Re: [OAUTH-WG] Device Profile

"Shafi, Saleem" <mshafi@paypal.com> Tue, 16 March 2010 19:19 UTC

From: "Shafi, Saleem" <mshafi@paypal.com>
To: Brent Goldman <brent@facebook.com>, "OAuth WG (oauth@ietf.org)" <oauth@ietf.org>
Date: Tue, 16 Mar 2010 12:19:48 -0700
Thread-Topic: Device Profile
Thread-Index: AcrBBY9CyqPQQpiETL2yGqJ87nEJnwEN0g6Q
Message-ID: <854035E628BF9B4C9688EB1400DAAC72BD3CA160@RHV-MEXMS-002.corp.ebay.com>
References: <4603A1CF-ED1B-4CE3-8EEE-53599B2E177A@facebook.com>
In-Reply-To: <4603A1CF-ED1B-4CE3-8EEE-53599B2E177A@facebook.com>

Hello..
 
Is there any interest in being able to respond with multiple oauth_verification_url values?  I can foresee the possibility of the Authorization Server being able to support browser-based user verification (http/https) or text messages (assuming we could authenticate the user on sending the SMS)..  Letting the authorization server return multiple URLs could give the client/user more options..
 
Also, would there be room in this profile for a scenario where the user verification code isn't returned to the client, but rather sent to the user directly?  If the initial request that the client makes includes some identifier for the user and the authorization server has contact information for that user, could the AS inform the user (via email, sms, IVR, etc) of a one-time user code that they would enter into the device*?  It's sort of the reverse model, but it should still establish a connection between the device, AS and user..  This profile might make sense where the device has very simple data entry options and the user might not be near a browser-capable device..
 
Saleem.

*Eve points out that this is somewhat similar to the verification_code addition in the OAuth 1.0a spec to protect against session-fixation attacks (http://hueniverse.com/2009/04/explaining-the-oauth-session-fixation-attack/), especially the way it's communicated in WRAP's Rich App profile when the app in question can't be contacted by the AS with a URL..


-----Original Message-----
From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of Brent Goldman
Sent: Thursday, March 11, 2010 4:28 AM
To: OAuth WG (oauth@ietf.org)
Subject: [OAUTH-WG] Device Profile

Over the past couple days, Luke Shepard, David Recordon, and I have been brainstorming an OAuth profile for standardizing the flow that devices such as game consoles and entertainment centers use to hook up with services such as Netflix and iTunes. The basic flow is that a device can gain authorization by directing the user to visit a URL on their computer and to enter a verification code copied from the device's screen.

A draft spec is attached to this email. Any thoughts or feedback?

Note: this is one of the many profiles going into the OAuth 2.0 draft that David is writing (http://daveman692.livejournal.com/349384.html).

-Brent
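The flow Brent outlines (device shows a code, user enters it at a verification URL, device is then authorized) and Saleem's suggestion of returning several oauth_verification_url values can be walked through end to end in a small in-memory simulation. The code below is an added example written for this archive page; it is not the draft spec attached to Brent's mail (which is not on the page) and not code from Facebook, PayPal or the OAuth WG. Only oauth_verification_url comes from the thread; every other parameter and error name (device_code, user_code, authorization_pending, slow_down, expired_token, access_denied, invalid_grant), the endpoint behaviour, the client id, user names and the sms: entry in the URL list are assumptions for illustration. The security properties it makes concrete are the ones that matter on the authorization-server side: the user never types credentials into the device, the short user code is single-use and bound to a high-entropy device code, the token is issued once and only to the client that started the flow, and both codes expire. Binding the user's approval to the code the device displayed is also why this shape resists the session-fixation problem Saleem's footnote mentions.

```python
"""In-memory simulation of an OAuth device flow (added example, not the draft spec).

Names other than oauth_verification_url are assumptions; RFC 8628 later
standardized similar names (device_code, user_code, verification_uri).
"""
import secrets
import time

# Consonants only: no vowels, so random codes cannot spell words, and no
# characters that are easy to confuse on a TV screen (assumption).
USER_CODE_ALPHABET = "BCDFGHJKLMNPQRSTVWXZ"


class FakeClock:
    """Injectable clock so expiry and poll-interval rules can be exercised offline."""

    def __init__(self, start=1000.0):
        self.t = start

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


class DeviceAuthorizationServer:
    """Authorization Server side of the device flow (simulated, hypothetical API)."""

    def __init__(self, verification_urls, code_lifetime=600, interval=5, now=time.time):
        self.verification_urls = list(verification_urls)  # several, per Saleem's suggestion
        self.code_lifetime = code_lifetime  # seconds until both codes die
        self.interval = interval            # minimum seconds between device polls
        self.now = now
        self._by_device_code = {}           # device_code -> pending record
        self._by_user_code = {}             # user_code -> device_code

    def device_authorization(self, client_id, scope):
        """Step 1: the device asks for codes. device_code is a secret only the
        device holds; user_code is short enough to type from a remote control."""
        device_code = secrets.token_urlsafe(32)
        user_code = "".join(secrets.choice(USER_CODE_ALPHABET) for _ in range(8))
        self._by_device_code[device_code] = {
            "client_id": client_id, "scope": scope, "user_code": user_code,
            "status": "pending", "user": None,
            "expires_at": self.now() + self.code_lifetime, "last_poll": None,
        }
        self._by_user_code[user_code] = device_code
        return {
            "device_code": device_code,
            "user_code": user_code,
            "oauth_verification_url": self.verification_urls,
            "expires_in": self.code_lifetime,
            "interval": self.interval,
        }

    def verify(self, user_code, authenticated_user, approve=True):
        """Step 2: the verification endpoint, reached by the user over a channel
        the AS trusts (browser or SMS) *after* the AS has authenticated them.
        Returns False for unknown, already-used or expired codes."""
        device_code = self._by_user_code.pop(user_code.strip().upper(), None)  # single use
        if device_code is None:
            return False
        record = self._by_device_code[device_code]
        if self.now() > record["expires_at"]:
            del self._by_device_code[device_code]
            return False
        record["user"] = authenticated_user
        record["status"] = "approved" if approve else "denied"
        return True

    def token(self, client_id, device_code):
        """Step 3: the device polls. A token is issued once, to the starting client
        only, and is bound to the user who approved the code."""
        record = self._by_device_code.get(device_code)
        if record is None or record["client_id"] != client_id:
            return {"error": "invalid_grant"}
        t = self.now()
        if t > record["expires_at"]:
            self._forget(device_code)
            return {"error": "expired_token"}
        if record["last_poll"] is not None and t - record["last_poll"] < self.interval:
            record["last_poll"] = t
            return {"error": "slow_down"}  # device is polling too fast
        record["last_poll"] = t
        if record["status"] == "pending":
            return {"error": "authorization_pending"}
        self._forget(device_code)  # approved or denied: the codes are spent either way
        if record["status"] == "denied":
            return {"error": "access_denied"}
        return {"access_token": secrets.token_urlsafe(32),
                "user": record["user"], "scope": record["scope"]}

    def _forget(self, device_code):
        record = self._by_device_code.pop(device_code, None)
        if record:
            self._by_user_code.pop(record["user_code"], None)


def run_flow(approve=True, clock=None):
    """Walk device, user and AS through one complete exchange (constructed sample)."""
    clock = clock or FakeClock()
    srv = DeviceAuthorizationServer(
        ["https://as.example/device", "sms:+15550100"], now=clock)  # constructed URLs
    resp = srv.device_authorization("console-app", "read")
    srv.token("console-app", resp["device_code"])      # -> authorization_pending
    clock.advance(srv.interval)
    srv.verify(resp["user_code"], "alice", approve)    # user acts on a trusted channel
    return srv.token("console-app", resp["device_code"])


if __name__ == "__main__":
    print(run_flow())
```

The device never sees "alice" or her password; it only learns the outcome through the token response, and a second poll after the token was issued is refused because the record is gone. Saleem's reverse model (AS delivers the one-time code to the user, who types it into the device) would reuse the same record and the same single-use and expiry rules, with the device submitting the code instead of displaying it.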