On 2011-01-05, at 7:01 PM, Francisco Corella wrote:
> --- On Wed, 1/5/11, Marius Scurtescu wrote:
> > > This seems to be saying that the user's machine has a Web
> > > server running on it which is reachable from the Internet by
> > > sending an http request to the redirection URI. That's
> > >
--- On Wed, 1/5/11, Marius Scurtescu wrote:
> > This seems to be saying that the user's machine has a Web
> > server running on it which is reachable from the Internet by
> > sending an http request to the redirection URI. That's
> > unrealistic because the user's machine won't typically have
> >
Mike,
Thank you very much for sending the links to the artifact binding home page and
spec. I've had a quick look, and maybe I'm missing something, but it seems
that this completely ignores the problem of authenticating the relying party.
In section 7.4.1, the RP registers on the fly just by
On Wed, Jan 5, 2011 at 2:55 PM, Francisco Corella wrote:
>
> > Native application clients can be implemented in different
> > ways based on their requirements and desired end-user
> > experience. Native application clients can:
> >
> > o Utilize the end-user authorization endpoint as described in
Torsten,
> Agreed. So what is then the benefit of the approach you
> proposed with respect to native apps?
Do you mean why didn't I just choose one of the approaches
in section 2.3 or the OAuth spec? Here is what the spec
says:
(now quoting from the spec)
> Native application clients can be i
Francisco,
Torsten,
> Another question: how does the server validate the
> identity/authenticity of the client? In other words, what
> does a malicious app prevent from using the URL and server
> of another native app?
Let me rephrase your question (correct me if I'm wrong): can
a malicious native app obtai
In the next few weeks I plan to survey existing and planned implementations of
each feature of the specification and those components without at least 3
interoperable (or compliant) implementations will be a candidate for removal
from the specification (can still be published as an extension). T
You can read about the Artifact Binding at
https://bitbucket.org/openid/ab/wiki/Home. The latest draft is at
https://bitbucket.org/openid/ab/raw/c1eaac175dc8/openid-artifact-binding-1_0.html.
Nat Sakimura is actively updating the specification as we speak,
incorporating some of the ideas from