Re: [OAUTH-WG] Assertion flow: please add optional refresh_token in response
Dick Hardt <dick.hardt@gmail.com> Tue, 15 June 2010 06:07 UTC
Return-Path: <dick.hardt@gmail.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id A5D5B3A67E5 for <oauth@core3.amsl.com>; Mon, 14 Jun 2010 23:07:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.288
X-Spam-Level:
X-Spam-Status: No, score=-2.288 tagged_above=-999 required=5 tests=[AWL=0.311, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XN0MpZNI-jpX for <oauth@core3.amsl.com>; Mon, 14 Jun 2010 23:07:02 -0700 (PDT)
Received: from mail-px0-f172.google.com (mail-px0-f172.google.com [209.85.212.172]) by core3.amsl.com (Postfix) with ESMTP id 7C6EE3A6862 for <oauth@ietf.org>; Mon, 14 Jun 2010 23:07:02 -0700 (PDT)
Received: by pxi5 with SMTP id 5so1112288pxi.31 for <oauth@ietf.org>; Mon, 14 Jun 2010 23:07:02 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:subject:mime-version :content-type:from:in-reply-to:date:cc:content-transfer-encoding :message-id:references:to:x-mailer; bh=mDj/+QxL4nsqjnMAQm2e7pgqKZ/W89lFnhDcgqA9PEs=; b=wKm9LCKh3kO8e3Cirep9hLVOJtO+G0D4wGblPEjxAeirCBApaonVDiVmg80hP06uf0 SsgOK2ym5wPLOSaWQp2VbsmFBJlG/Via1s9cQA9n+ZE8rJR8X9JraVl4CwkvqMXcbYda W4oYZkhlHHraOBiwGCUKJtqM4ahQowULyMMJE=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=subject:mime-version:content-type:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to:x-mailer; b=mxDd0by3pz9M+O284joPsfKUvrYDzw24esTjfGiDDuFbUaUDahom+6Zl6DtNmcXfj2 ha6p7QwsiaiFd3OPjlTV927yeII9D2A4XjRd8sV2j9ZPvwgbQX922lqrXVUdMvOEeBLP rmrk1+VziVs2BR4EZCmkarTj/JLraQev/KvUs=
Received: by 10.140.180.20 with SMTP id c20mr5376446rvf.76.1276581619574; Mon, 14 Jun 2010 23:00:19 -0700 (PDT)
Received: from [192.168.1.5] (c-24-130-32-55.hsd1.ca.comcast.net [24.130.32.55]) by mx.google.com with ESMTPS id o38sm5475097rvp.2.2010.06.14.23.00.17 (version=TLSv1/SSLv3 cipher=RC4-MD5); Mon, 14 Jun 2010 23:00:18 -0700 (PDT)
Mime-Version: 1.0 (Apple Message framework v1078)
Content-Type: text/plain; charset="us-ascii"
From: Dick Hardt <dick.hardt@gmail.com>
In-Reply-To: <AANLkTimkNRuv_iiVFupLf4YQ0aYOEH3giuyzD7DM3ip-@mail.gmail.com>
Date: Mon, 14 Jun 2010 23:00:16 -0700
Content-Transfer-Encoding: quoted-printable
Message-Id: <7F00C2CF-E57F-4341-BBA4-7B03B69277D6@gmail.com>
References: <AANLkTil1viRqVgwJzmq7N1W21TPeT5RuclBF5DmPvVVM@mail.gmail.com> <AANLkTimkNRuv_iiVFupLf4YQ0aYOEH3giuyzD7DM3ip-@mail.gmail.com>
To: Brian Eaton <beaton@google.com>
X-Mailer: Apple Mail (2.1078)
Cc: "OAuth WG (oauth@ietf.org)" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Assertion flow: please add optional refresh_token in response
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 15 Jun 2010 06:07:03 -0000
+1 On 2010-06-14, at 9:02 PM, Brian Eaton wrote: > On Mon, Jun 14, 2010 at 8:31 PM, Andrew Arnott <andrewarnott@gmail.com> wrote: >> For an application I'm building, the installed client app will have >> intermittent windows of time where it can obtain a (non-OAuth) assertion for >> user identity. During this time, it seems appropriate for it to use the >> assertion flow to obtain an OAuth authorization so that it can impersonate >> the user. So far this is just standard Assertion Flow stuff. But without a >> refresh_token, the app will break when the access token expires if the app >> doesn't have the ability at the moment (due to not being on the corporate >> network at the moment for example) to obtain a new assertion. Since the >> security model for this app would certainly allow for a refresh_token to be >> issued from the original OAuth authorization server exchange, this would >> solve it, if the spec didn't specifically ban such a parameter. > > I think this is a different use case than the one envisioned by most > people who are using the assertion flow. > > I'm inclined to steer different use cases to different profiles. It > makes it much easier to guide deployments, for example. > > Cheers, > Brian > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth
- Re: [OAUTH-WG] Assertion flow: please add optiona… Brian Eaton
- [OAUTH-WG] Assertion flow: please add optional re… Andrew Arnott
- Re: [OAUTH-WG] Assertion flow: please add optiona… Eran Hammer-Lahav
- Re: [OAUTH-WG] Assertion flow: please add optiona… Dick Hardt
- Re: [OAUTH-WG] Assertion flow: please add optiona… Andrew Arnott
- Re: [OAUTH-WG] Assertion flow: please add optiona… Andrew Arnott
- Re: [OAUTH-WG] Assertion flow: please add optiona… Dick Hardt
- Re: [OAUTH-WG] Assertion flow: please add optiona… Dick Hardt
- Re: [OAUTH-WG] Assertion flow: please add optiona… Andrew Arnott
- Re: [OAUTH-WG] Assertion flow: please add optiona… George Fletcher
- Re: [OAUTH-WG] Assertion flow: please add optiona… Torsten Lodderstedt
- Re: [OAUTH-WG] Assertion flow: please add optiona… Brian Eaton
- Re: [OAUTH-WG] Assertion flow: please add optiona… Torsten Lodderstedt