Re: [OAUTH-WG] Concerns about Implicit Grant flow

2011-07-06 Thread Eran Hammer-Lahav
What triggers this flow? If you are using the authorization endpoint with a different response_type, it would be helpful if you shared that with the wg as currently, that's simply not allowed (the values are not extensible). I am going to change that in -17, but based on the requirement presente

Re: [OAUTH-WG] Concerns about Implicit Grant flow

2011-07-06 Thread Eran Hammer-Lahav
sday, July 06, 2011 1:08 PM To: oauth@ietf.org Subject: [OAUTH-WG] Concerns about Implicit Grant flow Hello! Foursquare recently encountered a scary example of a client accidentally leaking user tokens as part of the implicit grant flow. It turns out the official "Tweet this" button

Re: [OAUTH-WG] Concerns about Implicit Grant flow

2011-07-06 Thread Eran Hammer-Lahav
.@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf Of Brian Eaton Sent: Wednesday, July 06, 2011 1:42 PM To: Justin Richer Cc: Kushal Dave; oauth@ietf.org Subject: Re: [OAUTH-WG] Concerns about Implicit Grant flow On Wed, Jul 6, 2011 at 1:31 PM, Justin Richer mailto:jric...@mitre.org>> wrot

Re: [OAUTH-WG] Concerns about Implicit Grant flow

2011-07-06 Thread Justin Richer
> > - give out authorization codes via the user-agent flow. We've > implemented a variation of this based on HTML5 and window.postMessage. > Caveat: This will run you off-spec. > - use a fixed callback URL for the user-agent flow. Make sure that > fixed callback URL does not run random bits o

Re: [OAUTH-WG] Concerns about Implicit Grant flow

2011-07-06 Thread Brian Eaton
On Wed, Jul 6, 2011 at 1:31 PM, Justin Richer wrote: > You can still use the access code (web server) flow within a JavaScript > application, just without a reliable client secret. The point of the > "implicit" flow was to save a roundtrip to the server for light clients > with limited lifespans,

Re: [OAUTH-WG] Concerns about Implicit Grant flow

2011-07-06 Thread Karim
Correct me if i'm wrong, this case is handled by the nonce and time-stamp values ? On 6 July 2011 22:31, Justin Richer wrote: > You can still use the access code (web server) flow within a JavaScript > application, just without a reliable client secret. The point of the > "implicit" flow was to

Re: [OAUTH-WG] Concerns about Implicit Grant flow

2011-07-06 Thread Justin Richer
You can still use the access code (web server) flow within a JavaScript application, just without a reliable client secret. The point of the "implicit" flow was to save a roundtrip to the server for light clients with limited lifespans, and it's a tradeoff between security, ease of implementation,

[OAUTH-WG] Concerns about Implicit Grant flow

2011-07-06 Thread Kushal Dave
Hello! Foursquare recently encountered a scary example of a client accidentally leaking user tokens as part of the implicit grant flow. It turns out the official "Tweet this" button provided by twitter grabs the URL, including fragment, at the time of page load, before the client's Javascript has
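The failure mode Kushal describes, and the ordering that avoids it, as an added example that is not part of the thread or of any of the posters' code. It runs in Node with no browser: the redirect URL, hostname and token value are constructed sample data, `shareWidgetSnapshot` is a stand-in for any third-party script (such as a "Tweet this" button) that records `location.href` when it runs, and the browser call the client is assumed to use for clearing the fragment is `history.replaceState`, which the example only names in a comment.

```javascript
// Added example (not from the thread): an access token delivered in the URL
// fragment by the OAuth 2.0 implicit grant is visible to every script that
// reads location.href before the client removes it. Which script runs first
// decides whether a third-party widget captures the token.

// Constructed sample redirect from the authorization server (RFC 6749 §4.2.2
// puts the token in the fragment, encoded like a query string). Hostname and
// token value are made up.
const REDIRECT_URL =
  'https://client.example/callback#access_token=tok_abc123&token_type=bearer&expires_in=3600&state=xyz';

// Parse the fragment into a plain object of key/value pairs.
function parseFragment(href) {
  const url = new URL(href);
  const params = new URLSearchParams(url.hash.replace(/^#/, ''));
  return Object.fromEntries(params.entries());
}

// Return the URL with the fragment removed. In a real page the client does the
// equivalent with history.replaceState(null, '', location.pathname + location.search)
// so that later reads of location.href no longer contain the token.
function stripFragment(href) {
  const url = new URL(href);
  url.hash = '';
  return url.toString();
}

// Stand-in for a third-party widget that snapshots the page URL at load time,
// the behaviour the original post attributes to the "Tweet this" button.
function shareWidgetSnapshot(location) {
  return { sharedUrl: location.href };
}

// True if a URL or URL-like string still carries an access_token parameter.
function containsToken(s) {
  return /(^|[#&?])access_token=/.test(s);
}

// Scenario 1: the widget's script runs before the client's own script.
// The client still gets its token, but so does the widget.
function widgetBeforeClient(href) {
  const location = { href };                            // simulated window.location
  const snapshot = shareWidgetSnapshot(location);       // widget sees the fragment
  const token = parseFragment(location.href).access_token;
  location.href = stripFragment(location.href);         // too late to help
  return { token, leaked: containsToken(snapshot.sharedUrl) };
}

// Scenario 2: an inline script at the top of the page consumes and strips the
// fragment before any third-party script tag is reached.
function clientBeforeWidget(href) {
  const location = { href };
  const token = parseFragment(location.href).access_token;
  location.href = stripFragment(location.href);         // fragment gone
  const snapshot = shareWidgetSnapshot(location);       // widget sees a clean URL
  return { token, leaked: containsToken(snapshot.sharedUrl) };
}

console.log('widget first :', widgetBeforeClient(REDIRECT_URL));
console.log('client first :', clientBeforeWidget(REDIRECT_URL));
```

The consume-and-strip step only helps if it is guaranteed to run first, which in practice means a synchronous inline script placed in the document head before any third-party script tag; an `async` or `defer` script gives no such ordering guarantee. Even then the token has already been in the address bar, browser history and any referrer sent from the page, which is why the replies above suggest avoiding the fragment altogether: hand out an authorization code instead, or use a fixed callback page that loads no third-party script at all.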