Re: [OAUTH-WG] Mail regarding draft-ietf-oauth-dyn-reg

Torsten Lodderstedt <torsten@lodderstedt.net> Sun, 13 January 2013 17:28 UTC

References: <C41EE4B7616F774CBF466291DC59746F0BCCF8@CINURCNA03.e2k.ad.ge.com> <B33BFB58CCC8BE4998958016839DE27E0687614D@IMCMBX01.MITRE.ORG> <C41EE4B7616F774CBF466291DC59746F0BCD33@CINURCNA03.e2k.ad.ge.com>
Mime-Version: 1.0 (1.0)
In-Reply-To: <C41EE4B7616F774CBF466291DC59746F0BCD33@CINURCNA03.e2k.ad.ge.com>
Content-Type: multipart/alternative; boundary="Apple-Mail-81816973-F430-4076-850A-D581F11E34A8"
Content-Transfer-Encoding: 7bit
Message-Id: <5FEB27AF-72A4-469A-9687-6218F5475F56@lodderstedt.net>
X-Mailer: iPad Mail (10A523)
From: Torsten Lodderstedt <torsten@lodderstedt.net>
Date: Sun, 13 Jan 2013 18:28:36 +0100
To: "Boone, Keith W (GE Healthcare)" <keith.boone@ge.com>
Cc: "oauth@ietf.org WG" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Mail regarding draft-ietf-oauth-dyn-reg

Hi Keith,

comments, see below.

On 10.01.2013 at 22:54, "Boone, Keith W (GE Healthcare)" <keith.boone@ge.com> wrote:

> <snip>
>  
> Imagine the case where I purchase an application and download it to my iPhone and to my iPad.  Then I connect that application to a data holder/authorizer combination it hasn't seen before.  Through dynamic client registration, I could register that application for my iPhone, but the instance of that same application running on my iPad would know nothing about the first registration.  So it would attempt to do it all over again.  What happens here?

Is this a problem? The user should be able to access the data she desires from both apps, independent of the client id.

What do you want to achieve? I don't understand why different instances of an app need to be aware of each other. I would assume a user wants to access the same data from all those instances. But this is merely controlled by the user identity with the app.

I see two possible scenarios:

a) the app does not have user management but relies on the user to set up the connection to a particular resource server. The user would do this on every device, i.e. every app instance would carry out the OAuth dance with the particular authorizer.

b) the app has its own user management. So the user would 1) register for an account and 2) connect this account to the resources managed by the authorizer. Assumption: the app has a backend and stores user data there. On the second device, the user only has to log in using her app account and is done.

Regards,
Torsten.

>  
>             Keith
> _________________________________
> Keith W. Boone
> Standards Architect
> GE Healthcare
> 
> M +1 617 640 7007
> keith.boone@ge.com
> www.gehealthcare.com
> 
> 116 Huntington Ave
> Boston, MA 02116
> USA
> GE imagination at work
>  
> From: Richer, Justin P. [mailto:jricher@mitre.org] 
> Sent: Thursday, January 10, 2013 4:39 PM
> To: Boone, Keith W (GE Healthcare)
> Cc: oauth@ietf.org WG
> Subject: Re: Mail regarding draft-ietf-oauth-dyn-reg
>  
> Interesting use case, and not dissimilar to some others I've heard. How would you go about tracking this? Why would the instances need to know about each other?
>  
> One possible approach would be to use a common initializing Request Access Token that is used to call client_register on all instances of a given client. They wouldn't know about each other, per se, but the Authorization Server would at least know enough to be able to tie them together.
>  
> There's also the OAuth2 Instance Information extension that I had tried to push a few years ago that comes up every now and again, that might be of use here with some modifications:
>  
> http://tools.ietf.org/html/draft-richer-oauth-instance-00
>  
> I think I'd like to know more about your concerns and the parameters of your use case first. 
>  
> I am CC'ing the IETF OAuth Working Group email list, where this draft is being discussed and worked on.
>  
>  -- Justin
>  
> On Jan 10, 2013, at 4:24 PM, "Boone, Keith W (GE Healthcare)" <keith.boone@ge.com> wrote:
> 
> 
> I would like to be able to use this protocol to dynamically register clients, but am challenged by the fact that there could be multiple instances of a public client, each unaware of what others have done.  The current protocol doesn't seem to address this.
> 
>             Keith
> _________________________________
> Keith W. Boone
> Standards Architect
> GE Healthcare
> 
> M +1 617 640 7007
> keith.boone@ge.com
> www.gehealthcare.com
> 
> 116 Huntington Ave
> Boston, MA 02116
> USA
> GE imagination at work
>  
>  
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
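Justin's suggestion above (every instance of the client presents one common initial access token when it calls the registration endpoint, so the authorization server can tie the instances together even though they never learn of each other) can be sketched as a toy registration endpoint. The following is an added example and not code from draft-ietf-oauth-dyn-reg or from any participant in the thread; the token values, the class and function names (`INITIAL_TOKENS`, `AuthorizationServer.register`, `instances_for`, `demo`) and the sample metadata are assumptions made for illustration.

```python
"""Toy OAuth dynamic-registration endpoint that groups instances of one app.

Added illustration; not code from draft-ietf-oauth-dyn-reg or from anyone in
the thread.  Every instance of a distributed application presents the same
initial access token when it registers.  The server issues a distinct
client_id per instance but records which software the token belongs to, so
the authorization server can tie the instances together even though the
instances never learn of one another.

Assumed names: INITIAL_TOKENS, AuthorizationServer.register, instances_for.
"""
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

# Constructed sample: one initial access token, handed out of band to the
# vendor of "acme-health-app" and embedded in every copy of that app.
INITIAL_TOKENS = {
    "iat-acme-health-2013": "acme-health-app",
}


class RegistrationError(Exception):
    """Raised with an OAuth-style error code as its message."""


@dataclass
class ClientRecord:
    client_id: str
    client_secret: Optional[str]   # None for public clients (auth method "none")
    software: str                  # which initial access token registered it
    redirect_uris: list


def _validate_redirect_uris(uris):
    """Each redirect URI must be absolute and must not carry a fragment."""
    if not uris or not isinstance(uris, list):
        raise RegistrationError("invalid_redirect_uri")
    for uri in uris:
        parts = urlsplit(uri)
        if not parts.scheme or parts.fragment:
            raise RegistrationError("invalid_redirect_uri")
    return list(uris)


class AuthorizationServer:
    def __init__(self, initial_tokens):
        self._initial_tokens = initial_tokens
        self._clients = {}

    def _software_for_token(self, presented):
        # Compare against every known token in constant time so a wrong
        # guess does not leak how much of a token matched.
        match = None
        for token, software in self._initial_tokens.items():
            if hmac.compare_digest(token.encode(), presented.encode()):
                match = software
        return match

    def register(self, initial_access_token, metadata):
        """Handle one registration request and return the client information.
        A second instance of the same app calling this with the same initial
        access token gets its own, different client_id."""
        software = self._software_for_token(initial_access_token)
        if software is None:
            raise RegistrationError("invalid_token")
        redirect_uris = _validate_redirect_uris(metadata.get("redirect_uris"))
        auth_method = metadata.get("token_endpoint_auth_method", "client_secret_basic")
        public_client = auth_method == "none"
        rec = ClientRecord(
            client_id=secrets.token_urlsafe(16),
            client_secret=None if public_client else secrets.token_urlsafe(32),
            software=software,
            redirect_uris=redirect_uris,
        )
        self._clients[rec.client_id] = rec
        response = {
            "client_id": rec.client_id,
            "redirect_uris": rec.redirect_uris,
            "token_endpoint_auth_method": auth_method,
        }
        if rec.client_secret is not None:
            response["client_secret"] = rec.client_secret
        return response

    def instances_for(self, software):
        """All client_ids that registered with the given software's token."""
        return sorted(c.client_id for c in self._clients.values()
                      if c.software == software)


def demo():
    """Keith's scenario: the same app registers from an iPhone and an iPad."""
    server = AuthorizationServer(INITIAL_TOKENS)
    metadata = {"redirect_uris": ["acmehealth://oauth/callback"],
                "token_endpoint_auth_method": "none"}   # public client
    iphone = server.register("iat-acme-health-2013", metadata)
    ipad = server.register("iat-acme-health-2013", metadata)
    return server, iphone, ipad


if __name__ == "__main__":
    srv, a, b = demo()
    print("iPhone instance:", a["client_id"])
    print("iPad instance:  ", b["client_id"])
    print("instances tied to acme-health-app:", srv.instances_for("acme-health-app"))
```

Each instance ends up with its own client_id, which fits Torsten's point that which data a user can reach is governed by the user's identity and the authorization she grants in each instance's own OAuth dance, not by the client_id. One caveat for the grouping idea: a token that is embedded in every copy of a public client can be extracted from any one copy, so the authorization server should treat "registered with this initial access token" as a claim about which software the instance says it is, not as proof that the instance is genuine.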