[OAUTH-WG] username password delegation profile

Brian Eaton <beaton@google.com> Fri, 23 April 2010 00:45 UTC

Return-Path: <beaton@google.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id D3BD13A680A for <oauth@core3.amsl.com>; Thu, 22 Apr 2010 17:45:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -101.053
X-Spam-Level:
X-Spam-Status: No, score=-101.053 tagged_above=-999 required=5 tests=[AWL=-0.565, BAYES_05=-1.11, FM_FORGED_GMAIL=0.622, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XrBHa4zsZX3U for <oauth@core3.amsl.com>; Thu, 22 Apr 2010 17:45:14 -0700 (PDT)
Received: from smtp-out.google.com (smtp-out.google.com [74.125.121.35]) by core3.amsl.com (Postfix) with ESMTP id 2ED613A689A for <oauth@ietf.org>; Thu, 22 Apr 2010 17:45:13 -0700 (PDT)
Received: from hpaq5.eem.corp.google.com (hpaq5.eem.corp.google.com [10.3.21.5]) by smtp-out.google.com with ESMTP id o3N0j2ce026698 for <oauth@ietf.org>; Fri, 23 Apr 2010 02:45:02 +0200
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=google.com; s=beta; t=1271983502; bh=2bUQx3Fwh8V4xvuJUfr/nOwV1+o=; h=MIME-Version:Date:Message-ID:Subject:From:To:Content-Type: Content-Transfer-Encoding; b=sM21suNgJJIrSi7qvNMqfgnz6uroGBoBONWyYP1qUi8euHI8q8TAXVoNwQfOdibPW RlKma9/bFveN0ZMKYfKBQ==
DomainKey-Signature: a=rsa-sha1; s=beta; d=google.com; c=nofws; q=dns; h=mime-version:date:message-id:subject:from:to:content-type: content-transfer-encoding:x-system-of-record; b=anQwuesUNfW9iL1O3uAC5pcQGlT3z7QTdsYP/7in5RGkl5GpIXC9wWBVDYIxsPr3B 4LbKGMR0CK0TAy/kIKafQ==
Received: from pwj8 (pwj8.prod.google.com [10.241.219.72]) by hpaq5.eem.corp.google.com with ESMTP id o3N0ixgA027359 for <oauth@ietf.org>; Fri, 23 Apr 2010 02:45:00 +0200
Received: by pwj8 with SMTP id 8so6212452pwj.10 for <oauth@ietf.org>; Thu, 22 Apr 2010 17:44:59 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.142.202.10 with HTTP; Thu, 22 Apr 2010 17:44:58 -0700 (PDT)
Date: Thu, 22 Apr 2010 17:44:58 -0700
Received: by 10.142.56.21 with SMTP id e21mr405110wfa.327.1271983498857; Thu, 22 Apr 2010 17:44:58 -0700 (PDT)
Message-ID: <q2gdaf5b9571004221744ya2323eaav8cc1394af5d32b85@mail.gmail.com>
From: Brian Eaton <beaton@google.com>
To: oauth@ietf.org
Content-Type: text/plain; charset="windows-1252"
Content-Transfer-Encoding: quoted-printable
X-System-Of-Record: true
Subject: [OAUTH-WG] username password delegation profile
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 23 Apr 2010 00:45:14 -0000

A couple of comments on this profile.

1) Error URL

I noticed that there was wide consensus that returning a
captcha-specific error was not going to be useful.  That matches our
experience with ClientLogin [1] - very few developers properly handle
captcha.  And if a developer is sophisticated enough to handle
Captchas, I would rather they just used a web browser in the first
place.

However, lots of developers do tell users to visit the URL we return
in our error response.  This is often sufficient to resolve whatever
problems are happening with the user’s account.  So I’d like to see an
optional “url” parameter returned with the “invalid_credentials” error
code.  Clients should instruct the user to visit that URL.

2) Is anyone actually going to implement this flow and not return a
refresh token?

Cheers,
Brian

[1] http://code.google.com/apis/accounts/docs/AuthForInstalledApps.html
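The optional "url" parameter proposed in point 1 above, sketched as an added example; this is not code from the message or from any OAuth draft. It assumes a JSON error body, that the parameter name is "url" alongside the "invalid_credentials" error code as proposed, and a client-side policy (the message proposes the parameter, not a validation rule) of only surfacing the URL when it is https and on the authorization server's own host, so a malformed or tampered response cannot steer the user to an arbitrary page. All hostnames and paths are constructed.

```python
import json
from urllib.parse import urlsplit

# Constructed value: the host of the token endpoint the client talks to.
TOKEN_ENDPOINT_HOST = "auth.example.com"


def build_invalid_credentials_error(help_url=None):
    """Authorization-server side: error body in the shape of the proposal.

    help_url is the optional page the user should visit to unblock the
    account (a CAPTCHA or account-recovery page); omitted when there is none.
    Error code and parameter name are taken from the message; the JSON
    encoding is an assumption.
    """
    body = {"error": "invalid_credentials"}
    if help_url is not None:
        body["url"] = help_url
    return json.dumps(body)


def parse_token_error(response_body, expected_host=TOKEN_ENDPOINT_HOST):
    """Client side: return (error_code, url_or_None) from an error response.

    The url is only returned when it is https and on expected_host; that
    restriction is an assumed client policy, not part of the proposal.
    """
    try:
        data = json.loads(response_body)
    except ValueError:
        return ("malformed_response", None)
    error = data.get("error")
    if error != "invalid_credentials":
        return (error, None)
    url = data.get("url")
    if not isinstance(url, str):
        return (error, None)
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.hostname != expected_host:
        # Unexpected scheme or host: keep the error, drop the link.
        return (error, None)
    return (error, url)


def advice_for_user(response_body):
    """What the client should tell the user, per the message's suggestion
    that clients instruct the user to visit the returned URL."""
    error, url = parse_token_error(response_body)
    if error == "invalid_credentials":
        if url:
            return ("Sign-in failed. Visit " + url +
                    " to resolve the problem with your account, then try again.")
        return "Sign-in failed. Check your username and password and try again."
    return "Sign-in failed with error '%s'." % error


if __name__ == "__main__":
    # Constructed responses: one with a help URL, one without.
    print(advice_for_user(build_invalid_credentials_error(
        "https://auth.example.com/unlock")))
    print(advice_for_user(build_invalid_credentials_error()))
```

The host check is the part worth keeping in mind: the link is only as trustworthy as the channel it arrived over, so a client that displays it should at least confirm it points back at the server it was already talking to.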