Dick,
> An example of a custom scheme would be what Pounce popularized on the iPhone.
> A redirect to pounce:// would load the Pounce app and pass in the URL
Thanks for the tip! I'll have to look at how custom schemes are used on iOS.
Francisco
___
On 2011-01-05, at 7:01 PM, Francisco Corella wrote:
> --- On Wed, 1/5/11, Marius Scurtescu wrote:
> > > This seems to be saying that the user's machine has a Web
> > > server running on it which is reachable from the Internet by
> > > sending an http request to the redirection URI. That's
> > >
--- On Wed, 1/5/11, Marius Scurtescu wrote:
> > This seems to be saying that the user's machine has a Web
> > server running on it which is reachable from the Internet by
> > sending an http request to the redirection URI. That's
> > unrealistic because the user's machine won't typically have
> >
On Wed, Jan 5, 2011 at 2:55 PM, Francisco Corella wrote:
>
> > Native application clients can be implemented in different
> > ways based on their requirements and desired end-user
> > experience. Native application clients can:
> >
> > o Utilize the end-user authorization endpoint as described in
Torsten,
> Agreed. So what is then the benefit of the approach you
> proposed with respect to native apps?
Do you mean why didn't I just choose one of the approaches
in section 2.3 or the OAuth spec? Here is what the spec
says:
(now quoting from the spec)
> Native application clients can be i
Francisco,
Torsten,
> Another question: how does the server validate the
> identity/authenticity of the client? In other words, what
> prevents a malicious app from using the URL and server
> of another native app?
Let me rephrase your question (correct me if I'm wrong): can
a malicious nat
Torsten,
> Another question: how does the server validate the
> identity/authenticity of the client? In other words, what
> prevents a malicious app from using the URL and server
> of another native app?
Let me rephrase your question (correct me if I'm wrong): can
a malicious native app obtai
From: tors...@lodderstedt.net
Sender: oauth-boun...@ietf.org
Date: Wed, 5 Jan 2011 06:15:23
To:
Reply-To: tors...@lodderstedt.net
Cc: ; Karen P. Lewison
Subject: Re: [OAUTH-WG] unregistered applications
___
OAuth mailing list
OAuth@ietf.org
https
From: Francisco Corella
Date: Tue, 4 Jan 2011 17:18:33
To: Torsten Lodderstedt
Reply-To: fcore...@pomcor.com
Cc: ; Karen P. Lewison
Subject: Re: [OAUTH-WG] unregistered applications
--- On Tue, 1/4/11, Torsten Lodderstedt wrote:
> just to make sure I understood your paper correct
--- On Tue, 1/4/11, Torsten Lodderstedt wrote:
> just to make sure I understood your paper correctly: even
> native clients are required to have a backend server
> component, which receives the authorization results and
> makes it available to the native client?
Yes, a very simple one that respon
Francisco,
just to make sure I understood your paper correctly: even native clients
are required to have a backend server component, which receives the
authorization results and makes it available to the native client?
regards,
Torsten.
Hi all,
OAuth provides only weak security when used wi
--- On Wed, 12/29/10, Marius Scurtescu wrote:
...
> I don't think it adds much complexity. And for implementors it is a
> big help, much simpler to implement /.well-known/host-meta. Imagine
> asking a large website to add a few HTML tags to every single request
> to / as opposed to adding a specia
On Thu, Dec 23, 2010 at 9:38 PM, Francisco Corella wrote:
> Thank you very much for your detailed reading of the paper
> and your very useful comments. I've revised the paper based
> on your comments and put a new version online, with an
> acknowledgment of your contribution.
I'm glad you found
Hi Marius,
Thank you very much for your detailed reading of the paper
and your very useful comments. I've revised the paper based
on your comments and put a new version online, with an
acknowledgment of your contribution.
> PKAuth seems similar to OAuth 2, I think it would help if you used the s
Hi Francisco,
PKAuth seems similar to OAuth 2, I think it would help if you used the same
terminology:
- application => client
- social site => authorization server
- client => end user
- reference code => authorization code
The paper claims that users do not know how to interpret domain names, w
Hi all,
OAuth provides only weak security when used with
unregistered applications. OTOH compulsory registration is
a bad idea: imagine a situation where a social site becomes
dominant, social login via that site becomes the de facto
authentication standard on the Web, every application has to
re