Re: [OAUTH-WG] Device profile draft
George Fletcher <gffletch@aol.com> Thu, 15 July 2010 20:05 UTC
Message-ID: <4C3F6A06.6030804@aol.com>
Date: Thu, 15 Jul 2010 16:05:26 -0400
From: George Fletcher <gffletch@aol.com>
Organization: AOL LLC
To: David Recordon <recordond@gmail.com>
References: <AANLkTimwAtY91GtsaUICsHNkh2a4zS0kJTbr6xs7W7lI@mail.gmail.com>
In-Reply-To: <AANLkTimwAtY91GtsaUICsHNkh2a4zS0kJTbr6xs7W7lI@mail.gmail.com>
Cc: OAuth WG <oauth@ietf.org>, Jim Brusstar <jimbru@facebook.com>
Subject: Re: [OAUTH-WG] Device profile draft

Looks good.

Are there any restrictions on the device_code such that it has to be under a certain size? Seems like it would be good to protect against random polling attacks (I presume this is what the Google research refers to). If there are no size restrictions then the device_code could be an encrypted blob with things like the client IP which make verification that it's the right client a little stronger.

Also, for devices like a digital photo frame or refrigerator, it seems like client_secrets would be appropriate. Is there a particular reason why they are excluded rather than just optional?

Thanks,
George

On 7/15/10 3:47 PM, David Recordon wrote:
> I've broken the device profile out of draft 06 so that it now lives in
> a separate document as an extension and have updated it to fit into
> the draft 10 structure. It defines a new "device endpoint" for the
> initial setup request where the client gets the two codes and URL. It
> then uses the existing token endpoint for polling for an access token.
>
> Jim is currently working on an implementation of it and we're
> generally looking for feedback from implementors. The current polling
> mechanism hasn't been tested in production deployments so it's
> possible that it may change in future drafts. My goal is for this to
> become a working group draft.
>
> http://github.com/daveman692/OAuth-2.0/raw/master/draft-recordon-oauth-v2-device-00.txt
>
> Thanks!
>
> --David
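
The idea raised in the message above, a device_code that is a long server-generated blob carrying the client IP, sketched as an added example that is not part of the original message or of the draft. It authenticates the blob with HMAC-SHA256 instead of encrypting it (the fields stay readable by the client; an AEAD cipher would be needed to hide them), and the key, field names and function names are all assumptions.

```python
import base64, hashlib, hmac, json, secrets, time

SERVER_KEY = secrets.token_bytes(32)  # assumption: per-server secret, never sent to clients

def b64e(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_device_code(client_id, client_ip, ttl=600, now=None, key=SERVER_KEY):
    """Return a device_code bound to the requesting client and its IP."""
    claims = {
        "cid": client_id,
        "ip": client_ip,
        "exp": int(now if now is not None else time.time()) + ttl,
        "n": b64e(secrets.token_bytes(16)),  # 128 random bits, unique per request
    }
    body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return b64e(body) + "." + b64e(tag)

def check_device_code(code, client_id, client_ip, now=None, key=SERVER_KEY):
    """Return the claims if the polled code is authentic, unexpired and
    presented by the same client from the same IP; otherwise None."""
    try:
        body_part, tag_part = code.split(".")
        body, tag = b64d(body_part), b64d(tag_part)
    except ValueError:  # wrong shape or bad base64: a guessed or mangled code
        return None
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # forged or altered blob
    claims = json.loads(body)
    if (now if now is not None else time.time()) >= claims["exp"]:
        return None  # expired
    if claims["cid"] != client_id or claims["ip"] != client_ip:
        return None  # polled by a different client or from a different address
    return claims
```

Checking the tag before touching any stored authorization state lets the token endpoint reject random polling guesses without a lookup; the approval state itself would still be stored server-side, keyed by the code.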