[OAUTH-WG] Device Profile

Aiden Bell <aiden449@gmail.com> Tue, 02 August 2011 22:19 UTC

Date: Tue, 02 Aug 2011 23:19:10 +0100
Message-ID: <CA+5SmTVQ2M=U8DVKyfEes1JVkmhxwtdCL6=wY6JC7pxSBd6R3g@mail.gmail.com>
From: Aiden Bell <aiden449@gmail.com>
To: dr@fb.com, OAuth WG <oauth@ietf.org>
Subject: [OAUTH-WG] Device Profile


I am currently implementing the device profile described at

Wanted to check this hadn't been superseded by any other document or
though I did notice the Google implementation is in-line with this document.

Even though the summary states this is intended for limited input devices in
combination with a full user agent (PC browser, smartphone browser),

We are finding this extension useful for app authentication when the API
serving the app is "open". This means that many developers can create
mobile apps for one API, in conjunction with single users. For example,
many apps may exist for the same API, and a single user may use many

As a result, we want to remove the requirement for ever entering user
data (passwords etc) into apps, and allow a user to revoke app/device access
on a per-instance basis. The end-user concerns of password security are lessened here.

With OpenID or WebID in the mix, this further enhances the app/device
process as in an OpenID/WebID or similar setting, we can't always do
resource owner password credentials (as in 1.4.3 of OAuth 2.0
http://tools.ietf.org/html/draft-ietf-oauth-v2-20 )

Unless I am missing another document or flow that provides the above better,
(most likely I am)
perhaps it is worth extending the scope/summary of device-00?

Also, typo in the JSON

  HTTP/1.1 200 OK
  Content-Type: application/json
  Cache-Control: no-store


I think should be:

  HTTP/1.1 200 OK
  Content-Type: application/json
  Cache-Control: no-store



Never send sensitive or private information via email unless it is
encrypted. http://www.gnupg.org
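The flow the message is built on, as an added example that is not part of the original post, the draft, or Google's implementation: an in-memory model of the device profile in which the app never handles a password, the user approves on a full user agent, and each access token is bound to one app/device instance so it can be revoked individually. Parameter and error names follow what was later standardized in RFC 8628 (an assumption; the draft-00 wire names may differ), the client id "app1", the user "alice", the verification URI and the polling interval are constructed values, and the clock is injectable so the timing checks are deterministic.

```python
"""Added example, not the draft's or any vendor's code: a minimal device-flow
authorization server with per-instance revocation. Names follow RFC 8628
(assumption); all identifiers and sample values are constructed."""
import secrets
import time

AUTHORIZATION_PENDING = "authorization_pending"
INTERVAL = 5  # seconds a device must wait between token polls (constructed value)


class AuthorizationServer:
    def __init__(self, now=time.time):
        self.now = now            # injectable clock for deterministic tests
        self.pending = {}         # device_code -> pending authorization request
        self.by_user_code = {}    # user_code -> device_code (what the user types)
        self.tokens = {}          # access_token -> {client_id, user, device_code, revoked}

    def device_authorization(self, client_id, scope="", lifetime=600):
        """Leg 1: the limited-input device asks for a code pair. No user credentials
        are involved; the device only learns codes it must show or keep."""
        device_code = secrets.token_urlsafe(32)
        user_code = "-".join(secrets.token_hex(2).upper() for _ in range(2))
        while user_code in self.by_user_code:  # avoid a short-code collision
            user_code = "-".join(secrets.token_hex(2).upper() for _ in range(2))
        self.pending[device_code] = {
            "user_code": user_code, "client_id": client_id, "scope": scope,
            "approved_by": None, "expires_at": self.now() + lifetime, "last_poll": None,
        }
        self.by_user_code[user_code] = device_code
        # The real HTTP response carries Cache-Control: no-store, as in the draft.
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://as.example/device",  # constructed
                "expires_in": lifetime, "interval": INTERVAL}

    def approve(self, user_code, user):
        """Leg 2: called by the full user agent (PC/smartphone browser) after the
        resource owner authenticated there, e.g. via OpenID; the device is not involved."""
        device_code = self.by_user_code.get(user_code)
        if device_code is None or self.now() > self.pending[device_code]["expires_at"]:
            return False
        self.pending[device_code]["approved_by"] = user
        return True

    def token(self, client_id, device_code):
        """Leg 3: the device polls. Errors tell it to keep waiting, back off, or give up."""
        req = self.pending.get(device_code)
        if req is None or req["client_id"] != client_id:
            return {"error": "invalid_grant"}
        if self.now() > req["expires_at"]:
            del self.pending[device_code]
            del self.by_user_code[req["user_code"]]
            return {"error": "expired_token"}
        if req["last_poll"] is not None and self.now() - req["last_poll"] < INTERVAL:
            req["last_poll"] = self.now()
            return {"error": "slow_down"}
        req["last_poll"] = self.now()
        if req["approved_by"] is None:
            return {"error": AUTHORIZATION_PENDING}
        # Success consumes the device_code: a replay cannot mint a second token.
        del self.pending[device_code]
        del self.by_user_code[req["user_code"]]
        access_token = secrets.token_urlsafe(32)
        self.tokens[access_token] = {"client_id": client_id, "user": req["approved_by"],
                                     "device_code": device_code, "revoked": False}
        return {"access_token": access_token, "token_type": "bearer"}

    def introspect(self, access_token):
        t = self.tokens.get(access_token)
        return t is not None and not t["revoked"]

    def list_instances(self, user):
        """What a 'manage my devices' page would show: one row per live instance."""
        return [(tok, t["client_id"]) for tok, t in self.tokens.items()
                if t["user"] == user and not t["revoked"]]

    def revoke(self, user, access_token):
        """Per-instance revocation: only the owning user may revoke, and only this token."""
        t = self.tokens.get(access_token)
        if t is None or t["user"] != user:
            return False
        t["revoked"] = True
        return True


def run_demo():
    """Two installs of the same app for one user; revoking one leaves the other working."""
    clock = [1000.0]
    srv = AuthorizationServer(now=lambda: clock[0])
    a = srv.device_authorization("app1")
    b = srv.device_authorization("app1")
    out = {"first_poll": srv.token("app1", a["device_code"])["error"]}
    out["fast_poll"] = srv.token("app1", a["device_code"])["error"]   # polled too soon
    clock[0] += INTERVAL
    srv.approve(a["user_code"], "alice")
    srv.approve(b["user_code"], "alice")
    tok_a = srv.token("app1", a["device_code"])["access_token"]
    tok_b = srv.token("app1", b["device_code"])["access_token"]
    out["replay"] = srv.token("app1", a["device_code"])["error"]
    out["instances_before"] = len(srv.list_instances("alice"))
    srv.revoke("alice", tok_a)
    out["a_valid"], out["b_valid"] = srv.introspect(tok_a), srv.introspect(tok_b)
    out["instances_after"] = len(srv.list_instances("alice"))
    return out


if __name__ == "__main__":
    print(run_demo())
```

Two design points carry the message's argument: the token is keyed to the device_code that produced it rather than to the client_id, which is what makes "many instances of one app, revoked one at a time" possible, and the device_code is consumed on success so a leaked code from the polling leg cannot be replayed for a second token.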