Re: [OAUTH-WG] Questions on urn:ietf:wg:oauth:2.0:oob

Jim Willeke <jim@willeke.com> Tue, 10 October 2017 18:51 UTC

In-Reply-To: <5C19128A-51FF-4F3B-AC1A-E04E0ABEC3D5@ve7jtb.com>
References: <CAB3ntOvgXC4jWhGm7qNLSX94v35ZE7E0zy3Q0YZWOh-S+PRpow@mail.gmail.com> <5C19128A-51FF-4F3B-AC1A-E04E0ABEC3D5@ve7jtb.com>
From: Jim Willeke <jim@willeke.com>
Date: Tue, 10 Oct 2017 14:50:11 -0400
Message-ID: <CAB3ntOspMdK=Krqx8YEm+i4rB7CLOKN=AgynEEBvVJiPLYh6gA@mail.gmail.com>
To: oauth <oauth@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/XN2pyY1cunA-cGY2HaMVQd4c8H0>
Subject: Re: [OAUTH-WG] Questions on urn:ietf:wg:oauth:2.0:oob

Thanks for all the feedback.

--
-jim
Jim Willeke

On Tue, Oct 10, 2017 at 11:02 AM, John Bradley <ve7jtb@ve7jtb.com> wrote:

>  urn:ietf:wg:oauth:2.0:oob is a google thing that is not part of the OAuth
> 2 specification.
>
> I think it was mostly a windows thing.
>
> It is not a real redirect URI; it is used as a flag to the authorization
> server to have the result returned “Out Of Band” and the user cut and paste
> the token.
>
> On Windows, applications could snoop the title bars of other apps and so
> programmatically retrieve the token value from the title bar.
>
> I don’t really want to put effort into expanding all the reasons this is
> not secure.
>
> I don’t honestly know what would happen if you sent that redirect URI to a
> non-Google AS; probably nothing good.
> It is not part of the OAuth specification and not something people should
> use without having a good reason and understanding the security
> implications.
>
> William and I documented several ways to implement native applications on
> OSX and Windows in RFC8252.
>
> On Windows you are really best off using a UWP app and the native token
> broker with the code flow.
>
> Documentation
> https://developers.google.com/api-client-library/python/auth/installed-app
>
> This value signals to the Google Authorization Server that the
> authorization code should be returned in the title bar of the browser, with
> the page text prompting the user to copy the code and paste it in the
> application. This is useful when the client (such as a Windows application)
> cannot listen on an HTTP port without significant client configuration.
>
> When you use this value, your application can then detect that the page
> has loaded, and can read the title of the HTML page to obtain the
> authorization code. It is then up to your application to close the browser
> window if you want to ensure that the user never sees the page that
> contains the authorization code. The mechanism for doing this varies from
> platform to platform.
>
> If your platform doesn't allow you to detect that the page has loaded or
> read the title of the page, you can have the user paste the code back to
> your application, as prompted by the text in the confirmation page that the
> OAuth 2.0 server generates.
>
> John B.
>
> On Oct 10, 2017, at 8:22 AM, Jim Willeke <jim@willeke.com> wrote:
>
> Wondering if you could help with Questions on urn:ietf:wg:oauth:2.0:oob as
> it appears to be an almost common usage, but no IETF documentation or
> registration that we can find on the defined usage.
>
> This has come up on several occasions.
>
>    - https://stackoverflow.com/q/46643795/88122
>    - http://lists.jboss.org/pipermail/keycloak-dev/2014-May/001814.html
>    - https://github.com/doorkeeper-gem/doorkeeper/issues/514
>    - https://www.ietf.org/mail-archive/web/oauth/current/msg09974.html
>
>
> Should it be registered or defined?
> (or am I missing something?)
>
> With best regards,
>
> --
> -jim
> Jim Willeke
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
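The thread contrasts the non-standard `urn:ietf:wg:oauth:2.0:oob` flag with the native-app patterns in RFC 8252. The following is an added example, not code from the thread or from any of the projects linked in it, showing what an authorization server can do on its side: refuse the oob value outright (and record that a client asked for it), and accept loopback redirect URIs the way RFC 8252 section 7.3 describes, where the client registers `http://127.0.0.1/...` and the port is chosen at request time. The client record `NATIVE_CLIENT`, the function names and the reason strings are assumptions made for this example.

```python
"""Authorization-server side redirect_uri validation for native clients.

Rejects the non-standard urn:ietf:wg:oauth:2.0:oob flag and accepts loopback
redirect URIs as RFC 8252 section 7.3 describes: any port, but the scheme,
loopback IP literal and path must match a registered URI.
"""
import ipaddress
from urllib.parse import urlsplit

# The out-of-band pseudo redirect URI discussed in the thread.
OOB_URN = "urn:ietf:wg:oauth:2.0:oob"

# Constructed sample client registration; the names are illustrative only.
NATIVE_CLIENT = {
    "client_id": "example-native-app",
    "type": "native",
    "redirect_uris": [
        "http://127.0.0.1/callback",          # loopback, port chosen at runtime
        "com.example.app:/oauth2redirect",    # private-use URI scheme
    ],
}


def is_loopback_redirect(uri: str) -> bool:
    """True for http://<loopback IP literal>[:port]/... as in RFC 8252 7.3.

    'localhost' is deliberately not accepted: RFC 8252 8.3 recommends the
    IP literal because the name can resolve to something other than loopback.
    """
    parts = urlsplit(uri)
    if parts.scheme != "http" or parts.hostname is None:
        return False
    try:
        return ipaddress.ip_address(parts.hostname).is_loopback
    except ValueError:
        return False


def _same_except_port(registered: str, requested: str) -> bool:
    """Compare scheme, host, path and query, ignoring only the port."""
    a, b = urlsplit(registered), urlsplit(requested)
    return (a.scheme, a.hostname, a.path, a.query) == (b.scheme, b.hostname, b.path, b.query)


def validate_redirect_uri(client: dict, requested: str) -> tuple:
    """Return (accepted, reason).

    The reason string is meant for the AS audit log, so that clients still
    sending the oob flag can be found and migrated to a supported flow.
    """
    if requested == OOB_URN:
        return False, "oob_urn_not_supported"
    if urlsplit(requested).fragment:
        # RFC 6749 3.1.2 forbids a fragment component in redirect URIs.
        return False, "fragment_not_allowed"
    if client["type"] == "native" and is_loopback_redirect(requested):
        for reg in client["redirect_uris"]:
            if is_loopback_redirect(reg) and _same_except_port(reg, requested):
                return True, "loopback_port_variable"
        return False, "loopback_uri_not_registered"
    if requested in client["redirect_uris"]:
        return True, "exact_match"
    return False, "redirect_uri_not_registered"


if __name__ == "__main__":
    for uri in (OOB_URN,
                "http://127.0.0.1:54321/callback",
                "http://localhost:54321/callback",
                "com.example.app:/oauth2redirect"):
        print(uri, validate_redirect_uri(NATIVE_CLIENT, uri))
```

Everything other than the loopback case is an exact string match against the registered URIs, which is the RFC 6749 rule for all other clients; the port exception applies only to loopback IP literals of a native client, and `localhost` by name is not given that exception.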