Re: [OAUTH-WG] user-agent flow needs a rewrite
Naitik Shah <n@daaku.org> Tue, 13 July 2010 20:01 UTC
Return-Path: <naitiks@gmail.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id D95FA3A6B44 for <oauth@core3.amsl.com>; Tue, 13 Jul 2010 13:01:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.976
X-Spam-Level:
X-Spam-Status: No, score=-1.976 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id V19hqEaGgi5m for <oauth@core3.amsl.com>; Tue, 13 Jul 2010 13:01:48 -0700 (PDT)
Received: from mail-gw0-f44.google.com (mail-gw0-f44.google.com [74.125.83.44]) by core3.amsl.com (Postfix) with ESMTP id DBC4C3A69DF for <oauth@ietf.org>; Tue, 13 Jul 2010 13:01:47 -0700 (PDT)
Received: by gwj19 with SMTP id 19so1329893gwj.31 for <oauth@ietf.org>; Tue, 13 Jul 2010 13:01:53 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:mime-version:sender:received :in-reply-to:references:from:date:x-google-sender-auth:message-id :subject:to:cc:content-type; bh=28ic/0BzVMUvNs4kWmqSsSx93WXSHbveQ8cSUdE7xw8=; b=hjiAieXCzi5i7KCi6P9GwCIX3TbupbX2l/XciJauPd5CHvHpXrQqGG6+ygI6VnVMi9 P94qv6EdFyY4qmqE99VG9/DDduNVIz4bJ3nPHJINHk/JyttTIBqBxvLuwdRvVX4DcCyx Cz4cU9OLdqNyXUI/KzpiainCGAxhQS7nfq6MQ=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:sender:in-reply-to:references:from:date :x-google-sender-auth:message-id:subject:to:cc:content-type; b=durnWVA83KS+UGo7r7yghLHNfPIa1kMzbbBFOYf8n9JLoHa15lWM7woFL6OENeL3/E RGwgUj/JeOxExLyDV503xcRBO+Tne7AUd7M3flpVLukRuwVyKyMkRD6/+Zf9iEJgfZlc dvaALiKd3NuMyhHJtySaPd6imI+peBoIE2V+s=
Received: by 10.150.140.6 with SMTP id n6mr6316354ybd.412.1279051313329; Tue, 13 Jul 2010 13:01:53 -0700 (PDT)
MIME-Version: 1.0
Sender: naitiks@gmail.com
Received: by 10.231.159.193 with HTTP; Tue, 13 Jul 2010 13:01:32 -0700 (PDT)
In-Reply-To: <AANLkTil6M4snGRdfsC5vwNPscaCYKqXqYq2F2zNKhhXP@mail.gmail.com>
References: <C85F1725.36FD1%eran@hueniverse.com> <ABEF9F68-F006-4BDD-804D-DEF9CB4C1E29@facebook.com> <AANLkTilY8Zuv-wyBiEJMhe6b6r_v_jiPtXaK7HO8jERe@mail.gmail.com> <AANLkTil6M4snGRdfsC5vwNPscaCYKqXqYq2F2zNKhhXP@mail.gmail.com>
From: Naitik Shah <n@daaku.org>
Date: Tue, 13 Jul 2010 13:01:32 -0700
X-Google-Sender-Auth: 8Qly0WfO8AsjC9ZAv0mBidwXE3M
Message-ID: <AANLkTil95ZOIIf2iak79vDEXI8y3_Axsiegb0vzPXBcl@mail.gmail.com>
To: Brian Eaton <beaton@google.com>
Content-Type: multipart/alternative; boundary="000e0cd375922e4716048b4a5784"
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] user-agent flow needs a rewrite
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 13 Jul 2010 20:01:50 -0000
On Tue, Jul 13, 2010 at 11:17 AM, Brian Eaton <beaton@google.com> wrote: > On Tue, Jul 13, 2010 at 9:42 AM, David Recordon <recordond@gmail.com> > wrote: > >> That strikes me as very odd - returning some params in the query, and > >> others in the fragment is just weird. > > > > I actually think that you want this – albiet odd – combination when > > requesting both a code and token. The code and state parameters are > needed > > by the server and thus are query parameters. The access token, scope, and > > expires in shouldn't be sent to the server via HTTP and thus are within > > the fragment for the JavaScript to access. > > The problem is that if you do it this way you end up busting the > browser cache. All of the performance improvements offered by the > user-agent profile are lost. > This is one of the key reasons imho. JavaScript can access the query and the fragment, so it would technically work in either case. But having the flexibility to choose where it goes saves on one round trip to the client application. For instance, in the Facebook SDK we would like to do this background ping, and save the code in a cookie and fire a JavaScript callback to let the client application know that one is available. The client application can then decide if it wants to trigger a network request to send the code to it's servers, or not. By allowing this data to come in the fragment, we can use a static endpoint (potentially served from a subdomain that goes to a CDN) and reduce the process to a single server request in the common case. -Naitik
- [OAUTH-WG] user-agent flow needs a rewrite Brian Eaton
- Re: [OAUTH-WG] user-agent flow needs a rewrite Eran Hammer-Lahav
- Re: [OAUTH-WG] user-agent flow needs a rewrite Brian Eaton
- Re: [OAUTH-WG] user-agent flow needs a rewrite Eran Hammer-Lahav
- Re: [OAUTH-WG] user-agent flow needs a rewrite Luke Shepard
- Re: [OAUTH-WG] user-agent flow needs a rewrite Eran Hammer-Lahav
- Re: [OAUTH-WG] user-agent flow needs a rewrite David Recordon
- Re: [OAUTH-WG] user-agent flow needs a rewrite Brian Eaton
- Re: [OAUTH-WG] user-agent flow needs a rewrite Eran Hammer-Lahav
- Re: [OAUTH-WG] user-agent flow needs a rewrite Blaine Cook
- Re: [OAUTH-WG] user-agent flow needs a rewrite Brian Eaton
- Re: [OAUTH-WG] user-agent flow needs a rewrite Naitik Shah
- Re: [OAUTH-WG] user-agent flow needs a rewrite Eran Hammer-Lahav
- Re: [OAUTH-WG] user-agent flow needs a rewrite Naitik Shah
- Re: [OAUTH-WG] user-agent flow needs a rewrite Eran Hammer-Lahav
- Re: [OAUTH-WG] user-agent flow needs a rewrite Brian Eaton
- Re: [OAUTH-WG] user-agent flow needs a rewrite Naitik Shah
- Re: [OAUTH-WG] user-agent flow needs a rewrite Bouiaw