Re: [OAUTH-WG] Returning tokens directly to a human user

Sergey Beryozkin <sberyozkin@gmail.com> Fri, 06 March 2015 22:20 UTC


Thanks for the reference to such applications...

Sergey
On 06/03/15 18:07, Dick Hardt wrote:
> If you are interested in how others have done a similar flow, you could
> look at how smart TVs supporting Netflix and Amazon are authorized.
>
> On Fri, Mar 6, 2015 at 9:22 AM, Sergey Beryozkin <sberyozkin@gmail.com
> <mailto:sberyozkin@gmail.com>> wrote:
>
>     Hi All,
>
>     We might have a requirement to support a case where the AS returns an
>     access token directly to a human user, with the user subsequently
>     configuring a confidential client with this token. The actual client
>     is not capable of supporting a (more dynamic) code flow at this stage.
>
>     So it is nearly like an implicit code flow except that the user is
>     asked upfront which clients can get the tokens allocated and the
>     token is returned in the HTML response without redirecting and
>     placing the token in a fragment.
>
>     Apparently a number of big providers do just that: they let users
>     allocate tokens for some clients, with the users expected to copy the
>     tokens into the confidential clients afterwards.
>
>     I'd like to ask, is it a reasonable approach to have tokens
>     transferred manually into the confidential client?
>
>     Would it be more appropriate for a user to request a code and then
>     copy it to the confidential client and expect it to get the tokens
>     itself? I guess the problem here may be that a code is short-lived, but
>     so is a typical access token - but the latter can be supported by a
>     refresh one.
>
>     Another question: does it even qualify as an OAuth2 grant for token
>     exchange, the process of a user pre-authorizing a client and getting
>     not a code but tokens back? I guess it does, so how would a grant like
>     this one typically be called? We'd have no problems with
>     assigning some custom name to such a grant but am curious how others
>     approach it...
>
>     Thanks, Sergey
>
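As an added illustration (not code from the thread or from any participant), here is an in-memory model of the alternative Sergey raises: the user is shown a short-lived code to copy into the confidential client, which then redeems it with its own credentials, and a refresh token covers the access token's short life. The code is single-use and bound to the client it was issued for, so a copied-and-leaked code is worth far less than a copied long-lived bearer token. The client registry, secrets and the ten-minute code lifetime are constructed values.

```python
import hmac
import secrets
import time

CODE_TTL_SECONDS = 600  # constructed: the hand-copied code lives ten minutes

class AuthorizationServer:
    """In-memory AS for the 'copy a code, not a token' variant (illustration only)."""
    def __init__(self, clients, clock=time.time):
        self.clients = clients        # client_id -> client_secret (constructed registry)
        self.codes = {}               # code -> (client_id, user, expires_at)
        self.refresh_tokens = {}      # refresh_token -> (client_id, user)
        self.clock = clock            # injectable so expiry can be exercised offline

    def issue_code_to_user(self, user, client_id):
        """User pre-authorizes one client in the browser and is shown a code to copy."""
        if client_id not in self.clients:
            raise ValueError("unknown client")
        code = secrets.token_urlsafe(24)
        self.codes[code] = (client_id, user, self.clock() + CODE_TTL_SECONDS)
        return code

    def _authenticate_client(self, client_id, client_secret):
        expected = self.clients.get(client_id)
        return expected is not None and hmac.compare_digest(expected, client_secret)

    def redeem_code(self, code, client_id, client_secret):
        """Confidential client exchanges the pasted code for tokens (the token request)."""
        if not self._authenticate_client(client_id, client_secret):
            return {"error": "invalid_client"}
        entry = self.codes.pop(code, None)    # pop: a code redeems exactly once
        if entry is None:
            return {"error": "invalid_grant"}
        bound_client, user, expires_at = entry
        if bound_client != client_id or self.clock() > expires_at:
            return {"error": "invalid_grant"}   # wrong client or expired code
        refresh = secrets.token_urlsafe(32)
        self.refresh_tokens[refresh] = (client_id, user)
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
                "expires_in": 3600, "refresh_token": refresh}

    def refresh(self, refresh_token, client_id, client_secret):
        """Short-lived access tokens are renewed via the refresh token, not by re-copying."""
        if not self._authenticate_client(client_id, client_secret):
            return {"error": "invalid_client"}
        entry = self.refresh_tokens.get(refresh_token)
        if entry is None or entry[0] != client_id:
            return {"error": "invalid_grant"}
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer", "expires_in": 3600}
```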