IETF Logo Mail Archive

Re: [OAUTH-WG] Native Client Extension

Eran Hammer-Lahav <eran@hueniverse.com> Fri, 28 January 2011 16:19 UTC

Return-Path: <eran@hueniverse.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 441353A68C0 for <oauth@core3.amsl.com>; Fri, 28 Jan 2011 08:19:18 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.569
X-Spam-Level:
X-Spam-Status: No, score=-3.569 tagged_above=-999 required=5 tests=[AWL=1.030, BAYES_00=-2.599, GB_I_LETTER=-2]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BevK0tUs8ptz for <oauth@core3.amsl.com>; Fri, 28 Jan 2011 08:19:16 -0800 (PST)
Received: from p3plex1out02.prod.phx3.secureserver.net (p3plex1out02.prod.phx3.secureserver.net [72.167.180.18]) by core3.amsl.com (Postfix) with SMTP id 35F043A67C3 for <oauth@ietf.org>; Fri, 28 Jan 2011 08:19:15 -0800 (PST)
Received: (qmail 16405 invoked from network); 28 Jan 2011 16:22:21 -0000
Received: from unknown (HELO smtp.ex1.secureserver.net) (72.167.180.20) by p3plex1out02.prod.phx3.secureserver.net with SMTP; 28 Jan 2011 16:22:21 -0000
Received: from P3PW5EX1MB01.EX1.SECURESERVER.NET ([10.6.135.19]) by P3PW5EX1HT002.EX1.SECURESERVER.NET ([72.167.180.20]) with mapi; Fri, 28 Jan 2011 09:22:04 -0700
From: Eran Hammer-Lahav <eran@hueniverse.com>
To: Skylar Woodward <skylar@kiva.org>, Marius Scurtescu <mscurtescu@google.com>
Date: Fri, 28 Jan 2011 09:21:43 -0700
Thread-Topic: [OAUTH-WG] Native Client Extension
Thread-Index: Acu+5D2S3yVKVs7vTfi0ULDrHbNKwwAIwcJQ
Message-ID: <90C41DD21FB7C64BB94121FBBC2E723445A8FB28DE@P3PW5EX1MB01.EX1.SECURESERVER.NET>
References: <AANLkTi=YWLHV1Yi0bdKTaDaBw3X5D6Y_kk3xt7EvJHe_@mail.gmail.com> <4D239DCF.4030501@lodderstedt.net> <AANLkTi=RAS5X0jUjxFzf6k1_r+79NFSFjmZs2bw2Lg3o@mail.gmail.com> <3C83928E-56D5-4386-A075-9ECF1F3A469C@kiva.org> <AANLkTin_=nJi7yeJ8VTMV-dufB8UoP5Y4r1ffM+82vgO@mail.gmail.com> <4E163351-08AE-47FA-B1F2-ECE6535346C1@kiva.org>
In-Reply-To: <4E163351-08AE-47FA-B1F2-ECE6535346C1@kiva.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Native Client Extension
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 28 Jan 2011 16:19:18 -0000

Why not:

urn:ietf:wg:oauth:2.0:oob

Can you can add more flavors for different ways of floating the token/code up to the application. This requires no changes at all to -12 to allow this special case.

EHL

> -----Original Message-----
> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf
> Of Skylar Woodward
> Sent: Friday, January 28, 2011 4:09 AM
> To: Marius Scurtescu
> Cc: OAuth WG
> Subject: Re: [OAUTH-WG] Native Client Extension
> 
> I agree in terms of simplicity, but the language in 4.1 and in the definition of
> redirect_url conflicts with group consensus. So it seems a single exception
> should be called out for the case where redirect_url=oob (or some compliant
> absolute url like x-oauth-oob:), or there should be an extension defined that
> makes this exceptional case clearly defined to co-exist with the core
> language of MUST, REQUIRED, and absolute.
> 
> On Jan 28, 2011, at 1:44 AM, Marius Scurtescu wrote:
> 
> > On Thu, Jan 27, 2011 at 3:00 AM, Skylar Woodward <skylar@kiva.org>
> wrote:
> >> Marius,
> >>
> >> I support the extension (as per my previous letter, as I missed this thread
> over the holidays) and Kiva is/was planning to support this as well.  Given the
> unpredictable technology environments of many of our customers, this flow
> is essential for our implementation.
> >>
> >> However, now reviewing language in draft-12, I wonder if it isn't more
> clear to define the extension as using a different response_type (eg,
> oob_code).  In the past, the use of "oob" has been more of hack to work
> with existing specs. In truth, it is a unique flow of its own compared to Implict
> and Auth Code as they are currently defined.  Such a flow would not accept a
> redirect_url and could use "oob_code" for both response_type and
> grant_type.
> >
> > I still think that "oob" applies only to the mechanism to return a
> > result, and not to the whole flow. Theoretically redirect_uri=oob
> > should work with both response_type=code and response_type=token,
> but
> > I had in mind only code.
> >
> > Also, I don't see a reason to do anything special with the grant_type,
> > once the client has an authorization code it is all the same.
> >
> > Marius
> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email