urn:ietf:wg:oauth:2.0:oob is a Google thing that is not part of the OAuth 2 specification.

I think it was mostly a Windows thing. It is not a real redirect URI; it is used as a flag to the authorization server to have the result returned "Out Of Band", and the user cuts and pastes the token. On Windows, applications could snoop the title bars of other apps and so programmatically retrieve the token value from the title bar. I don't really want to put effort into expanding all the reasons this is not secure. I don't honestly know what would happen if you sent that redirect URI to a non-Google AS; probably nothing good. It is not part of the OAuth specification and not something people should use without having a good reason and understanding the security implications.

William and I documented several ways to implement native applications on OSX and Windows in RFC 8252. On Windows you are really best off using a UWP app and the native token broker with the code flow.

Documentation: https://developers.google.com/api-client-library/python/auth/installed-app

"This value signals to the Google Authorization Server that the authorization code should be returned in the title bar of the browser, with the page text prompting the user to copy the code and paste it in the application. This is useful when the client (such as a Windows application) cannot listen on an HTTP port without significant client configuration. When you use this value, your application can then detect that the page has loaded, and can read the title of the HTML page to obtain the authorization code. It is then up to your application to close the browser window if you want to ensure that the user never sees the page that contains the authorization code. The mechanism for doing this varies from platform to platform. If your platform doesn't allow you to detect that the page has loaded or read the title of the page, you can have the user paste the code back to your application, as prompted by the text in the confirmation page that the OAuth 2.0 server generates."

John B.
> On Oct 10, 2017, at 8:22 AM, Jim Willeke <j...@willeke.com> wrote:
>
> Wondering if you could help with questions on urn:ietf:wg:oauth:2.0:oob as it
> appears to be an almost common usage, but no IETF documentation or
> registration that we can find on the defined usage.
>
> This has come up on several occasions.
> https://stackoverflow.com/q/46643795/88122
> http://lists.jboss.org/pipermail/keycloak-dev/2014-May/001814.html
> https://github.com/doorkeeper-gem/doorkeeper/issues/514
> https://www.ietf.org/mail-archive/web/oauth/current/msg09974.html
>
> Should it be registered or defined?
> (or am I missing something?)
>
> With best regards,
>
> --
> -jim
> Jim Willeke
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
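The reply above makes two points an authorization server operator can act on: the oob URN is not a redirect URI at all and should not be accepted by an AS that has not deliberately implemented Google's out-of-band convention, and the RFC 8252 alternative for native apps is a loopback or claimed redirect with the code flow. The following is an added example, not code from the thread, from John Bradley, from Google or from any AS project, of how an AS might validate a native client's redirect_uri along those lines. The function names, the registered-URI set and the sample requests are constructed for illustration; the matching rules assumed are exact string comparison for registered URIs (RFC 6749 section 3.1.2.3), a port-insensitive comparison for loopback redirects (RFC 8252 section 7.3), and no special treatment of "localhost" (RFC 8252 section 8.3 recommends the literal loopback addresses instead).

```python
"""Redirect URI validation for native-app clients (added example, not from
the mailing-list thread or from any real authorization server).

Rules implemented (assumptions stated in the lead-in):
  * urn:ietf:wg:oauth:2.0:oob is refused outright: it is a Google-specific
    pseudo-URI, not part of OAuth 2, and the code it produces is exposed in
    a browser title bar that other local applications may be able to read.
  * Any other redirect_uri must match a registered URI exactly, except that
    for loopback redirects (http://127.0.0.1/... or http://[::1]/...) the port
    may differ, because the native app binds an ephemeral port at run time.
"""
from urllib.parse import urlsplit

OOB_URN = "urn:ietf:wg:oauth:2.0:oob"

# RFC 8252 section 8.3 recommends the literal loopback addresses rather than
# "localhost", so "localhost" is deliberately NOT treated as loopback here and
# falls back to the exact-match rule.
LOOPBACK_HOSTS = {"127.0.0.1", "::1"}


def is_loopback_redirect(uri):
    """True for http URIs whose host is a literal loopback address."""
    parts = urlsplit(uri)
    # urlsplit().hostname strips IPv6 brackets and lower-cases the host.
    return parts.scheme == "http" and parts.hostname in LOOPBACK_HOSTS


def redirect_uri_allowed(requested, registered_uris):
    """Decide whether `requested` may be used as redirect_uri for a client
    whose registered redirect URIs are `registered_uris`.

    Returns (allowed: bool, reason: str) so the AS can log why a request was
    rejected without leaking the registered set to the caller.
    """
    if requested == OOB_URN:
        return False, ("oob pseudo-URI refused: not an OAuth 2 redirect URI; "
                       "use a loopback or claimed redirect per RFC 8252")

    # Exact string match: no normalisation, no prefix matching, no path
    # traversal tricks (RFC 6749 section 3.1.2.3).
    if requested in registered_uris:
        return True, "exact match with registered redirect URI"

    # Loopback exception: port may vary, everything else must be identical
    # (RFC 8252 section 7.3).
    if is_loopback_redirect(requested):
        req = urlsplit(requested)
        for reg in registered_uris:
            if not is_loopback_redirect(reg):
                continue
            r = urlsplit(reg)
            if (r.hostname == req.hostname and r.path == req.path
                    and r.query == req.query and r.fragment == req.fragment):
                return True, "loopback match ignoring port (RFC 8252 section 7.3)"

    return False, "no registered redirect URI matches"


# Constructed sample registration and requests for a demonstration run.
SAMPLE_REGISTERED = {
    "http://127.0.0.1/callback",          # loopback, port chosen at run time
    "http://[::1]/callback",
    "https://app.example.com/oauth/cb",   # claimed HTTPS redirect
}

SAMPLE_REQUESTS = [
    OOB_URN,
    "http://127.0.0.1:51234/callback",
    "http://[::1]:51234/callback",
    "http://localhost:51234/callback",
    "https://app.example.com/oauth/cb",
    "https://app.example.com/oauth/cb/../evil",
    "http://127.0.0.1:51234/callback?next=1",
]


def demo():
    """Run the sample requests and return {uri: allowed} for inspection."""
    results = {}
    for uri in SAMPLE_REQUESTS:
        allowed, reason = redirect_uri_allowed(uri, SAMPLE_REGISTERED)
        results[uri] = allowed
        print(f"{'ALLOW' if allowed else 'DENY ':5} {uri}  ({reason})")
    return results


if __name__ == "__main__":
    demo()
```

The deny reasons are meant for the AS's own log, not for the error response to the client; a redirect_uri mismatch is exactly the case where RFC 6749 says the AS must not redirect and should instead inform the resource owner directly.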