Re: [OAUTH-WG] Combining the Native application and User-agent flows
Evan Gilbert <uidude@google.com> Fri, 23 April 2010 17:17 UTC
Return-Path: <uidude@google.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 8ED2E3A6829 for <oauth@core3.amsl.com>; Fri, 23 Apr 2010 10:17:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -100.588
X-Spam-Level:
X-Spam-Status: No, score=-100.588 tagged_above=-999 required=5 tests=[AWL=-1.212, BAYES_50=0.001, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6U9HMFk+yfdy for <oauth@core3.amsl.com>; Fri, 23 Apr 2010 10:16:53 -0700 (PDT)
Received: from smtp-out.google.com (smtp-out.google.com [74.125.121.35]) by core3.amsl.com (Postfix) with ESMTP id AEB4A3A67AB for <oauth@ietf.org>; Fri, 23 Apr 2010 10:16:48 -0700 (PDT)
Received: from wpaz21.hot.corp.google.com (wpaz21.hot.corp.google.com [172.24.198.85]) by smtp-out.google.com with ESMTP id o3NHGa4q013697 for <oauth@ietf.org>; Fri, 23 Apr 2010 19:16:37 +0200
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=google.com; s=beta; t=1272042997; bh=kYd+6hbrSNA3vNkPef6k9Z6Wucs=; h=MIME-Version:In-Reply-To:References:From:Date:Message-ID:Subject: To:Cc:Content-Type; b=n40HRhNyv2Zame/4D5bTD15el7wuDNBFkV13qyFplShysrSUKIJg0/5GHI1Tw5Nm1 5jlLk18fYxv0JQSGLIHEg==
DomainKey-Signature: a=rsa-sha1; s=beta; d=google.com; c=nofws; q=dns; h=mime-version:in-reply-to:references:from:date:message-id: subject:to:cc:content-type:x-system-of-record; b=hXBcFbdzuuBMqZOMzvO7TvOjqQaiFyrPxYTtlI2WGYv0v6URJmRoOGmPLO47kveti cdNrBFwpKG3VBW9k6j99Q==
Received: from vws18 (vws18.prod.google.com [10.241.21.146]) by wpaz21.hot.corp.google.com with ESMTP id o3NHGZYt016751 for <oauth@ietf.org>; Fri, 23 Apr 2010 10:16:35 -0700
Received: by vws18 with SMTP id 18so733341vws.32 for <oauth@ietf.org>; Fri, 23 Apr 2010 10:16:35 -0700 (PDT)
Received: by 10.229.81.81 with SMTP id w17mr437642qck.4.1272042995251; Fri, 23 Apr 2010 10:16:35 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.229.16.135 with HTTP; Fri, 23 Apr 2010 10:16:15 -0700 (PDT)
In-Reply-To: <C7EE7463.3245B%eran@hueniverse.com>
References: <z2ic8689b661004161800t7881fe6cq6848b1c5e8f1f4b5@mail.gmail.com> <C7EE7463.3245B%eran@hueniverse.com>
From: Evan Gilbert <uidude@google.com>
Date: Fri, 23 Apr 2010 10:16:15 -0700
Message-ID: <q2kc8689b661004231016gc28d591aw3cf1f38657c2d152@mail.gmail.com>
To: Eran Hammer-Lahav <eran@hueniverse.com>
Content-Type: multipart/alternative; boundary="00163646d6a2def9360484ea9644"
X-System-Of-Record: true
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Combining the Native application and User-agent flows
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 23 Apr 2010 17:17:17 -0000
On Fri, Apr 16, 2010 at 8:09 PM, Eran Hammer-Lahav <eran@hueniverse.com>wrote: > > > > On 4/16/10 6:00 PM, "Evan Gilbert" <uidude@google.com> wrote: > > > - Add text to the spec to give overview of options for native app > developers > > I need a proposal. > Here's a proposal for text to cover the options for native applications *3.8 Native Applications* Applications running in an operating system that have the ability to launch or embed a web browser can use any of the User Delegation flows or the End User Credentials flow to get an access token for the user. Some options for native applications: - Launch an external browser and have it redirect back to your app using a custom URI scheme. This works with the Web Server flow and User Agent flow. - Launch an external browser & poll for changes to the window title. This works with the Web Server flow with a custom redirect result page that puts the verification code in the title. - Use an embedded browser and read the redirect URL. This works with the Web Server flow and User Agent flow. - Use the Device profile with either an external or embedded browser. The application will open a browser and then poll the authorization server for results. - Use the Username and Password Flow and prompt the user for their credentials. This is generally discouraged as it hands the user's password directly to the 3rd party and may not work with more complex authentication schemes. Factors in choosing between launching an external browser and an embedded browser: - External browser may improve completion rate as the user may already be logged in and not have to re-enter username and password. - Embedded browser often has a better user flow, as you don't have to switch contexts and open a new window. - Embedded browser is less secure because users are entering their password in a screen within a target app. > > EHL > >
- [OAUTH-WG] Combining the Native application and U… Luke Shepard
- Re: [OAUTH-WG] Combining the Native application a… Luke Shepard
- Re: [OAUTH-WG] Combining the Native application a… Chuck Mortimore
- Re: [OAUTH-WG] Combining the Native application a… Marius Scurtescu
- Re: [OAUTH-WG] Combining the Native application a… Chuck Mortimore
- Re: [OAUTH-WG] Combining the Native application a… Marius Scurtescu
- Re: [OAUTH-WG] Combining the Native application a… Chuck Mortimore
- Re: [OAUTH-WG] Combining the Native application a… Luke Shepard
- Re: [OAUTH-WG] Combining the Native application a… Luke Shepard
- Re: [OAUTH-WG] Combining the Native application a… Allen Tom
- Re: [OAUTH-WG] Combining the Native application a… Marius Scurtescu
- Re: [OAUTH-WG] Combining the Native application a… Marius Scurtescu
- Re: [OAUTH-WG] Combining the Native application a… Marius Scurtescu
- Re: [OAUTH-WG] Combining the Native application a… Chuck Mortimore
- Re: [OAUTH-WG] Combining the Native application a… Brian Eaton
- Re: [OAUTH-WG] Combining the Native application a… Brian Eaton
- Re: [OAUTH-WG] Combining the Native application a… Eran Hammer-Lahav
- Re: [OAUTH-WG] Combining the Native application a… Eran Hammer-Lahav
- Re: [OAUTH-WG] Combining the Native application a… Mark Mcgloin
- Re: [OAUTH-WG] Combining the Native application a… Marius Scurtescu
- Re: [OAUTH-WG] Combining the Native application a… Mark Mcgloin
- Re: [OAUTH-WG] Combining the Native application a… Evan Gilbert
- Re: [OAUTH-WG] Combining the Native application a… Eran Hammer-Lahav
- Re: [OAUTH-WG] Combining the Native application a… Evan Gilbert