Re: [OAUTH-WG] user-agent flow needs a rewrite
Eran Hammer-Lahav <eran@hueniverse.com> Tue, 13 July 2010 22:00 UTC
From: Eran Hammer-Lahav <eran@hueniverse.com>
To: Naitik Shah <n@daaku.org>
Date: Tue, 13 Jul 2010 15:00:39 -0700
Message-ID: <C8623017.37208%eran@hueniverse.com>
In-Reply-To: <AANLkTin98uuCmGfr-X0A7JrN1LfUwKlb2RF3FYhJTDev@mail.gmail.com>
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] user-agent flow needs a rewrite
This is clearly a third flow - hybrid (of user-agent and web-server) - and
not just a variant of the user-agent flow. It should be presented with its
own flow diagram and description. I also think the user-agent and web-server
flow names are misleading. They need to be replaced with more descriptive
names. Something like (I don't like these, just trying to demonstrate):
Web-server --> 2 step flow (get code, get token)
User-agent --> direct flow (get token)
Hybrid --> hybrid flow (get code and token, get token)
In an attempt to accommodate Brian's request for more concentrated flow
descriptions, I am working on coming up with some middle ground between -05
and -10.
----
As for the specification of the end-user authorization endpoint:
Please answer this based on actual use cases. When returning parameters
using the redirection URI call, which of these combinations make sense?
| Code | Token | Code & Token
---------+------+-------+--------------
Fragment | a | 1 | 3
Query | 2 | b | c
Split* | n/a | n/a | d
* token in fragment, code in query
Known use cases:
1 - current user-agent flow
2 - current web-server flow
3 - as described by Brian and Naitik
Questionable use cases:
a -
b -
c -
d - current -10 code-and-token proposal
EHL
On 7/13/10 2:27 PM, "Naitik Shah" <n@daaku.org> wrote:
> On Tue, Jul 13, 2010 at 2:06 PM, Eran Hammer-Lahav <eran@hueniverse.com>
> wrote:
>> This looks reasonable, however, I no longer see the value in the hybrid
>> mode of token and code. If the code is passed in the fragment, the client has
>> to pass it to the server. If that is the case, why can't the server reply
>> back with the access token? Is the entire purpose just a performance
>> optimization so the client doesn't have to wait for the server response
>> before it has an access token?
>>
>
> I think there are two use cases here, and they are not mutually exclusive.
> Some apps are mostly just server side, and would end up doing a full page
> refresh, and here the code in the query param would probably be acceptable.
> Some apps are mostly just client side, and here the code is irrelevant and the
> access token in the fragment is all that matters. But we also have hybrids
> where we want the code in a cookie/JS callback, and we'll also use the access
> token on the client to dynamically update the UI by accessing some protected
> data (this is what the Data enabled XFBML tags do in the Facebook JS SDK for
> instance). While the server can do the code to access_token exchange, it can't
> return it to the JS safely if it does not support https. Even if it did, it
> would mean more overhead for the developer to build an endpoint that does this
> work and cooperates with a JS SDK which wants the access_token for making API
> calls.
>
>
> -Naitik
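As an added illustration of the query/fragment table in the message (this is not code from the OAuth draft, from Eran or from Naitik), the JavaScript below parses an authorization-endpoint redirect into its query and fragment parameters, maps it onto the cells of that table, and shows which of the two artifacts the client's server ever receives. The redirect URIs and the host client.example are constructed samples; it runs as-is under Node.

```javascript
// Added example, not from the OAuth WG draft or from any message in this thread.
// It parses an end-user authorization redirect into query and fragment
// parameters, maps it onto the cells of the code/token table above, and shows
// what the client's server actually receives. All URIs here are constructed
// samples; client.example is a hypothetical client host.

// What the user agent sends to the client's server: everything except the
// fragment, which browsers never transmit (that is why the token goes there).
function serverVisiblePart(redirectUri) {
  const u = new URL(redirectUri);
  u.hash = '';
  return u.toString();
}

// Split the redirect into {query: {...}, fragment: {...}} parameter maps.
function parseRedirect(redirectUri) {
  const u = new URL(redirectUri);
  const query = Object.fromEntries(new URLSearchParams(u.search));
  const fragment = Object.fromEntries(new URLSearchParams(u.hash.replace(/^#/, '')));
  return { query, fragment };
}

// Map a redirect onto the table in the message:
//   1 token in fragment                 (current user-agent flow)
//   2 code in query                     (current web-server flow)
//   3 code and token in fragment        (Brian's and Naitik's hybrid)
//   d code in query, token in fragment  (-10 code-and-token proposal)
//   a, b, c: the questionable cells
//   'none': neither parameter present, or a parameter duplicated across both parts
function classifyRedirect(redirectUri) {
  const { query, fragment } = parseRedirect(redirectUri);
  const codeQ = 'code' in query;
  const codeF = 'code' in fragment;
  const tokQ = 'access_token' in query;
  const tokF = 'access_token' in fragment;

  if (!codeQ && !tokQ) {                 // fragment-only cells
    if (codeF && tokF) return '3';
    if (tokF) return '1';
    if (codeF) return 'a';
    return 'none';
  }
  if (!codeF && !tokF) {                 // query-only cells
    if (codeQ && tokQ) return 'c';
    if (codeQ) return '2';
    return 'b';
  }
  if (codeQ && tokF && !codeF && !tokQ) return 'd';   // the split row
  return 'none';
}

// Which of the two artifacts the client's server receives on the redirect.
// A token visible here (cells b, c) lands in access logs and in the Referer
// header of every outbound request made by the landing page.
function serverSees(redirectUri) {
  const params = new URL(serverVisiblePart(redirectUri)).searchParams;
  return { code: params.has('code'), accessToken: params.has('access_token') };
}

// Constructed sample redirects, one per cell discussed in the thread.
const SAMPLE_REDIRECTS = {
  userAgent:    'https://client.example/cb#access_token=tok1&expires_in=3600',
  webServer:    'https://client.example/cb?code=c1',
  hybrid:       'https://client.example/cb#code=c1&access_token=tok1',
  split:        'https://client.example/cb?code=c1#access_token=tok1',
  tokenInQuery: 'https://client.example/cb?access_token=tok1',
};

// Summarize every sample: table cell plus what the server gets to see.
function summarize(samples = SAMPLE_REDIRECTS) {
  const out = {};
  for (const [name, uri] of Object.entries(samples)) {
    out[name] = { cell: classifyRedirect(uri), ...serverSees(uri) };
  }
  return out;
}

console.log(JSON.stringify(summarize(), null, 2));
```

The summary makes Eran's objection to cell 3 concrete: with both code and token in the fragment, serverSees() reports that the server receives neither, so the page's JavaScript has to relay the code itself (the cookie or JS-callback hand-off Naitik describes), whereas in cell d the server gets the code on the redirect and the token still never leaves the browser. Cells b and c are the ones where the token appears in the server-visible part of the URI.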