IETF Logo Mail Archive

Re: [OAUTH-WG] Combining the Native application and User-agent flows

Evan Gilbert <uidude@google.com> Fri, 23 April 2010 17:17 UTC

Return-Path: <uidude@google.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 8ED2E3A6829 for <oauth@core3.amsl.com>; Fri, 23 Apr 2010 10:17:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -100.588
X-Spam-Level:
X-Spam-Status: No, score=-100.588 tagged_above=-999 required=5 tests=[AWL=-1.212, BAYES_50=0.001, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6U9HMFk+yfdy for <oauth@core3.amsl.com>; Fri, 23 Apr 2010 10:16:53 -0700 (PDT)
Received: from smtp-out.google.com (smtp-out.google.com [74.125.121.35]) by core3.amsl.com (Postfix) with ESMTP id AEB4A3A67AB for <oauth@ietf.org>; Fri, 23 Apr 2010 10:16:48 -0700 (PDT)
Received: from wpaz21.hot.corp.google.com (wpaz21.hot.corp.google.com [172.24.198.85]) by smtp-out.google.com with ESMTP id o3NHGa4q013697 for <oauth@ietf.org>; Fri, 23 Apr 2010 19:16:37 +0200
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=google.com; s=beta; t=1272042997; bh=kYd+6hbrSNA3vNkPef6k9Z6Wucs=; h=MIME-Version:In-Reply-To:References:From:Date:Message-ID:Subject: To:Cc:Content-Type; b=n40HRhNyv2Zame/4D5bTD15el7wuDNBFkV13qyFplShysrSUKIJg0/5GHI1Tw5Nm1 5jlLk18fYxv0JQSGLIHEg==
DomainKey-Signature: a=rsa-sha1; s=beta; d=google.com; c=nofws; q=dns; h=mime-version:in-reply-to:references:from:date:message-id: subject:to:cc:content-type:x-system-of-record; b=hXBcFbdzuuBMqZOMzvO7TvOjqQaiFyrPxYTtlI2WGYv0v6URJmRoOGmPLO47kveti cdNrBFwpKG3VBW9k6j99Q==
Received: from vws18 (vws18.prod.google.com [10.241.21.146]) by wpaz21.hot.corp.google.com with ESMTP id o3NHGZYt016751 for <oauth@ietf.org>; Fri, 23 Apr 2010 10:16:35 -0700
Received: by vws18 with SMTP id 18so733341vws.32 for <oauth@ietf.org>; Fri, 23 Apr 2010 10:16:35 -0700 (PDT)
Received: by 10.229.81.81 with SMTP id w17mr437642qck.4.1272042995251; Fri, 23 Apr 2010 10:16:35 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.229.16.135 with HTTP; Fri, 23 Apr 2010 10:16:15 -0700 (PDT)
In-Reply-To: <C7EE7463.3245B%eran@hueniverse.com>
References: <z2ic8689b661004161800t7881fe6cq6848b1c5e8f1f4b5@mail.gmail.com> <C7EE7463.3245B%eran@hueniverse.com>
From: Evan Gilbert <uidude@google.com>
Date: Fri, 23 Apr 2010 10:16:15 -0700
Message-ID: <q2kc8689b661004231016gc28d591aw3cf1f38657c2d152@mail.gmail.com>
To: Eran Hammer-Lahav <eran@hueniverse.com>
Content-Type: multipart/alternative; boundary="00163646d6a2def9360484ea9644"
X-System-Of-Record: true
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Combining the Native application and User-agent flows
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 23 Apr 2010 17:17:17 -0000

On Fri, Apr 16, 2010 at 8:09 PM, Eran Hammer-Lahav <eran@hueniverse.com>wrote:

>
>
>
> On 4/16/10 6:00 PM, "Evan Gilbert" <uidude@google.com> wrote:
>
> > - Add text to the spec to give overview of options for native app
> developers
>
> I need a proposal.
>

Here's a proposal for text to cover the options for native applications

*3.8 Native Applications*
Applications running in an operating system that have the ability to launch
or embed a web browser can use any of the User Delegation flows or the End
User Credentials flow to get an access token for the user.

Some options for native applications:

   - Launch an external browser and have it redirect back to your app using
   a custom URI scheme. This works with the Web Server flow and User Agent
   flow.
   - Launch an external browser & poll for changes to the window title. This
   works with the Web Server flow with a custom redirect result page that puts
   the verification code in the title.
   - Use an embedded browser and read the redirect URL. This works with the
   Web Server flow and User Agent flow.
   - Use the Device profile with either an external or embedded browser. The
   application will open a browser and then poll the authorization server for
   results.
   - Use the Username and Password Flow and prompt the user for their
   credentials. This is generally discouraged as it hands the user's password
   directly to the 3rd party and may not work with more complex authentication
   schemes.

Factors in choosing between launching an external browser and an embedded
browser:

   - External browser may improve completion rate as the user may already be
   logged in and not have to re-enter username and password.
   - Embedded browser often has a better user flow, as you don't have to
   switch contexts and open a new window.
   - Embedded browser is less secure because users are entering their
   password in a screen within a target app.



>
> EHL
>
>

v2.23.0 | Report a Bug | By Email