Re: [OAUTH-WG] Device profile usage

Justin Richer <jricher@mitre.org> Wed, 29 May 2013 14:22 UTC

To: Vincent Tsang <vincetsang@gmail.com>
Cc: "oauth@ietf.org" <oauth@ietf.org>

Yes, it's the app that is granted a token on behalf of the user. This is 
a very classic OAuth pattern.

  -- Justin

On 05/29/2013 10:20 AM, Vincent Tsang wrote:
> The same user could run the app on multiple computers and I want to 
> distinguish each running instance, so I think it's the app?
>
> Thanks.
> Vincent
>
> On Wednesday, May 29, 2013, Todd W Lainhart wrote:
>
>     On behalf of what will the access token be granted - the app (e.g.
>     Word), or the user running the app?
>
>     Todd Lainhart
>     Rational software
>     IBM Corporation
>     550 King Street, Littleton, MA 01460-1250
>     1-978-899-4705
>     2-276-4705 (T/L)
>     lainhart@us.ibm.com
>
>     From: Vincent Tsang <vincetsang@gmail.com>
>     To: Nat Sakimura <sakimura@gmail.com>
>     Cc: "oauth@ietf.org" <oauth@ietf.org>
>     Date: 05/29/2013 12:31 AM
>     Subject: Re: [OAUTH-WG] Device profile usage
>     Sent by: oauth-bounces@ietf.org
>     ------------------------------------------------------------------------
>
>     The client is a native Windows application, for instance, a
>     document editor like MS Word.
>     The editor can upload copies to the cloud (e.g. Amazon S3), then
>     record the version history and notes associated with each cloud
>     copy to our cloud service via our cloud application API (to be
>     secured by OAuth access tokens).
>     I think it's similar to the case with a media player application
>     (like VLC/Windows Media Player) that sends playlist/history info
>     to the cloud via some cloud application API.
>     I'm just not sure which of the 4 scenarios described in the OAuth
>     spec could fit in here...
>
>     Thanks.
>     Vincent
>
>
>     On Wed, May 29, 2013 at 11:38 AM, Nat Sakimura
>     <sakimura@gmail.com> wrote:
>     A little more application and user context would help.
>     A use case, so to speak.
>
>     Nat
>
>     2013/05/29 12:04, Vincent Tsang <vincetsang@gmail.com> wrote:
>
>     > Hi Hannes,
>     >
>     > Thanks for your reply.
>     > Actually I am new to OAuth and am simply trying to search for
>     > the best industrial practice for granting access tokens when the
>     > client to our application API is a simple Windows application,
>     > which in most cases runs on PCs with a web browser installed.
>     > Therefore the scenario doesn't quite match what is described in
>     > the document, as the user doesn't need a separate machine to
>     > perform the verification; it's just that the client application
>     > doesn't have internet browsing capability itself (in this sense
>     > it's similar to the "device" described in this document, though
>     > not quite) and so the user needs to launch a separate browser
>     > application.
>     > I ended up on this device profile spec just because it seems to
>     > match closer to our scenario when compared to the 4 cases
>     > described in the OAuth 2 spec, but it could be the case that I
>     > didn't understand it fully.
>     > Maybe I should rephrase my question: could someone please advise
>     > what should be the best practice for granting OAuth tokens to
>     > clients which are native Windows applications?
>     >
>     > Thanks.
>     > Vincent
>     >
>     > _______________________________________________
>     > OAuth mailing list
>     > OAuth@ietf.org
>     > https://www.ietf.org/mailman/listinfo/oauth