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for <> from <>; Wed, 11 Jan 2012 21:21:52 +1000
Received: from ([]) by ([]) with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted; Wed, 11 Jan 2012 21:21:49 +1000
Received: from ( []) by (8.13.8/8.13.8/NCO v10.0) with ESMTP id q0BLKGf93375336; Thu, 12 Jan 2012 08:20:18 +1100
Received: from (loopback []) by (8.14.4/8.13.1/NCO v10.0 AVout) with ESMTP id q0BLOfpe021213; Thu, 12 Jan 2012 08:24:41 +1100
Received: from ( []) by (8.14.4/8.13.1/NCO v10.0 AVin) with ESMTP id q0BLOfj3021207; Thu, 12 Jan 2012 08:24:41 +1100
In-Reply-To: <>
References: <> <> <> <> <>
X-KeepSent: C819BEC0:7B1531C7-4A257982:0073D8FB; type=4; name=$KeepSent
To: Gregory Prisament <>
X-Mailer: Lotus Notes Release 8.5.1FP5 SHF29 November 12, 2010
Message-ID: <>
From: Shane B Weeden <>
Date: Thu, 12 Jan 2012 07:14:43 +1000
X-MIMETrack: Serialize by Router on d23ml004/23/M/IBM(Release 8.5.2FP1HF437 | June 7, 2011) at 12/01/2012 08:28:46
MIME-Version: 1.0
Content-type: text/plain; charset="US-ASCII"
x-cbid: 12011111-7014-0000-0000-000000673C2D
Subject: Re: [OAUTH-WG] Manual Authorization Codes -- Help/Feedback requested
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 11 Jan 2012 21:25:00 -0000

You can also use the authorization code flow with a form of custom (e.g.
manual) delivery of the authorization code from the authorization server to
your client rather than via a redirect.

Some important points about that:
The resource owner must still visit the real authorization endpoint with a
browser to authenticate and grant authorization. The authorization server
can (e.g. for manual delivery) display the azn code on the browser screen.
The resource owner in concert with the authorization server must ensure
secure timely delivery of the authorization code to the client without it
being leaked. The authorization code should have a short lifetime allowing
only sufficient time for the client to get and use it.
The client must exchange the authorization code for an access [and refresh]
token as soon as possible then securely store those for future use.

The safe and secure delivery of the authorization code to the client has
been discussed in several contexts including native mobile apps. Redirects
with custom URI schemes, backchannel delivery via notification services,
and manual delivery such as discussed above are all possible. The core spec
doesn't describe these variants in detail but there is no reason an
authorization server can't implement them.


From:	Justin Richer <>
To:	Gregory Prisament <>
Date:	12/01/2012 06:50 AM
Subject:	Re: [OAUTH-WG] Manual Authorization Codes -- Help/Feedback
Sent by:

You definitely can do that with an app-specific password using the
resource owner password flow, but if you're already doing OAuth, why
would you want to?

The Device flow fell by the wayside not because people didn't see value
in it -- many do -- but nobody in the group was actively implementing
against it and nobody wanted to pick up editorship of it. David did us
the courtesy of at least capturing those parts of the protocol into a
document so that they wouldn't be lost entirely, but what it really
needs now is an editor to step up and see it through to completion. This
WG is planning to recharter or re-form or something in the near future,
and if there's a champion behind the Device doc (and someone willing to
do the actual work of editing the text), then we'll see it come up again.

  -- Justin

On 01/11/2012 01:49 PM, Gregory Prisament wrote:
> Correction: Last paragraph should read:
> ... Do you think an authorization server could implement
> application-specific passwords, passing it off as the "resource owner
> credentials" grant type...
> On Wed, Jan 11, 2012 at 10:47 AM, Gregory Prisament
> <>  wrote:
>> Thanks for the link, that's very similar to what I'm going for.
>> Any idea why people lost interest in the Device Flow?  It seems like a
>> useful option to have!
>> Also, in doing some research, I came across Google's
>> "application-specific passwords", which seem to be another way to
>> solve this problem.
>> Any thoughts on application-specific passwords.  Do you think an
>> authorization server could implement application-specific passwords,
>> passing it off as the "client credentials" grant type.  Would that be
>> in spec?
>> Cheers,
>> Greg
>> On Tue, Jan 10, 2012 at 11:47 AM, Justin Richer<>
>>> What you're describing is the Device Flow, which was pulled out of the
>>> document a while ago and now sits here, somewhat outdated and unloved:
>>> In this, the app gives the user a short code that they enter into a
URL, do
>>> the authorization there, and get a short code back. It's effectively
>>> same as the auth code flow, but it does the dance without HTTP
>>>   -- Justin
>>> On 01/10/2012 02:23 PM, Gregory Prisament wrote:
>>>> Hello,
>>>> I am developing a REST API and trying to follow the OAuth 2.0 protocol
>>>> for authentication, and have a few questions for you good folks.
>>>> The use case I'm interested in is native applications (such as linux
>>>> command-line programs) that are unable or unwilling to involve a
>>>> user-agent.  In this case, it seems redirection-based flows
>>>> ("Authorization Code" and "Implicit Grant Types") are out!  That
>>>> leaves "Client Credentials" and "Resource Owner Credentials".
>>>> "Client Credentials" do not seem appropriate because the client may be
>>>> installed on multiple machines and used by different resource owners.
>>>> "Resource Owner Credentials" COULD work, but I'd rather not require
>>>> the resource owner to reveal their username and password.
>>>> One solution, which seems reasonable to me, would be to extend OAuth2
>>>> to include another grant type called "Manual Authorization Code".
>>>> Using a web browser, the resource owner would login&    authenticate
>>>> with the authorization server (using session log-on, etc).  From there
>>>> they could enter an Application ID and press a button "Generate Manual
>>>> Authorization Code".  The resource owner would then type this Manual
>>>> Authorization Code into the client, and the client could exchange it
>>>> for an Access Token.
>>>> But before I go down this route -- writing an extension, etc.. -- I
>>>> wanted the WG's feedback.  It seems there are a few different ways to
>>>> handle this use case and was curious which you think best matches the
>>>> intentions of the OAuth2 spec.
>>>> (1) "Manual Authorization Code" extension.
>>>> See description above.
>>>> (2) "Client Credentials" with each resource owner registering a
>>>> client.
>>>> We could achieve a similar effect to (1) by using "Client
>>>> Credentials".  Say the client is a command-line program
>>>> "example-client-cli", which a large number of resource owners have
>>>> downloaded and installed.  Each resource owner would register the
>>>> client with the authorization server and configure their local install
>>>> by telling it the client_id and client_secret.
>>>> (3) Something else entirely?
>>>> (Q1) Has the WG thought about this particular use case ("CLI clients")
>>>> and do you have a recommended authorization approach.
>>>> (Q2) Do Manual Authorization Codes make sense?  Would anyone else find
>>>> it useful to have - if I were to write up an extension document for
>>>> it?
>>>> Thanks in advanced for you help!
>>>> Cheers,
>>>> Greg Prisament
>>>> Software Architect
>>>> PowerCloud Systems
>>>> _______________________________________________
>>>> OAuth mailing list
>> --
>> Greg Prisament
>> Software Architect
>> PowerCloud Systems
>> mobile: (914) 374-3587

OAuth mailing list