To: Thomas Broyer <t.broyer@gmail.com>,
 Sergey Beryozkin <sberyozkin@gmail.com>, Justin Richer <jricher@mit.edu>
References: <78kleo9cmvytysxs1qv8kep0.1453117674832@email.android.com>
 <569CDE25.90908@gmail.com>
 <CAAP42hA_3EmJw7fAXSSfg=KynAMF26x6vgm1HyLX1RAS4OpKfQ@mail.gmail.com>
 <569E08F6.4040600@gmail.com> <56A7B52C.2040302@gmail.com>
 <CAEayHEMrTjDQbdoX3C-2-oGUVVQTzCzDqbWU-hFeAtbSp-tCcg@mail.gmail.com>
 <7E08DFCA-ADBC-481A-896A-2725E1F79EFA@mit.edu> <56A8A762.9080004@gmail.com>
 <CAEayHEPi7hsu=zkr_qxadp02D9zzLGVDU-AGVZXzm25vE2bJFw@mail.gmail.com>
 <56A8B542.5060208@gmail.com> <56A8BE1B.2080404@aol.com>
 <CAEayHEOtpUxMRKduitbe=D3UFHSazMmkf9UQoiPNjZFr0JATOA@mail.gmail.com>
From: George Fletcher <gffletch@aol.com>
Organization: AOL LLC
Message-ID: <56A8F3A5.8060002@aol.com>
Date: Wed, 27 Jan 2016 11:43:17 -0500
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:38.0)
 Gecko/20100101 Thunderbird/38.5.1
MIME-Version: 1.0
In-Reply-To: <CAEayHEOtpUxMRKduitbe=D3UFHSazMmkf9UQoiPNjZFr0JATOA@mail.gmail.com>
Content-Type: multipart/alternative;
 boundary="------------040607060106050503050807"
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/sJekQ-1DP3buj5h3uAeaxGzV63E>
Cc: "<oauth@ietf.org>" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Can the repeated authorization of scopes be avoided ?
List-Id: OAUTH WG <oauth.ietf.org>

This is a multi-part message in MIME format.
--------------040607060106050503050807
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 8bit

Yes, I was thinking mostly of "native apps"... though you bring up a 
good point. It would be great if "installable" web apps could do dynamic 
client registration:)  I suppose for a "public" client that is loaded 
onto a device, the "installation" process could obtain a new client_id 
for that instance. Cookies might work, or have the app generate a unique 
identifier and use that in conjunction with the client_id?

Thanks,
George

On 1/27/16 11:07 AM, Thomas Broyer wrote:
>
>
> On Wed, Jan 27, 2016 at 1:54 PM George Fletcher <gffletch@aol.com> wrote:
>
>     The difference might be whether you want to store the scope
>     consent by client "instance" vs client_id application "class".
>
>
> Correct me if I'm wrong but this only makes sense for "native apps", 
> not for web apps, right?
> (of course, now with "installable web apps" –e.g. progressive web 
> apps–, lines get blurry; any suggestion how you'd do it then? cookies?)

-- 
Chief Architect
Identity Services Engineering     Work: george.fletcher@teamaol.com
AOL Inc.                          AIM:  gffletch
Mobile: +1-703-462-3494           Twitter: http://twitter.com/gffletch
Office: +1-703-265-2544           Photos: http://georgefletcher.photography


--------------040607060106050503050807--
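
The distinction drawn in this message between storing scope consent per client "instance" and per client_id "class" can be shown as an authorization-server consent lookup. This is an added example, not code from the thread or from any OAuth implementation; `ConsentStore`, `instance_id` and the sample user, client and scope names are hypothetical, with `instance_id` standing in for the app-generated unique identifier the message suggests.

```python
from collections import defaultdict

class ConsentStore:
    """Remembers approved scopes, keyed by client "class" or client "instance"."""

    def __init__(self, per_instance):
        self.per_instance = per_instance
        self._granted = defaultdict(set)   # key -> set of approved scopes

    def _key(self, user, client_id, instance_id):
        # Class-level: every install of client_id shares one consent record per user.
        # Instance-level: each install (hypothetical instance_id) has its own record.
        if self.per_instance:
            if not instance_id:
                raise ValueError("instance-level consent needs an instance identifier")
            return (user, client_id, instance_id)
        return (user, client_id)

    def scopes_to_prompt(self, user, client_id, requested, instance_id=None):
        """Return the requested scopes the user has not yet approved (sorted)."""
        granted = self._granted.get(self._key(user, client_id, instance_id), set())
        return sorted(set(requested.split()) - granted)

    def record(self, user, client_id, approved, instance_id=None):
        self._granted[self._key(user, client_id, instance_id)].update(approved)

def authorize(store, user, client_id, scope, instance_id=None):
    """Simulate one authorization request; the user approves whatever is prompted."""
    missing = store.scopes_to_prompt(user, client_id, scope, instance_id)
    store.record(user, client_id, missing, instance_id)
    return missing   # an empty list means no consent screen was needed

def demo(per_instance):
    # Constructed sequence: same user and client_id, two different installs.
    store = ConsentStore(per_instance)
    return [
        authorize(store, "alice", "mail-app", "mail.read", "phone-1"),
        authorize(store, "alice", "mail-app", "mail.read", "phone-1"),  # repeat
        authorize(store, "alice", "mail-app", "mail.read mail.send", "tablet-2"),
    ]

if __name__ == "__main__":
    print("class-level:   ", demo(per_instance=False))
    print("instance-level:", demo(per_instance=True))
```

With class-level storage the second install is prompted only for the scope the user has not yet approved; with instance-level storage it is prompted for everything it requests.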

