Re: [OAUTH-WG] Resource Owner Password Credentials question/feedback

2011-07-01 Thread Torsten Lodderstedt
org]> On Behalf Of Lodderstedt, Torsten Sent: Thursday, June 30, 2011 1:10 AM To: George Fletcher; oauth@ietf.org Subject: Re: [OAUTH-WG] Resource Owner Password Credentials question/feedback Not exactly the topic but also related to this grant type. There

Re: [OAUTH-WG] Resource Owner Password Credentials question/feedback

2011-06-30 Thread Eran Hammer-Lahav
. From: Eran Hammer-Lahav [mailto:e...@hueniverse.com] Sent: Thursday, June 30, 2011 10:48 To: Lodderstedt, Torsten; George Fletcher; oauth@ietf.org Subject: RE: [OAUTH-WG] Resource Owner Password Credentials question/feedback I

Re: [OAUTH-WG] Resource Owner Password Credentials question/feedback

2011-06-30 Thread Lodderstedt, Torsten
auth@ietf.org Subject: RE: [OAUTH-WG] Resource Owner Password Credentials question/feedback Issuing a refresh token is more a function of the access grant duration than anything else. The client can always throw away tokens when it is done or if the user doesn't want to "stay connect

Re: [OAUTH-WG] Resource Owner Password Credentials question/feedback

2011-06-30 Thread Eran Hammer-Lahav
server decides (based on user approval and policy). EHL From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf Of Lodderstedt, Torsten Sent: Thursday, June 30, 2011 1:10 AM To: George Fletcher; oauth@ietf.org Subject: Re: [OAUTH-WG] Resource Owner Password Credentials questi

Re: [OAUTH-WG] Resource Owner Password Credentials question/feedback

2011-06-30 Thread Lodderstedt, Torsten
Not exactly the topic but also related to this grant type. There is currently no parameter the client could use to explicitly request a refresh token. So server-policies based on user, client and scope are the only means to decide whether a refresh token is issued or not. I consider this to limit

Re: [OAUTH-WG] Resource Owner Password Credentials question/feedback

2011-06-29 Thread Lodderstedt, Torsten
> -Original Message- > From: Marcus Better [mailto:mar...@better.se] > Sent: Wednesday, June 29, 2011 11:58 > To: oauth@ietf.org > Subject: Re: [OAUTH-WG] Resource Owner Password Credentials > question/feedback > > -BEGIN PGP SIGNED MESSAGE- >

Re: [OAUTH-WG] Resource Owner Password Credentials question/feedback

2011-06-29 Thread Marcus Better
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 2011-06-28 18:05, Brian Campbell wrote: > invalid_grant seems like the appropriate error as the username and > password are the grant in the context of the Resource Owner Password > Credentials flow/grant type. What should the HTTP status code be?

Re: [OAUTH-WG] Resource Owner Password Credentials question/feedback

2011-06-28 Thread Eran Hammer-Lahav
Yep. Invalid grant is the right error code. EHL > -Original Message- > From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf > Of Brian Campbell > Sent: Tuesday, June 28, 2011 9:05 AM > To: George Fletcher > Cc: oauth@ietf.org > Subject: Re: [OAU

Re: [OAUTH-WG] Resource Owner Password Credentials question/feedback

2011-06-28 Thread Brian Campbell
invalid_grant seems like the appropriate error as the username and password are the grant in the context of the Resource Owner Password Credentials flow/grant type. On Tue, Jun 28, 2011 at 9:47 AM, George Fletcher wrote: > > I'm working on spec'ing out a use of the Resource Owner Password Credent