Hello everybody,

I am currently working on a project related to authentication and
secure token transfer between multiple devices. As such we are employing
a simple protocol that handles token transfers independent of the actual
type of token. We have adapted the protocol to be used with OAuth tokens
and submitted it as an Internet Draft:
http://tools.ietf.org/html/draft-neumann-oauth-token-transfer

I was wondering if there is interest in employing such a protocol in
cases where the HTTP redirection schemes of OAuth are not available or
not working well (e.g. desktop applications without access to a user
agent or authentication from a different device/application than the one
accessing the consumer).

Compared to other proposals such as
draft-dehora-farrell-oauth-accesstoken-creds the STTP is more
heavyweight but in turn it also has more options. With regard to
authentication we didn't use SASL for complexity reasons in our work
initially but I don't see any reason not to include it if this is deemed
more appropriate.

The work that the draft is based on is still ongoing. Please understand
the draft as no more than a discussion proposal on how OAuth could be
opened to non-web-based environments and scenarios that involve multiple
devices without overloading the OAuth specification itself. I am happy
to further improve the draft if you think this might be a viable option.

Best regards
Niklas
--
Niklas Neumann - University of Goettingen, Institute of Computer Science
http://user.informatik.uni-goettingen.de/~nneuman1/
Tel: +49 551 39-172053
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth