IETF Logo Mail Archive

Re: [OAUTH-WG] Draft -12 feedback deadline

Justin Richer <jricher@mitre.org> Wed, 16 February 2011 20:20 UTC

Return-Path: <jricher@mitre.org>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 6601F3A6CE3 for <oauth@core3.amsl.com>; Wed, 16 Feb 2011 12:20:08 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RuxD2aMDBIfs for <oauth@core3.amsl.com>; Wed, 16 Feb 2011 12:20:06 -0800 (PST)
Received: from smtpksrv1.mitre.org (smtpksrv1.mitre.org [198.49.146.77]) by core3.amsl.com (Postfix) with ESMTP id 0B83A3A6C32 for <oauth@ietf.org>; Wed, 16 Feb 2011 12:20:05 -0800 (PST)
Received: from smtpksrv1.mitre.org (localhost.localdomain [127.0.0.1]) by localhost (Postfix) with SMTP id 6B97A21B06C3 for <oauth@ietf.org>; Wed, 16 Feb 2011 15:20:34 -0500 (EST)
Received: from imchub2.MITRE.ORG (imchub2.mitre.org [129.83.29.74]) by smtpksrv1.mitre.org (Postfix) with ESMTP id 66B3421B0047 for <oauth@ietf.org>; Wed, 16 Feb 2011 15:20:34 -0500 (EST)
Received: from [129.83.50.1] (129.83.50.1) by imchub2.MITRE.ORG (129.83.29.74) with Microsoft SMTP Server (TLS) id 8.2.254.0; Wed, 16 Feb 2011 15:20:33 -0500
Message-ID: <4D5C3192.5020508@mitre.org>
Date: Wed, 16 Feb 2011 15:20:34 -0500
From: Justin Richer <jricher@mitre.org>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20101207 Thunderbird/3.1.7
MIME-Version: 1.0
To: oauth@ietf.org
References: <90C41DD21FB7C64BB94121FBBC2E723445A8D6254D@P3PW5EX1MB01.EX1.SECURESERVER.NET> <AANLkTinMjQW26mLkoN7oMdLWLGAHp0_O9LbVi13RpMJB@mail.gmail.com> <90C41DD21FB7C64BB94121FBBC2E723445A91D3EE9@P3PW5EX1MB01.EX1.SECURESERVER.NET> <AANLkTimjWkO8o+z+P=AKpyYkSjTh6oS7uM9N0JwR_vR6@mail.gmail.com> <90C41DD21FB7C64BB94121FBBC2E723445A91D3F44@P3PW5EX1MB01.EX1.SECURESERVER.NET> <AANLkTi=tvwsR=_EhPRkYEwC+ERwRCNN2aAWDqRDvwx8B@mail.gmail.com> <FFDFD7371D517847AD71FBB08F9A315638493F514F@SP2-EX07VS06.ds.corp.yahoo.com> <AANLkTimxhoK1vt8HwSF9dvu4Z5xjqrLLb2SULj9pp=9b@mail.gmail.com> <AANLkTi=DtgpWNyEKBg=0GhOWuqSvzF5q0SJQgfZNRm8M@mail.gmail.com>
In-Reply-To: <AANLkTi=DtgpWNyEKBg=0GhOWuqSvzF5q0SJQgfZNRm8M@mail.gmail.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Subject: Re: [OAUTH-WG] Draft -12 feedback deadline
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 16 Feb 2011 20:20:08 -0000

The implicit grant still requires a redirect of some kind, so many 
native apps can just as easily use the web server flow as the implicit 
flow. I personally don't see how the implicit flow is better suited than 
the web flow in this case. However, neither of these are ideally suited 
for native apps without a few tricks, which is the native apps extension 
that Marius is working on, to get the token back to the native app. From 
what I can see, the real question here is dealing with cases where a 
redirect doesn't actually make any sense. In those cases, I'd rather see 
a separate flow profiled end to end than to have hacks like the 
"uri:oob" put in place to patch it into an existing spot.

  -- Justin

On 2/16/2011 3:07 PM, Brian Campbell wrote:
> Exactly Marius, and in most cases the app will want to procure a
> refresh token as a result of the dance so it won't have to put the
> user though the authorization process again and again.  Unless I'm
> mistaken, the implicit grant provides no means of obtaining a refresh
> token (http://tools.ietf.org/html/draft-ietf-oauth-v2-13#section-4.2.2)
>   So unless the access tokens themselves are extremely long lived, the
> implicit grant flow doesn't seem very useful to native clients.
>
> I've heard a number of people suggest the native client ->  implicit
> grant thing but it doesn't make sense to me.  Is there something I'm
> not seeing?
>
> On Wed, Feb 16, 2011 at 12:14 PM, Marius Scurtescu
> <mscurtescu@google.com>  wrote:
>> On Wed, Feb 16, 2011 at 11:06 AM, William Mills<wmills@yahoo-inc.com>  wrote:
>>> Token endpoint with username/password credential doesn't solve this?  Depends on the auth scheme of course, but Bearer should provide a solution?
>> Not at all, in most case native apps must use the browser based 3-legged dance.
>>
>> Marius
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

v2.39.1 | Report a Bug | By Email | System Status