IETF Logo Mail Archive

Re: [OAUTH-WG] native app support (was: Next draft)

Torsten Lodderstedt <torsten@lodderstedt.net> Wed, 09 June 2010 07:42 UTC

Return-Path: <torsten@lodderstedt.net>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 85AB828C0D9 for <oauth@core3.amsl.com>; Wed, 9 Jun 2010 00:42:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.042
X-Spam-Level:
X-Spam-Status: No, score=-1.042 tagged_above=-999 required=5 tests=[AWL=-1.207, BAYES_40=-0.185, HELO_EQ_DE=0.35]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2blbzbE53ZaB for <oauth@core3.amsl.com>; Wed, 9 Jun 2010 00:42:37 -0700 (PDT)
Received: from smtprelay04.ispgateway.de (smtprelay04.ispgateway.de [80.67.31.27]) by core3.amsl.com (Postfix) with ESMTP id 426203A6916 for <oauth@ietf.org>; Wed, 9 Jun 2010 00:42:36 -0700 (PDT)
Received: from p4fff1dc2.dip.t-dialin.net ([79.255.29.194] helo=[127.0.0.1]) by smtprelay04.ispgateway.de with esmtpa (Exim 4.68) (envelope-from <torsten@lodderstedt.net>) id 1OMFvp-0000VG-62; Wed, 09 Jun 2010 09:42:37 +0200
Message-ID: <4C0F45EC.4050707@lodderstedt.net>
Date: Wed, 09 Jun 2010 09:42:36 +0200
From: Torsten Lodderstedt <torsten@lodderstedt.net>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; de; rv:1.9.1.9) Gecko/20100317 Thunderbird/3.0.4
MIME-Version: 1.0
To: Marius Scurtescu <mscurtescu@google.com>
References: <AANLkTikkG3T_DYKhjMbyYayi7SzZel3RJXFSguxq7SSZ@mail.gmail.com>
In-Reply-To: <AANLkTikkG3T_DYKhjMbyYayi7SzZel3RJXFSguxq7SSZ@mail.gmail.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Df-Sender: 141509
Cc: "OAuth WG (oauth@ietf.org)" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] native app support (was: Next draft)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 09 Jun 2010 07:42:38 -0000

1) +1
2) +1 - Oauth 1.0a had "oob", why not for that purpose
3) I would rather add the user_code as optional URL parameter to the 
device flow.
4) What about an additional best practices document?

regards,
Torsten.

Am 08.06.2010 19:46, schrieb Marius Scurtescu:
> In order to properly support native applications I suggest the
> following changes:
>
> 1. client_name
>
> In all flows when client_id is sent also allow for an optional
> client_name. This optional parameter is meant as a display name for
> the client, and it is useful in all unregistered cases, not only for
> native apps.
>
> If the client is unregistered then most likely the authz server will
> require that client_id be set to a predefined value like "anonymous".
> The approval page does need a client name so it can tell the user who
> it is granting access for.
>
>
> 2. optional redirect_uri (default result page)
>
> Some native apps do not have a redirect_uri, as a result two things are needed:
>
> 2.1 Either make redirect_uri optional or define a standard value that
> signals that the client does not have such a page.
>
> 2.2 The authz server must supply a default result page, if there is no
> redirect_uri. Also, this page should put the verification code and the
> client state (code and state) in the page title in a standard way such
> that the native app can extract them from the window title. WRAP
> defined how the title should be formed.
>
>
> 3. device flow should be able to start user-agent
>
> The device flow can be used by native apps in which case there is a
> browser on the device. This flow should be able to start a browser and
> directly take the user to the end-user verification URI with the user
> code added as a query parameter (so the user is not required to do any
> manual entry). This is sort of possible right now, but the handler
> behind verification_uri must expect an optional user_code (in which
> case it should not prompt the user).
>
>
> 4. section with guidance for native apps
>
> I think the spec needs a section that explains how native apps can be
> used with OAuth 2. Not sure if it is worth getting into pros and cons
> for each flow, but all flows can be used.
>
>
> Marius
>
>
>
> On Mon, Jun 7, 2010 at 8:44 AM, Eran Hammer-Lahav<eran@hueniverse.com>  wrote:
>    
>> I still need to catch up on the list (I took a little break). I plan to post a new draft this week incorporating many editorial changes discussed at the interim meeting. I am also planning of removing some non-stable features (such as discovery and signatures) from the draft and moving them to new drafts. As soon as -06 is published, I plan to issue informal last-calls for each section so that we can lock down the normative portions of the draft.
>>
>> If you have any must-happen changes for -05 that were not already posted to the list, please let me know.
>>
>> EHL
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>>
>>      
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>

v2.23.0 | Report a Bug | By Email