Re: [OAUTH-WG] oauth with command line clients

Aaron Parecki <aaron@parecki.com> Mon, 12 June 2017 03:58 UTC

From: Aaron Parecki <aaron@parecki.com>
To: Bill Burke <bburke@redhat.com>
Cc: OAuth WG <oauth@ietf.org>
Date: Sun, 11 Jun 2017 20:58:19 -0700
Message-ID: <CAGBSGjoarSVOEdqjPJXL6BfuACnZeks4LEyBpaMSb+TQ_WFNFw@mail.gmail.com>
In-Reply-To: <a496c372-b700-c6ad-06e7-c257c10d5986@redhat.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/YkJdlUcSphw7PaJrat1ADOYQS7I>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>

I've seen this done a few ways:

* The Device Flow: https://tools.ietf.org/html/draft-ietf-oauth-device-flow
which is what you see on browserless devices like the Apple TV logging in
to a cable provider from your phone. A short code is generated and
displayed on the screen, you launch a browser on your phone and enter the
code. This would work just as well from the command line on the same device.
* I've also seen apps use the authorization flow, by displaying the
authorization URL on the command line prompt and instructing the user to
open it in a browser. The redirect URI is a hosted web page that displays
the authorization code and instructs the user to paste it back at the
terminal.
* The command line app can launch an HTTP server on localhost and use that
as the redirect URL for the authorization code flow. This option ends up
being the most seamless since it works like a traditional flow without any
special instructions to the user.

----
Aaron Parecki
aaronparecki.com
@aaronpk <http://twitter.com/aaronpk>


On Sun, Jun 11, 2017 at 8:52 PM, Bill Burke <bburke@redhat.com> wrote:

> Has anybody done any spec work around doing oauth from command line
> interfaces?  We're looking for something where the auth server can generate
> text-based challenges that are rendered in the console window that query
> for simple text input over possibly multiple requests.  I'm not talking
> about Resource Owner or Client Credentials grant.  The command line client
> may not know the credential types required for a successful token request.
> It would be easy to write a simple protocol, but I'd rather just do
> something around any existing internet draft or rfc that somebody has put
> some thought into.  Hope I'm making sense here.
>
> Thanks,
>
> Bill Burke
>
> Red Hat
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
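The loopback-redirect option (the third bullet in the reply above), as an added example that is not part of the original message or of any project mentioned in this thread. It is a Python sketch of the listener a command line client would run for the authorization code flow, with two checks a CLI should not skip: a fresh `state` value bound to the pending request, and PKCE (RFC 7636), because a port on 127.0.0.1 is reachable by every other process on the machine and a code that arrives there must be tied to the request this process actually started. The authorization server endpoints and the client id are placeholders, not a real server, and the token request is assembled but not sent so the example runs offline. This loopback pattern with PKCE is the one later written up in RFC 8252.

```python
"""Loopback-redirect authorization code flow for a command line client.

Added example, not from the original message. Endpoints and client id are
placeholders for whatever the real authorization server publishes.
"""
import base64
import hashlib
import hmac
import secrets
import threading
import urllib.parse
from http.server import BaseHTTPRequestHandler, HTTPServer

# Placeholder authorization server; substitute the real issuer's metadata.
AUTHORIZE_ENDPOINT = "https://as.example/authorize"
TOKEN_ENDPOINT = "https://as.example/token"
CLIENT_ID = "cli-example"


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def pkce_challenge(verifier: str) -> str:
    """S256 transform; the AS recomputes this from code_verifier at token time."""
    return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorization_url(redirect_uri: str, scope: str):
    """Return (url, state, code_verifier). Keep state and verifier in memory only."""
    state = _b64url(secrets.token_bytes(16))
    verifier = _b64url(secrets.token_bytes(32))  # 43 chars, within RFC 7636 limits
    query = urllib.parse.urlencode({
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
        "code_challenge": pkce_challenge(verifier),
        "code_challenge_method": "S256",
    })
    return f"{AUTHORIZE_ENDPOINT}?{query}", state, verifier


class _CallbackServer(HTTPServer):
    def __init__(self, *args, **kwargs):
        super().__init__(*args, **kwargs)
        self.result = {}
        self.done = threading.Event()


class _CallbackHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        params = urllib.parse.parse_qs(urllib.parse.urlparse(self.path).query)
        self.server.result = {k: v[0] for k, v in params.items()}
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        # Never echo the code back into the page; it is a secret until exchanged.
        self.wfile.write(b"Authorization received, you may close this window.\n")
        self.server.done.set()

    def log_message(self, *args):  # keep the terminal quiet
        pass


class LoopbackListener:
    """Ephemeral port on 127.0.0.1, so the redirect never leaves the machine."""

    def __init__(self):
        self.server = _CallbackServer(("127.0.0.1", 0), _CallbackHandler)
        port = self.server.server_address[1]
        self.redirect_uri = f"http://127.0.0.1:{port}/callback"
        threading.Thread(target=self.server.serve_forever, daemon=True).start()

    def wait_for_code(self, expected_state: str, timeout: float = 120.0) -> str:
        """Block for the browser redirect; reject anything not bound to expected_state."""
        try:
            if not self.server.done.wait(timeout):
                raise TimeoutError("no redirect received on the loopback listener")
            result = self.server.result
        finally:
            self.server.shutdown()
            self.server.server_close()
        # Any local process can hit this port, so the state check is what ties
        # the delivered code to the request this process started.
        got = result.get("state", "").encode("utf-8")
        if not hmac.compare_digest(got, expected_state.encode("utf-8")):
            raise ValueError("state mismatch: redirect not bound to our request")
        if "error" in result:
            raise RuntimeError(f"authorization failed: {result['error']}")
        if not result.get("code"):
            raise ValueError("redirect carried no authorization code")
        return result["code"]


def token_request_params(code: str, verifier: str, redirect_uri: str) -> dict:
    """Form body for POST TOKEN_ENDPOINT; code_verifier proves we started the flow."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "client_id": CLIENT_ID,
        "code_verifier": verifier,
    }
```

In use, the client creates a `LoopbackListener`, calls `build_authorization_url(listener.redirect_uri, scope)`, hands the URL to `webbrowser.open` (or prints it, as in the second bullet), then calls `wait_for_code(state)` and POSTs `token_request_params(...)` as a form body to the token endpoint. The same `state` and PKCE handling applies unchanged to the paste-the-code variant; only the listener is replaced by a prompt.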