Re: [OAUTH-WG] Native Client Extension
Skylar Woodward <skylar@kiva.org> Fri, 28 January 2011 12:06 UTC
Return-Path: <skylar@kiva.org>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 99CC23A67F9 for <oauth@core3.amsl.com>; Fri, 28 Jan 2011 04:06:20 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.606
X-Spam-Level:
X-Spam-Status: No, score=-3.606 tagged_above=-999 required=5 tests=[AWL=0.993, BAYES_00=-2.599, GB_I_LETTER=-2]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cGgX2EBuSfpm for <oauth@core3.amsl.com>; Fri, 28 Jan 2011 04:06:19 -0800 (PST)
Received: from na3sys010aog110.obsmtp.com (na3sys010aog110.obsmtp.com [74.125.245.88]) by core3.amsl.com (Postfix) with SMTP id 374B63A63EB for <oauth@ietf.org>; Fri, 28 Jan 2011 04:06:16 -0800 (PST)
Received: from source ([209.85.214.48]) (using TLSv1) by na3sys010aob110.postini.com ([74.125.244.12]) with SMTP ID DSNKTUKx8nCsUPLj73/bEzmXePi50UCu2TEI@postini.com; Fri, 28 Jan 2011 04:09:23 PST
Received: by bwz8 with SMTP id 8so3471022bwz.7 for <oauth@ietf.org>; Fri, 28 Jan 2011 04:09:21 -0800 (PST)
Received: by 10.204.113.9 with SMTP id y9mr2285118bkp.201.1296216561214; Fri, 28 Jan 2011 04:09:21 -0800 (PST)
Received: from [10.0.1.4] (dan75-7-88-166-184-189.fbx.proxad.net [88.166.184.189]) by mx.google.com with ESMTPS id f20sm8661535bkf.16.2011.01.28.04.09.18 (version=TLSv1/SSLv3 cipher=RC4-MD5); Fri, 28 Jan 2011 04:09:19 -0800 (PST)
Mime-Version: 1.0 (Apple Message framework v1082)
Content-Type: text/plain; charset="us-ascii"
From: Skylar Woodward <skylar@kiva.org>
In-Reply-To: <AANLkTin_=nJi7yeJ8VTMV-dufB8UoP5Y4r1ffM+82vgO@mail.gmail.com>
Date: Fri, 28 Jan 2011 13:09:16 +0100
Content-Transfer-Encoding: quoted-printable
Message-Id: <4E163351-08AE-47FA-B1F2-ECE6535346C1@kiva.org>
References: <AANLkTi=YWLHV1Yi0bdKTaDaBw3X5D6Y_kk3xt7EvJHe_@mail.gmail.com> <4D239DCF.4030501@lodderstedt.net> <AANLkTi=RAS5X0jUjxFzf6k1_r+79NFSFjmZs2bw2Lg3o@mail.gmail.com> <3C83928E-56D5-4386-A075-9ECF1F3A469C@kiva.org> <AANLkTin_=nJi7yeJ8VTMV-dufB8UoP5Y4r1ffM+82vgO@mail.gmail.com>
To: Marius Scurtescu <mscurtescu@google.com>
X-Mailer: Apple Mail (2.1082)
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Native Client Extension
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 28 Jan 2011 12:06:20 -0000
I agree in terms of simplicity, but the language in 4.1 and in the definition of redirect_url conflicts with group consensus. So it seems a single exception should be called out for the case where redirect_url=oob (or some compliant absolute url like x-oauth-oob:), or there should be an extension defined that makes this exceptional case clearly defined to co-exist with the core language of MUST, REQUIRED, and absolute. On Jan 28, 2011, at 1:44 AM, Marius Scurtescu wrote: > On Thu, Jan 27, 2011 at 3:00 AM, Skylar Woodward <skylar@kiva.org> wrote: >> Marius, >> >> I support the extension (as per my previous letter, as I missed this thread over the holidays) and Kiva is/was planning to support this as well. Given the unpredictable technology environments of many of our customers, this flow is essential for our implementation. >> >> However, now reviewing language in draft-12, I wonder if it isn't more clear to define the extension as using a different response_type (eg, oob_code). In the past, the use of "oob" has been more of hack to work with existing specs. In truth, it is a unique flow of its own compared to Implict and Auth Code as they are currently defined. Such a flow would not accept a redirect_url and could use "oob_code" for both response_type and grant_type. > > I still think that "oob" applies only to the mechanism to return a > result, and not to the whole flow. Theoretically redirect_uri=oob > should work with both response_type=code and response_type=token, but > I had in mind only code. > > Also, I don't see a reason to do anything special with the grant_type, > once the client has an authorization code it is all the same. > > Marius
- [OAUTH-WG] Native Client Extension Marius Scurtescu
- Re: [OAUTH-WG] Native Client Extension Torsten Lodderstedt
- Re: [OAUTH-WG] Native Client Extension Marius Scurtescu
- Re: [OAUTH-WG] Native Client Extension Richer, Justin P.
- Re: [OAUTH-WG] Native Client Extension Skylar Woodward
- Re: [OAUTH-WG] Native Client Extension Eran Hammer-Lahav
- Re: [OAUTH-WG] Native Client Extension Marius Scurtescu
- Re: [OAUTH-WG] Native Client Extension Skylar Woodward
- Re: [OAUTH-WG] Native Client Extension Eran Hammer-Lahav
- Re: [OAUTH-WG] Native Client Extension Marius Scurtescu
- Re: [OAUTH-WG] Native Client Extension Eran Hammer-Lahav
- Re: [OAUTH-WG] Native Client Extension Marius Scurtescu
- Re: [OAUTH-WG] Native Client Extension Eran Hammer-Lahav
- Re: [OAUTH-WG] Native Client Extension Skylar Woodward
- Re: [OAUTH-WG] Native Client Extension Skylar Woodward
- Re: [OAUTH-WG] Native Client Extension Skylar Woodward
- Re: [OAUTH-WG] Native Client Extension Marius Scurtescu