Re: [OAUTH-WG] User-Agent flow and refresh tokens
Torsten Lodderstedt <torsten@lodderstedt.net> Tue, 21 September 2010 07:42 UTC
Return-Path: <torsten@lodderstedt.net>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 5DB4D3A692A for <oauth@core3.amsl.com>; Tue, 21 Sep 2010 00:42:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.433
X-Spam-Level:
X-Spam-Status: No, score=-1.433 tagged_above=-999 required=5 tests=[AWL=0.816, BAYES_00=-2.599, HELO_EQ_DE=0.35]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tVamtukZG3jI for <oauth@core3.amsl.com>; Tue, 21 Sep 2010 00:42:26 -0700 (PDT)
Received: from smtprelay02.ispgateway.de (smtprelay02.ispgateway.de [80.67.31.36]) by core3.amsl.com (Postfix) with ESMTP id F040A3A67FA for <oauth@ietf.org>; Tue, 21 Sep 2010 00:42:25 -0700 (PDT)
Received: from [80.187.151.78] (helo=[127.0.0.1]) by smtprelay02.ispgateway.de with esmtpa (Exim 4.68) (envelope-from <torsten@lodderstedt.net>) id 1OxxV1-0008EX-Mv; Tue, 21 Sep 2010 09:42:47 +0200
Message-ID: <4C9861F0.4070500@lodderstedt.net>
Date: Tue, 21 Sep 2010 09:42:40 +0200
From: Torsten Lodderstedt <torsten@lodderstedt.net>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; de; rv:1.9.2.9) Gecko/20100915 Thunderbird/3.1.4
MIME-Version: 1.0
To: Luke Shepard <lshepard@facebook.com>
References: <4C913EE3.90704@lodderstedt.net> <AANLkTikJGDUKCfiPiN_rAVXmbPF0SBN_sKNQFHw6-oqj@mail.gmail.com> <AANLkTime0dayBq1k+ee7xNp3pkBE2-Ltn-i=LNh0-XvB@mail.gmail.com> <0B18D334-441B-48C0-8836-8F285404B53F@lodderstedt.net> <AANLkTimL1TL57iJ5MOJTcEmog5e-9vjZNCOAyKLS4Dt1@mail.gmail.com> <6A068F15-5B15-444E-AAC3-354EFB866A4A@lodderstedt.net> <AANLkTi=KpHx0+k+Lu=0ykDVYUpvd2cWmbBFMeRMwp2uj@mail.gmail.com> <4C961E36.1090506@lodderstedt.net> <AANLkTinpgRLXVy4r8w2OSLrh=usnHwXqCG_=P-JDjHbK@mail.gmail.com> <37E6A7D2-000F-40A1-87A7-0C419C406A6E@facebook.com>
In-Reply-To: <37E6A7D2-000F-40A1-87A7-0C419C406A6E@facebook.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Df-Sender: 141509
Cc: "OAuth WG (oauth@ietf.org)" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] User-Agent flow and refresh tokens
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 21 Sep 2010 07:42:27 -0000
Am 20.09.2010 07:34, schrieb Luke Shepard: >> Yes, Facebook is recommending the User-Agent flow for desktop >> > applications. This works for them because access tokens issued by >> > Facebook are not short lived, I don't think they expire. The desktop >> > app does not need a refresh token. >> > >> > If the authz server is issuing short lived access tokens and also >> > refresh tokens then the user-agent profile does not work so well >> > anymore. As far as I can tell in this case there is no reason to use >> > this profile with desktop apps, just use the web server profile. >> > > That's true. Although code_and_token is intended to solve that - you get the access token in the response, and then you can use the code to exchange for a refresh token on the server side if you need longer term access. There's no reason for a user agent to ever have a refresh token (since the performance optimization doesn't make sense when you are refreshing after an expiration period) > Sorry for being persistent, but I want to understand what the benefit of the user agent flow is. I'm assuming their is a benefit beyond supporting JavaScript clients. But this benefit is not really transparent to me. And by the way, that was one of the questions raised (and not completely answered) at IETF 78. In my understanding of all the discussions on the list, the major difference to the web server flow is that the client does not need to have an active server side in order to obtain tokens, just a static responder page. Tokens are directly transfered on the (HTTPS protected) direct communication link to the authorization server, which also result in performance and load optimizations. Why doesn't it make sense to obtain refresh tokens that way while it make sense to issue long-living access tokens? Would you please comment? regards, Torsten.
- [OAUTH-WG] User-Agent flow and refresh tokens Torsten Lodderstedt
- Re: [OAUTH-WG] User-Agent flow and refresh tokens Marius Scurtescu
- Re: [OAUTH-WG] User-Agent flow and refresh tokens Andrew Arnott
- Re: [OAUTH-WG] User-Agent flow and refresh tokens Torsten Lodderstedt
- Re: [OAUTH-WG] User-Agent flow and refresh tokens Marius Scurtescu
- Re: [OAUTH-WG] User-Agent flow and refresh tokens Torsten Lodderstedt
- Re: [OAUTH-WG] User-Agent flow and refresh tokens Marius Scurtescu
- Re: [OAUTH-WG] User-Agent flow and refresh tokens Kris Selden
- Re: [OAUTH-WG] User-Agent flow and refresh tokens Torsten Lodderstedt
- Re: [OAUTH-WG] User-Agent flow and refresh tokens Torsten Lodderstedt
- Re: [OAUTH-WG] User-Agent flow and refresh tokens Marius Scurtescu
- Re: [OAUTH-WG] User-Agent flow and refresh tokens Luke Shepard
- Re: [OAUTH-WG] User-Agent flow and refresh tokens Kris Selden
- Re: [OAUTH-WG] User-Agent flow and refresh tokens Torsten Lodderstedt