Hi All,
We might have a requirement to support a case where AS returns an access
token directly to a human user, with the user subsequently configuring a
confidential client with this token. The actual client is not capable of
supporting a (more dynamic) code flow at this stage.
So it is nea
Hi All,
The example at [1] suggests that clients working with a refresh grant
authenticate as usual when they need to use a grant.
The section 3.3 in the threat model document [2] says that
"as long as the confidentiality of the particular token can be
ensured by the client, a refresh t
If you are interested in how others have done a similar flow, you could
look at how smart TVs supporting Netflix and Amazon are authorized.
On Fri, Mar 6, 2015 at 9:22 AM, Sergey Beryozkin
wrote:
> Hi All,
>
> We might have a requirement to support a case where AS returns an access
> token direc
All you’re really doing here is having a more manual and less automated portion
for part of the process. You’d want to do this using a registered redirect URI
that hosts the HTML page, and then you’d need a control in the app itself where
the user could interact.
I would personally recommend us
Hi all,
does anyone have free cycles to review
draft-ietf-tram-turn-third-party-authz, which happens to use OAuth 2.0
in a way that is similar to the proof-of-possession work with a new
access token format?
Ciao
Hannes
Forwarded Message
Subject: [saag] tram draft - anyone willi
Thanks for a reference to such applications...
Sergey
On 06/03/15 18:07, Dick Hardt wrote:
If you are interested in how others have done a similar flow, you could
look at how smart TVs supporting Netflix and Amazon are authorized.
On Fri, Mar 6, 2015 at 9:22 AM, Sergey Beryozkin mailto:sberyoz.
Hi
On 06/03/15 18:28, Justin Richer wrote:
All you’re really doing here is having a more manual and less automated portion
for part of the process. You’d want to do this using a registered redirect URI
that hosts the HTML page, and then you’d need a control in the app itself where
the user cou
> On Mar 6, 2015, at 5:31 PM, Sergey Beryozkin wrote:
>
> Hi
> On 06/03/15 18:28, Justin Richer wrote:
>> All you’re really doing here is having a more manual and less automated
>> portion for part of the process. You’d want to do this using a registered
>> redirect URI that hosts the HTML pag
Hi Justin,
Thanks for typing it all, appreciated... I guess the idea here is
basically to introduce a little web app 'intermediary' that will act as if
it were a client except that it will show whatever it receives back from
AS to the user.
So we still have a common processing path at AS, as if i