Re: [OAUTH-WG] User-agent flow and pre-registered redirect_uri
Andrew Arnott <andrewarnott@gmail.com> Mon, 07 June 2010 17:19 UTC
Rick, ...

On Sat, Jun 5, 2010 at 12:45 PM, Rick Olson <technoweenie@gmail.com> wrote:

> How else are you preregistered with the auth server?

I don't understand the question, sorry.

> Why can't you just return the temporary code and rely on the JS or Desktop app to
> make another call to get the access token? JSONP would work well for
> the response to JS apps.

Besides being less convenient for the clients, what would that accomplish? I don't think it would improve security, if that's the objective, since the clients still can't keep their own secrets, and it's the secret that accompanies the follow-up request for an access token that prevents the security problem in the other flows.

> On Sat, Jun 5, 2010 at 12:49 AM, Andrew Arnott <andrewarnott@gmail.com> wrote:
> > The user agent flow indicates that the redirect_uri SHOULD be preregistered
> > with the auth server for a given client. I would like to suggest that the
> > SHOULD here be changed to MUST. Unless I'm missing something, without a
> > preregistered redirect_uri any arbitrary client can obtain an access token
> > under the pretense of being another client, and thereby perhaps altogether
> > skip a user authorization prompt.
> >
> > As there will likely be a few popular client_id's in use, it will actually
> > make it trivially easy to obtain elevated access to private user data as a
> > rogue application. This danger is unique to the user-agent flow because in
> > this flow the client_secret is not required to obtain the access token,
> > whereas it is for other flows.
> >
> > Thoughts?
> > --
> > Andrew Arnott
> > "I [may] not agree with what you have to say, but I'll defend to the death
> > your right to say it." - S. G. Tallentyre
>
> --
> Rick Olson
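As an added example (not code from the thread, nor from any OAuth implementation), here is how an authorization server can enforce the MUST that Andrew proposes for the user-agent flow: the redirect_uri in the request has to match one registered for the client_id exactly, and on a mismatch the server returns an error to the user instead of redirecting anywhere. The registration table and the function names `redirect_uri_matches` and `authorize` are constructed for this illustration.

```python
from urllib.parse import urlsplit, urlencode
import secrets

# Constructed registration table: each client_id maps to the exact redirect
# URIs it registered out of band. In the user-agent flow no client_secret is
# ever presented, so this registration is the only thing binding a client_id
# to a destination for the access token.
REGISTERED_CLIENTS = {
    "popular-js-app": {"https://app.example.com/oauth/callback"},
}


def redirect_uri_matches(registered: set, requested: str) -> bool:
    """Exact, component-wise comparison: scheme, host:port, path and query
    must all be identical to a registered URI. A request URI carrying a
    fragment is rejected outright, because the user-agent flow delivers the
    token in the fragment. Prefix or substring matching is deliberately
    avoided (it would let app.example.com.evil.net or an appended query
    slip through)."""
    req = urlsplit(requested)
    if req.fragment or req.scheme != "https":
        return False
    for reg in registered:
        r = urlsplit(reg)
        if (r.scheme, r.netloc, r.path, r.query) == (req.scheme, req.netloc, req.path, req.query):
            return True
    return False


def authorize(client_id: str, redirect_uri: str, user_consented: bool) -> dict:
    """Simulated /authorize decision for response_type=token.

    Returns {"redirect": <registered uri with the token in the fragment>} on
    success. When the redirect_uri is not registered for the client_id the
    result is {"error": ...} with no redirect at all: bouncing the user agent
    to an unverified URI, even just to report an error, is the hop a rogue
    client presenting a well-known client_id would rely on."""
    registered = REGISTERED_CLIENTS.get(client_id)
    if not registered:
        return {"error": "unknown_client"}
    if not redirect_uri_matches(registered, redirect_uri):
        return {"error": "redirect_uri_mismatch"}
    if not user_consented:
        return {"redirect": redirect_uri + "#" + urlencode({"error": "access_denied"})}
    token = secrets.token_urlsafe(32)  # stand-in for the server's real token issuance
    return {"redirect": redirect_uri + "#" + urlencode({"access_token": token, "token_type": "bearer"})}
```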