Re: [OAUTH-WG] oauth with command line clients

David Waite <david@alkaline-solutions.com> Mon, 12 June 2017 16:20 UTC

From: David Waite <david@alkaline-solutions.com>
Date: Mon, 12 Jun 2017 10:20:36 -0600
Cc: "bburke@redhat.com" <bburke@redhat.com>, "aaron@parecki.com" <aaron@parecki.com>, "oauth@ietf.org" <oauth@ietf.org>
To: "Hollenbeck, Scott" <shollenbeck@verisign.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/hUkvuaV5cYkNBjiSQKh_BmIMqC0>

FYI, a few years ago I did a demonstration on OpenID Connect at Cloud Identity Summit using a collection of bash scripts and command-line utilities (nc, jq). I used the macOS system command ‘open’ to launch a browser, and netcat to field the response as a poor man’s HTTP endpoint. The code for that presentation is at https://github.com/dwaite/Presentation-Code-OpenID-Connect-Dynamic-Client-Registration

A few options for the user challenge/consent portion of the authentication are:
- pop up the system browser (you can use window.close() to dismiss on redirect back to your client) - that's the one I used.
- device flow
- use a console browser like lynx or ELinks (which has rudimentary ECMAScript support at a fairly big cost)
- use non-HTML request/response API (around some custom MIME type) to drive a user agent through the authentication/scope approval/etc stages of your AS
- punt and use resource owner credentials grant.

-DW
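
As an added example (not the presentation code linked above, and not code from the OAuth WG), a bash sketch of the first option: launch the system browser, field the redirect on a loopback port with nc, and hand the authorization code to the rest of the script only when the returned state matches the one generated locally. The authorization server URL, client id and port are placeholders; the sample request lines are constructed.

```bash
#!/usr/bin/env bash
# Added example: loopback-redirect handling for a CLI OAuth client that pops up
# the system browser and fields the callback with nc (macOS 'open' + BSD nc).
set -e

# Placeholder values; substitute your authorization server and client.
AUTHZ_ENDPOINT="https://as.example/authorize"
CLIENT_ID="cli-demo"
REDIRECT_URI_ENC="http%3A%2F%2F127.0.0.1%3A8765%2Fcb"   # http://127.0.0.1:8765/cb

# Percent-decode one query component ('+' and %XX).
urldecode() { local s="${1//+/ }"; printf '%b' "${s//%/\\x}"; }

# Print the value of parameter $2 from query string $1; fail if absent.
query_param() {
  local pair pairs
  IFS='&' read -r -a pairs <<< "$1"
  for pair in "${pairs[@]}"; do
    if [ "${pair%%=*}" = "$2" ]; then urldecode "${pair#*=}"; return 0; fi
  done
  return 1
}

# Take the request line nc receives ("GET /cb?code=...&state=... HTTP/1.1") and
# return the code only if the path is ours and the state echoes the value we
# generated; a wrong path (e.g. /favicon.ico), a missing or forged state, or an
# error response from the AS is rejected, so we never exchange a code we did not ask for.
extract_code() {
  local request_line="$1" expected_state="$2" path query
  path="${request_line#GET }"; path="${path%% *}"
  [ "${path%%\?*}" = "/cb" ] || return 1
  query="${path#*\?}"
  [ "$(query_param "$query" state)" = "$expected_state" ] || return 1
  query_param "$query" code
}

# Tiny response that dismisses the popup, as described in the first option above.
close_page() {
  printf 'HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nConnection: close\r\n\r\n'
  printf '<html><body>You can close this window.<script>window.close()</script></body></html>\r\n'
}

run() {   # interactive part: needs a browser and BSD nc, so it only runs with --run
  local state request_line code
  state=$(head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n')
  open "${AUTHZ_ENDPOINT}?response_type=code&client_id=${CLIENT_ID}&redirect_uri=${REDIRECT_URI_ENC}&state=${state}"
  request_line=$(close_page | nc -l 127.0.0.1 8765 | head -n 1)   # serve page, keep first line
  code=$(extract_code "$request_line" "$state") || { echo "callback rejected" >&2; return 1; }
  echo "authorization code: $code"   # next: POST it to the token endpoint with curl, parse with jq
}

if [ "${1:-}" = "--run" ]; then run; fi
```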
 
> On Jun 12, 2017, at 7:29 AM, Hollenbeck, Scott <shollenbeck@verisign.com> wrote:
> 
> From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of Bill Burke
> Sent: Monday, June 12, 2017 9:23 AM
> To: Aaron Parecki <aaron@parecki.com>
> Cc: OAuth WG <oauth@ietf.org>
> Subject: [EXTERNAL] Re: [OAUTH-WG] oauth with command line clients
>  
> I've read about these techniques, but it's just not a good user experience. I'm thinking more of something where the command line console is the sole user agent and the auth server drives a plain text based interaction much like an HTTP Server drives interaction with HTML and the browser.
> 
> This isn't anything complex. It should be a simple protocol, but I'd like to piggyback on existing solutions to build some consensus around what I think is a common issue with using OAuth. If there isn't anything going on here in the OAuth group surrounding this, would be willing to draw up a Draft if there is interest.
> 
> [SAH] I’m certainly interested! I have a use case for federated client authentication and authorization for the Registration Data Access Protocol (RDAP) that has the same need for command line web service clients like wget and curl.
>  
> Scott