Re: [OAUTH-WG] OAuth 2.0 Mobile WebApp Flow

2010-06-09 Thread Nat Sakimura
That's right. It would help various extensions as well. On Thu, Jun 10, 2010 at 8:05 AM, John Panzer wrote: > So the thinking is that this is just a generic "include" or "one level of > indirection" feature that is orthogonal to other flows? > > FWIW, I really like that notion. It's also very e

Re: [OAUTH-WG] Questions about sections 3.2/3.3

2010-06-09 Thread Eran Hammer-Lahav
Please do. EHL > -Original Message- > From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf > Of Peter Saint-Andre > Sent: Wednesday, June 09, 2010 6:38 PM > To: oauth@ietf.org > Subject: Re: [OAUTH-WG] Questions about sections 3.2/3.3 > > On 6/9/10 6:42 PM, Michael D Ad

Re: [OAUTH-WG] Questions about sections 3.2/3.3

2010-06-09 Thread Peter Saint-Andre
On 6/9/10 6:42 PM, Michael D Adams wrote: > On Tue, Jun 8, 2010 at 3:10 PM, Eran Hammer-Lahav wrote: >>> From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf Of >>> Yaron Goland >>> Section 3.3 - Is TLS/SSL mandatory or optional? And if so, what version of >>> TLS/SSL? >> >> Is

Re: [OAUTH-WG] Questions about sections 3.2/3.3

2010-06-09 Thread Michael D Adams
On Tue, Jun 8, 2010 at 3:10 PM, Eran Hammer-Lahav wrote: >> From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf Of >> Yaron Goland >> Section 3.3 - Is TLS/SSL mandatory or optional? And if so, what version of >> TLS/SSL? > > Is it ok to require TLS 1.2? > >> To me this text imp

Re: [OAUTH-WG] polling in the device flow

2010-06-09 Thread David Recordon
I think long polling came up at the face to face and we decided to not fundamentally change how the flow works until we have implementation experience. I'm fine with using 503 since it's not really a fundamental change. --David On Wed, Jun 9, 2010 at 4:51 PM, Dirk Balfanz wrote: > On Wed, Jun

Re: [OAUTH-WG] polling in the device flow

2010-06-09 Thread Dirk Balfanz
On Wed, Jun 9, 2010 at 12:17 AM, Torsten Lodderstedt < tors...@lodderstedt.net> wrote: > Using mechanisms provided by the HTTP protocol sounds reasonable to me. > > I see two questions: > > 1) Is 503 intended for that purpose? > http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html says: "The ser

Re: [OAUTH-WG] polling in the device flow

2010-06-09 Thread Dirk Balfanz
On Wed, Jun 9, 2010 at 10:58 AM, David Recordon wrote: > Unless I'm misreading the Timeouts spec, it defines a HTTP request > header which the client uses to tell the server how long it will wait. > That's how I read them, too. But that might be an alternative way to pick up the token in the dev

Re: [OAUTH-WG] OAuth 2.0 Mobile WebApp Flow

2010-06-09 Thread Dirk Balfanz
On Wed, Jun 9, 2010 at 4:05 PM, John Panzer wrote: > So the thinking is that this is just a generic "include" or "one level of > indirection" feature that is orthogonal to other flows? > > FWIW, I really like that notion. It's also very easy to describe and > understand conceptually. > +1 How

Re: [OAUTH-WG] proposal for factoring out request signing in OAuth 2

2010-06-09 Thread William Mills
I thought perhaps the most game changing suggestion on signatures was saying "the client has to know what it's sending to sign". Much of the complexity of the 1.0 signatures was agreeing on what was signed. Was there strong objection to making this simplifying assumption? I think signatures have

Re: [OAUTH-WG] OAuth 2.0 Mobile WebApp Flow

2010-06-09 Thread John Panzer
So the thinking is that this is just a generic "include" or "one level of indirection" feature that is orthogonal to other flows? FWIW, I really like that notion. It's also very easy to describe and understand conceptually. -- John Panzer / Google jpan...@google.com / abstractioneer.org

Re: [OAUTH-WG] A display parameter for user authorization requests

2010-06-09 Thread Eran Hammer-Lahav
-07 will include an initial extensibility model (which I need as well for the discovery parameters, signature proposal, etc.) EHL On 6/9/10 12:27 PM, "record...@gmail.com" wrote: I believe that Eran is separately working on documenting the extension model. Let's leave that discussion for anot

[OAUTH-WG] Recommended token format

2010-06-09 Thread Christian Holm
Hi We are in the process of defining a REST interface for our application, and are looking to use OAuth 2 as the authentication mechanism. I have read through the latest specification, and it seems like a perfect fit for our needs. Our main dilemma is with regard to the format of the access token.

Re: [OAUTH-WG] A display parameter for user authorization requests

2010-06-09 Thread Breno de Medeiros
On Wed, Jun 9, 2010 at 12:27, David Recordon wrote: > I believe that Eran is separately working on documenting the extension > model. Let's leave that discussion for another thread. Sounds good. > > > On Wed, Jun 9, 2010 at 12:23 PM, Breno de Medeiros wrote: >> On Wed, Jun 9, 2010 at 12:06, Dav

Re: [OAUTH-WG] A display parameter for user authorization requests

2010-06-09 Thread David Recordon
I believe that Eran is separately working on documenting the extension model. Let's leave that discussion for another thread. On Wed, Jun 9, 2010 at 12:23 PM, Breno de Medeiros wrote: > On Wed, Jun 9, 2010 at 12:06, David Recordon wrote: >> First draft of the UX Extension is at >> http://github

Re: [OAUTH-WG] A display parameter for user authorization requests

2010-06-09 Thread Breno de Medeiros
On Wed, Jun 9, 2010 at 12:06, David Recordon wrote: > First draft of the UX Extension is at > http://github.com/daveman692/OAuth-2.0/raw/master/draft-recordon-oauth-v2-ux-00.txt. > > Eran, I'm more than happy to have you take over as editor. > > I included Allen and Breno as authors since I follow

[OAUTH-WG] draft-hardjono-oauth-kerberos-00.txt

2010-06-09 Thread Thomas Hardjono
I was prompted to write this draft after the OAuth WG meeting at the last IETF in March, in which several folks in the room were comparing OAuth with Kerberos. Some people also suggested to me that a comparative doc might be useful. http://www.ietf.org/internet-drafts/draft-hardjono-oauth-kerberos

Re: [OAUTH-WG] A display parameter for user authorization requests

2010-06-09 Thread David Recordon
First draft of the UX Extension is at http://github.com/daveman692/OAuth-2.0/raw/master/draft-recordon-oauth-v2-ux-00.txt. Eran, I'm more than happy to have you take over as editor. I included Allen and Breno as authors since I followed Allen's suggestion and adopted the language preference param

Re: [OAUTH-WG] polling in the device flow

2010-06-09 Thread David Recordon
Unless I'm misreading the Timeouts spec, it defines an HTTP request header which the client uses to tell the server how long it will wait. That's a different problem from the server telling the client to back off its request rate. A 503 with a Retry-After header seems reasonable. We should specify

Re: [OAUTH-WG] OAuth 2 for Native Apps

2010-06-09 Thread Marius Scurtescu
Sure, will do that. Marius On Wed, Jun 9, 2010 at 10:59 AM, David Recordon wrote: > Want to put this on the wiki http://wiki.oauth.net/? > > > On Mon, Jun 7, 2010 at 12:25 PM, Marius Scurtescu > wrote: >> Hi, >> >> I attached a document that summarizes how native applications can use OAuth 2.

Re: [OAUTH-WG] OAuth 2 for Native Apps

2010-06-09 Thread David Recordon
Want to put this on the wiki http://wiki.oauth.net/? On Mon, Jun 7, 2010 at 12:25 PM, Marius Scurtescu wrote: > Hi, > > I attached a document that summarizes how native applications can use OAuth 2. > > Feedback more than welcome, especially if you have experience with > native apps and OAuth. >

Re: [OAUTH-WG] native app support (was: Next draft)

2010-06-09 Thread Torsten Lodderstedt
Oops, I misread this point. So +1 for 3), too. regards, Torsten. On 09.06.2010 18:45, Marius Scurtescu wrote: On Wed, Jun 9, 2010 at 12:42 AM, Torsten Lodderstedt wrote: 3) I would rather add the user_code as optional URL parameter to the device flow. Are you suggesting the sam

Re: [OAUTH-WG] native app support (was: Next draft)

2010-06-09 Thread Marius Scurtescu
On Wed, Jun 9, 2010 at 12:42 AM, Torsten Lodderstedt wrote: > 3) I would rather add the user_code as optional URL parameter to the device > flow. Are you suggesting the same thing? That the endpoint at verification_uri should accept an optional user_code query parameter? Marius

Re: [OAUTH-WG] User-agent flow and pre-registered redirect_uri

2010-06-09 Thread Marius Scurtescu
On Tue, Jun 8, 2010 at 11:20 PM, Andrew Arnott wrote: > Marius, > > You seem to be coming from the perspective that the auth server stores > authorizations (that would eliminate the need for the user to interactively > approve an authorization) based on redirect_url rather than client_id.  Is > th

Re: [OAUTH-WG] [WRAP] WRAP in GSMA OneAPI

2010-06-09 Thread Kevin Smith
Hi David, Blaine, We (the OneAPI group) have been looking further into OAUTH 2.0 and would like to see how it can work in a mobile network scenario: for example, a desktop Web application wants to locate a mobile user to plot their location on a map. So the client is the Web application and the se

Re: [OAUTH-WG] polling in the device flow

2010-06-09 Thread Manger, James H
> What conclusions would you draw from this internet-draft? > Shall we move for long polling and "Timeout" headers? I have not been following the polling issue deeply, but I agree with Dirk that OAuth2 should try to leave the polling issue to other specs as much as possible. Suggesting long poll

Re: [OAUTH-WG] draft-ietf-oauth-v2-06

2010-06-09 Thread Peter Saint-Andre
On 6/9/10 7:30 AM, Thomas Hardjono wrote: > Is there a diff version of this draft (eg. a marked PDF say)? Check the two "diff" links at the top of the page here: http://tools.ietf.org/html/draft-ietf-oauth-v2-06 /psa

Re: [OAUTH-WG] draft-ietf-oauth-v2-06

2010-06-09 Thread Thomas Hardjono
Is there a diff version of this draft (eg. a marked PDF say)? ps. I know the IETF doesn't do PDFs, but I thought I'd ask anyways :) /thomas/ > -Original Message- > From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf Of > Er

[OAUTH-WG] proposal: multiple access tokens from a single authorization flow

2010-06-09 Thread Torsten Lodderstedt
Hi all, I would like to see support in OAuth2 for the authorization of arbitrary scopes in a single authorization flow for all kinds of deployments. In some deployments this may require issuing multiple access tokens at once. Therefore, I would like to propose the following addition to secti

Re: [OAUTH-WG] polling in the device flow

2010-06-09 Thread Torsten Lodderstedt
What conclusions would you draw from this internet-draft? Shall we move for long polling and "Timeout" headers? regards, Torsten. On 09.06.2010 09:29, Manger, James H wrote: Right on cue a new internet-draft covering the HTTP polling issue has just appeared: Hypertext Transfer Protocol (

Re: [OAUTH-WG] native app support (was: Next draft)

2010-06-09 Thread Torsten Lodderstedt
1) +1 2) +1 - OAuth 1.0a had "oob", why not for that purpose 3) I would rather add the user_code as optional URL parameter to the device flow. 4) What about an additional best practices document? regards, Torsten. On 08.06.2010 19:46, Marius Scurtescu wrote: In order to properly support nat

Re: [OAUTH-WG] polling in the device flow

2010-06-09 Thread Manger, James H
Right on cue a new internet-draft covering the HTTP polling issue has just appeared: Hypertext Transfer Protocol (HTTP) Timeouts draft-loreto-http-timeout [June 2010] See also: Best Practices for the Use of Long Polling and Strea

Re: [OAUTH-WG] polling in the device flow

2010-06-09 Thread Torsten Lodderstedt
Using mechanisms provided by the HTTP protocol sounds reasonable to me. I see two questions: 1) Is 503 intended for that purpose? http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html says: "The server is currently unable to handle the request due to a temporary overloading or maintenance of
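The back-off mechanism the polling thread converges on (David Recordon's "503 with a Retry-After header" above, and Torsten's question here about whether 503 is meant for that) is easy to get wrong on the client side: a device that ignores Retry-After keeps hammering the token endpoint, and one that trusts it blindly can be parked for hours by a bad or hostile header. The following is an added example written for this page, not code from the OAuth working group drafts or any listed implementation. It simulates a device-flow client polling a scripted, in-memory token endpoint; the request parameter names, the "authorization_pending" error string, and all response bodies are assumptions constructed for the demo, and Retry-After is handled in its delta-seconds form only (RFC 2616 also allows an HTTP-date, which here falls back to a default).

```python
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Response:
    """Minimal HTTP response view: status code, headers, parsed JSON body."""
    status: int
    headers: Dict[str, str] = field(default_factory=dict)
    body: Dict[str, str] = field(default_factory=dict)


class ScriptedTokenEndpoint:
    """Constructed stand-in for the token endpoint: replays a fixed script
    of responses and counts how many times the device polled it."""

    def __init__(self, script: List[Response]) -> None:
        self.script = list(script)
        self.calls = 0

    def post(self, params: Dict[str, str]) -> Response:
        self.calls += 1
        if not self.script:
            raise RuntimeError("scripted endpoint exhausted")
        return self.script.pop(0)


def parse_retry_after(value: Optional[str], default: int) -> int:
    """Retry-After as delta-seconds. A missing, negative or unparsable value
    (including the RFC 2616 HTTP-date form, not handled here) yields `default`."""
    if value is None:
        return default
    try:
        return max(int(value.strip()), 0)
    except ValueError:
        return default


class PollError(Exception):
    pass


def poll_for_token(endpoint, device_code: str, interval: int = 5,
                   max_attempts: int = 10, min_delay: int = 1, max_delay: int = 60,
                   sleep: Callable[[float], None] = time.sleep) -> Tuple[Dict[str, str], List[int]]:
    """Poll the token endpoint until a token is issued.

    Returns (token body, list of delays slept). Rules:
      200                           -> token issued, stop.
      503                           -> server asks us to back off: honour Retry-After
                                       (delta-seconds), fall back to 2x the base
                                       interval if absent/unparsable, and clamp to
                                       [min_delay, max_delay] so a buggy or hostile
                                       header can neither park the device for hours
                                       nor tell it to retry every 0 seconds.
      400 + "authorization_pending" -> (assumed error name) keep the base interval.
      anything else                 -> give up rather than loop on unknown errors.
    """
    delays: List[int] = []
    params = {"device_code": device_code}  # assumed parameter name, not the draft's
    for _ in range(max_attempts):
        r = endpoint.post(params)
        if r.status == 200 and "access_token" in r.body:
            return r.body, delays
        if r.status == 503:
            # Real HTTP clients expose headers case-insensitively; the scripted
            # endpoint uses the canonical spelling, so a plain lookup suffices here.
            delay = parse_retry_after(r.headers.get("Retry-After"), default=2 * interval)
            delay = min(max(delay, min_delay), max_delay)
        elif r.status == 400 and r.body.get("error") == "authorization_pending":
            delay = interval
        else:
            raise PollError(f"unexpected response {r.status}: {r.body}")
        delays.append(delay)
        sleep(delay)
    raise PollError(f"gave up after {max_attempts} attempts")


def demo_script() -> List[Response]:
    """Constructed sample exchange: pending twice, a 503 back-off, pending, token."""
    pending = Response(400, {}, {"error": "authorization_pending"})
    return [
        pending, pending,
        Response(503, {"Retry-After": "30"}, {}),
        pending,
        Response(200, {}, {"access_token": "example-token"}),  # constructed value
    ]


def run_demo() -> Tuple[Dict[str, str], List[int], int]:
    """Run the scripted exchange without really sleeping; returns
    (token body, delays the client would have slept, number of polls)."""
    ep = ScriptedTokenEndpoint(demo_script())
    body, delays = poll_for_token(ep, "dc-123", sleep=lambda s: None)
    return body, delays, ep.calls


if __name__ == "__main__":
    print(run_demo())  # ({'access_token': 'example-token'}, [5, 5, 30, 5], 5)
```

The clamp on Retry-After is the part worth keeping whatever the draft ends up saying: the server legitimately controls the polling rate, but the device should still bound how long it will wait on a single header and how many total attempts it makes before treating the authorization as failed.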

[OAUTH-WG] draft-ietf-oauth-v2-06

2010-06-09 Thread Eran Hammer-Lahav
(Should show up any minute.) This is mostly pre-meeting feedback, plus some big removals of signatures and discovery. o Editorial changes, corrections, clarifications, etc. o Removed conformance section. o Moved authors section to contributors appendix. o Added section on native

[OAUTH-WG] I-D Action:draft-ietf-oauth-v2-06.txt

2010-06-09 Thread Internet-Drafts
A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the Open Authentication Protocol Working Group of the IETF. Title : The OAuth 2.0 Protocol Author(s) : E. Hammer-Lahav, et al. Filename: dr