On Tue, Aug 2, 2011 at 3:19 PM, Aiden Bell <aiden...@gmail.com> wrote:
> Hi,
>
> I am currently implementing the device profile described at
> http://tools.ietf.org/html/draft-recordon-oauth-v2-device-00
>
> Wanted to check this hadn't been superseded by any other document or
> protocol
> though I did notice the Google implementation is in-line with this document.

Google's implementation is close, but it is not following the
extension to the letter. Mostly because the OAuth 2 spec evolved since
the extension was written. Here is the documentation:
http://code.google.com/apis/accounts/docs/OAuth2ForDevices.html

Marius

> Even though the summary states this is intended for limited input devices in
> combination with a full user agent (PC browser, smartphone browser),
>
> We are finding this extension useful for app authentication when the API
> serving the app is "open". This means that many developers can create
> mobile apps for one API, in conjunction with single users. For example,
> many apps may exist for the same API, and a single user may use many
> apps.
>
> As a result, we want to remove the requirement for ever entering user
> account-specific
> data (passwords etc) into apps, and allow a user to revoke app/device access
> on a per-instance
> basis. The end-user concerns of password security are lessened here.
>
> With OpenID or WebID in the mix, this further enhances the app/device
> authentication
> process as in an OpenID/WebID or similar setting, we can't always do
> resource owner password
> credentials (as in 1.4.3 of OAuth 2.0
> http://tools.ietf.org/html/draft-ietf-oauth-v2-20 )
>
> Unless I am missing another document or flow that provides the above better,
> (most likely I am)
> perhaps it is worth extending the scope/summary of device-00?
>
> Also, typo in the JSON
>
>   HTTP/1.1 200 OK
>   Content-Type: application/json
>   Cache-Control: no-store
>
>   {
>     "device_code":"74tq5miHKB",
>     "user_code":"94248",
>     "verification_uri":"http://www.example.com/device",
>      "interval"=5
>    }
>
> I think should be:
>
>   HTTP/1.1 200 OK
>   Content-Type: application/json
>   Cache-Control: no-store
>
>   {
>      "device_code":"74tq5miHKB",
>      "user_code":"94248",
>      "verification_uri":"http://www.example.com/device",
>      "interval":5
>   }
>
> Thanks,
> Aiden
>
> --
> ------------------------------------------------------------------
> Never send sensitive or private information via email unless it is
> encrypted. http://www.gnupg.org
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
>