IETF Logo Mail Archive

Re: [OAUTH-WG] Device profile usage

Vincent Tsang <vincetsang@gmail.com> Sat, 01 June 2013 11:33 UTC

Return-Path: <vincetsang@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 008EB21F8689; Sat, 1 Jun 2013 04:33:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.569
X-Spam-Level: *
X-Spam-Status: No, score=1.569 tagged_above=-999 required=5 tests=[BAYES_40=-0.185, HTML_MESSAGE=0.001, MIME_BASE64_TEXT=1.753]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JsuborGGd5+7; Sat, 1 Jun 2013 04:33:47 -0700 (PDT)
Received: from mail-pd0-f177.google.com (mail-pd0-f177.google.com [209.85.192.177]) by ietfa.amsl.com (Postfix) with ESMTP id A618D21F867B; Sat, 1 Jun 2013 04:33:47 -0700 (PDT)
Received: by mail-pd0-f177.google.com with SMTP id u11so3508800pdi.36 for <multiple recipients>; Sat, 01 Jun 2013 04:33:47 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=pO+IT3TRto//Rx25H0rn0RD+CEH8njT0JWt8ohNnof4=; b=ACzWrXyNhJ4DpZvEgVvFpfor2Vh7RGpbfGvvy3Tjb0KayOBMIXkEyoetpHJ2n2KHpZ 8B1zo2bYaOB7xyRMB2egjtZoM3foH2tsNtaFJhyp2wFzlg+fBAxsZsZRrs8QjWgXBLfr I5kSWsIWlWRqljBvnmZvbaIkIosXfbA8iDdDBkVv1utKKvJm/a5wkTWTubvFc1KXbDs6 k8b+/roxcbdU1WoJijmRiWYfZVHW33yVlwMteZchzsn1FJZIGpWy2xGMG0pLK2MiGJko mzYfwE8HF7i6R9AkKOLjrQFLaxiztUQgCofHK4AUtVzXwFhRIV+sbT8bxzFXR0tJnvlU IqpA==
MIME-Version: 1.0
X-Received: by 10.68.191.36 with SMTP id gv4mr17222207pbc.67.1370086427291; Sat, 01 Jun 2013 04:33:47 -0700 (PDT)
Received: by 10.70.51.132 with HTTP; Sat, 1 Jun 2013 04:33:47 -0700 (PDT)
In-Reply-To: <OFF86999E0.8F266EE6-ON85257B7A.005F7345-85257B7A.005FEB39@us.ibm.com>
References: <CANZRnTUyz6wo_5ZfghicGpNEm_=+Aw1=ChdNPdTvKkZS4YApNw@mail.gmail.com> <E625D418-5F83-41EB-BF65-09DEDF003C14@gmx.net> <CANZRnTUS4+_37EtA3bJFDvjWOC=iFzGk1PLHutzx1ijp9kMS_g@mail.gmail.com> <-8470720313341818373@unknownmsgid> <CANZRnTUpyaV6Vd88wkSG_g5tb9QeVGM60czSrpqDdEcqczoXSg@mail.gmail.com> <OF35A0195E.6911A37A-ON85257B7A.0049A8A1-85257B7A.0049D9F2@us.ibm.com> <CANZRnTVcQdobaRSdNLQQR3CtLL_w=q=DLJTGdLe0Kp3-K6-q+w@mail.gmail.com> <OFF86999E0.8F266EE6-ON85257B7A.005F7345-85257B7A.005FEB39@us.ibm.com>
Date: Sat, 01 Jun 2013 19:33:47 +0800
Message-ID: <CANZRnTVYNDw3m2pJdFaC9hpDviSLQ5kAbczdJF+aN1B6iKVpKQ@mail.gmail.com>
From: Vincent Tsang <vincetsang@gmail.com>
To: Todd W Lainhart <lainhart@us.ibm.com>
Content-Type: multipart/alternative; boundary="e89a8ff1c418cf77ce04de161a06"
Cc: "oauth@ietf.org" <oauth@ietf.org>, "oauth-bounces@ietf.org" <oauth-bounces@ietf.org>
Subject: Re: [OAUTH-WG] Device profile usage
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 01 Jun 2013 11:33:52 -0000

Thanks everyone for the helpful suggestions - special thanks to Justin for
the detailed description. I now agree the authorization code flow is
applicable to our use case and seems 6d in Justin's response is a good way
to go.

Cheers,
Vincent


On Thu, May 30, 2013 at 1:27 AM, Todd W Lainhart <lainhart@us.ibm.com>wrote:

> > The same user could run the app on multiple computers and I want to
> distinguish each running instance, so I think it's the app?
>
> I asked, because I wondered if the client credentials flow or the auth
> code flow was the more appropriate flow. It sounds like you want to
> identify both the client and the user, but it's unclear if it's required
> that the client authenticate.  Also, I can't tell from your use case if
> OAuth is the appropriate solution.
>
> If it is the right solution, Justin's response sounds like the way to go.
>
>  *
>
>
> Todd Lainhart
> Rational software
> IBM Corporation
> 550 King Street, Littleton, MA 01460-1250**
> 1-978-899-4705
> 2-276-4705 (T/L)
> lainhart@us.ibm.com*
>
>
>
>
> From:        Vincent Tsang <vincetsang@gmail.com>
> To:        Todd W Lainhart/Lexington/IBM@IBMUS,
> Cc:        "oauth@ietf.org" <oauth@ietf.org>, "oauth-bounces@ietf.org" <
> oauth-bounces@ietf.org>, Nat Sakimura <sakimura@gmail.com>
> Date:        05/29/2013 10:29 AM
> Subject:        Re: Device profile usage
> ------------------------------
>
>
>
> The same user could run the app on multiple computers and I want to
> distinguish each running instance, so I think it's the app?
>
> Thanks.
> Vincent
>
> On Wednesday, May 29, 2013, Todd W Lainhart wrote:
> On behalf of what will the access token be granted - the app (e.g. Word),
> or the user running the app?
>   *
>
>
> Todd Lainhart
> Rational software
> IBM Corporation
> 550 King Street, Littleton, MA 01460-1250**
> 1-978-899-4705
> 2-276-4705 (T/L)**
> **lainhart@us.ibm.com*
>
>
>
>
>
> From:        Vincent Tsang <*vincetsang@gmail.com*>
> To:        Nat Sakimura <*sakimura@gmail.com*>,
> Cc:        "*oauth@ietf.org*" <*oauth@ietf.org*>
> Date:        05/29/2013 12:31 AM
> Subject:        Re: [OAUTH-WG] Device profile usage
> Sent by:        *oauth-bounces@ietf.org*
>  ------------------------------
>
>
>
> The client is a native windows application, for instance, a document
> editor like MS Word.
> The editor can upload copies to the cloud (e.g. Amazon S3), then record
> the version history and notes associated with each cloud copy to our cloud
> service via our cloud application API (to be secured by OAuth access
> tokens).
> I think it's similar to the case with a media player application (like
> VLC/Windows Media Player) that sends playlist/history info to the cloud via
> some cloud application API.
> I'm just not sure which of the 4 scenarios described in the OAuth spec
> could fit in here...
>
> Thanks.
> Vincent
>
>
> On Wed, May 29, 2013 at 11:38 AM, Nat Sakimura <*sakimura@gmail.com*>
> wrote:
> A little more application and user context would help.
> A use case, so to speak.
>
> Nat
>
> 2013/05/29 12:04、Vincent Tsang <*vincetsang@gmail.com*> のメッセージ:
>
> > Hi Hannes,
> >
> > Thanks for your reply.
> > Actually I am new to OAuth and am simply trying to search for the best
> industrial practice for granting access tokens when the client to our
> application API is a simple windows applications, which in most cases runs
> on PC's with web browser installed.
> > Therefore the scenario doesn't quite match what is described in the
> document, as the user doesn't need a separate machine to perform the
> verification; it's just that the client application doesn't have internet
> browsing capability itself (in this sense it's similar to the "device"
> described in this document, though not quite) and so user needs to launch a
> separate browser application.
> > I ended up on this device profile spec just because it seems to match
> closer to our scenario when compared to the 4 cases described in the OAuth
> 2 spec, but it could be the case that I didn't understand it fully.
> > Maybe I should rephrase my question: could someone please advice what
> should be the best practice for granting OAuth tokens to clients which are
> native windows applications?
> >
> > Thanks.
> > Vincent
> >
> > _______________________________________________
> > OAuth mailing list
> > *OAuth@ietf.org*
> > *https://www.ietf.org/mailman/listinfo/oauth*<https://www.ietf.org/mailman/listinfo/oauth>
> _______________________________________________
> OAuth mailing list*
> **OAuth@ietf.org**
> **https://www.ietf.org/mailman/listinfo/oauth*<https://www.ietf.org/mailman/listinfo/oauth>
>
>

v2.23.0 | Report a Bug | By Email