Re: [OAUTH-WG] SPA applications best practice

2017-02-27 Thread Samuel Erdtman
Hi Jim, If there is enough information I think such an RFC could be interesting in the same way as "OAuth 2.0 for Native Apps" ( https://tools.ietf.org/html/draft-ietf-oauth-native-apps-07) is for native apps. To see if the group also thinks so I would suggest to create a personal draft and ask it t

Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-device-flow-04.txt

2017-02-27 Thread William Denniss
My coauthors and I posted draft 04 of the OAuth 2.0 Device Flow for Browserless and Input Constrained Devices draft today. Key changes: 1. Title updated to reflect specificity of devices that use this flow. 2. User interaction section expanded. 3. OAuth 2.0 Metadata

[OAUTH-WG] I-D Action: draft-ietf-oauth-device-flow-04.txt

2017-02-27 Thread internet-drafts
A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the Web Authorization Protocol of the IETF. Title : OAuth 2.0 Device Flow for Browserless and Input Constrained Devices Authors : William Denniss

Re: [OAUTH-WG] review draft-ietf-oauth-native-apps-07

2017-02-27 Thread Samuel Erdtman
Thanks for the replies. If there are no formal guidelines from IETF I think we should just proceed; it is a good and informative spec, it was just to me it felt slightly off. Based on the conversation I have no objections taking this draft to RFC. //Samuel On Wed, Feb 22, 2017 at 12:09 AM, Justin

[OAUTH-WG] SPA applications best practice

2017-02-27 Thread Jim Manico
I've been collecting opinions about the best OAuth2 workflows for SPA applications and have come up with the following basic recommendations. 1) The more secure flow is going to be authorization code. Keep access tokens out of the DOM/Browser history. 2) Implicit flows are your only choice if y

[OAUTH-WG] review draft-ietf-oauth-native-apps-07

2017-02-27 Thread Sebastian.Ebling
Hi all, I have a question that relates to section B.2. Android Implementation Details. I understand this as a working group best practice. Unfortunately this does not necessarily meet the Google instruction for Android. There is a lot of documentation out there pointing to the Android Account M

[OAUTH-WG] review draft-ietf-oauth-native-apps-07

2017-02-27 Thread Sebastian.Ebling
Hi, there is a typo in B.4. Search for "are are" and replace it with "are". Best regards Sebastian -- Sebastian Ebling / sebastian.ebl...@telekom.de / +49 6151 5838207 Deutsche Telekom AG, Technology Enabling Platforms (PI-TEP)