Re: [OAUTH-WG] oauth2 implicit flow user experience

2011-05-11 Thread Breno
On Wed, May 11, 2011 at 3:26 PM, Lodderstedt, Torsten < t.lodderst...@telekom.de> wrote: > > > > Through registration and redirect URI validation. A native app does > > not have to impersonate, they can just register a user-agent client. > > Everything boils down to the user trusting the app. As B

Re: [OAUTH-WG] oauth2 implicit flow user experience

2011-05-11 Thread Lodderstedt, Torsten
> > Through registration and redirect URI validation. A native app does > not have to impersonate, they can just register a user-agent client. > Everything boils down to the user trusting the app. As Breno mentions, > nothing the spec can do to help with that. It could recommend the authorization

Re: [OAUTH-WG] oauth2 implicit flow user experience

2011-05-11 Thread Marius Scurtescu
On Wed, May 11, 2011 at 11:44 AM, Lodderstedt, Torsten wrote: > How shall the authorization server ensure that the calling client is a > user-agent based app (i.e. a native app could impersonate a user-agent based > app)? Through registration and redirect URI validation. A native app does not

Re: [OAUTH-WG] oauth2 implicit flow user experience

2011-05-11 Thread Breno
esendet: Mittwoch, 11. Mai 2011 20:28 > > To: Lodderstedt, Torsten > > Cc: oauth@ietf.org; Doug Tangren > > Subject: Re: [OAUTH-WG] oauth2 implicit flow user experience > > > > On Tue, May 10, 2011 at 4:43 PM, Lodderstedt, Torsten > > wrote: > > > Hi Marius, &

Re: [OAUTH-WG] oauth2 implicit flow user experience

2011-05-11 Thread Lodderstedt, Torsten
che Nachricht- > From: Marius Scurtescu [mailto:mscurte...@google.com] > Sent: Wednesday, 11 May 2011 20:28 > To: Lodderstedt, Torsten > Cc: oauth@ietf.org; Doug Tangren > Subject: Re: [OAUTH-WG] oauth2 implicit flow user experience > > On Tue, May 10, 2011 at 4:43 PM, Lodde

Re: [OAUTH-WG] oauth2 implicit flow user experience

2011-05-11 Thread Breno
. >> >> > -Original Message- >> > From: Marius Scurtescu [mailto:mscurte...@google.com] >> > Sent: Tuesday, 10 May 2011 21:15 >> > To: Doug Tangren >> > Cc: oauth@ietf.org >> > Subject: Re: [OAUTH-WG] oauth2 implicit fl

Re: [OAUTH-WG] oauth2 implicit flow user experience

2011-05-11 Thread Breno
-Original Message- > > From: Marius Scurtescu [mailto:mscurte...@google.com] > > Sent: Tuesday, 10 May 2011 21:15 > > To: Doug Tangren > > Cc: oauth@ietf.org > > Subject: Re: [OAUTH-WG] oauth2 implicit flow user experience > > > > On Tue, May 1

Re: [OAUTH-WG] oauth2 implicit flow user experience

2011-05-11 Thread Marius Scurtescu
On Tue, May 10, 2011 at 4:43 PM, Lodderstedt, Torsten wrote: > Hi Marius, > > wrt "auto-approval": how is the authorization server supposed to validate > the client's identity in a reliable way? Otherwise another application (using > the id of the legitimate client) could abuse the authorizatio

Re: [OAUTH-WG] oauth2 implicit flow user experience

2011-05-10 Thread Lodderstedt, Torsten
ilto:mscurte...@google.com] > Sent: Tuesday, 10 May 2011 21:15 > To: Doug Tangren > Cc: oauth@ietf.org > Subject: Re: [OAUTH-WG] oauth2 implicit flow user experience > > On Tue, May 10, 2011 at 6:25 AM, Doug Tangren > wrote: > > Hi, > > > > I'm impl

Re: [OAUTH-WG] oauth2 implicit flow user experience

2011-05-10 Thread Marius Scurtescu
On Tue, May 10, 2011 at 6:25 AM, Doug Tangren wrote: > Hi, > > I'm implementing an authorization and resource server at work based on the > oauth2 draft 15. A question arose about the user experience of users of an > implicit client flow.  I've set a one hour expiry on access tokens but now > th

[OAUTH-WG] oauth2 implicit flow user experience

2011-05-10 Thread Doug Tangren
Hi, I'm implementing an authorization and resource server at work based on the oauth2 draft 15. A question arose about the user experience of users of an implicit client flow. I've set a one hour expiry on access tokens but now the question is should the client be forced to re-prompt the user f