Hi folks,

After the previous IETF meeting, we got some feedback that the labels we chose 
to describe the three variants of cross-device flows could be a little more 
descriptive. After some discussion between Daniel and myself, we would like to 
propose the following changes in how we label and describe the different 
cross-device flow patterns to which the recommendations in the BCP apply.

User transferred -> User-Transferred Session Data
Client transferred -> Backchannel-Transferred Session
Hybrid -> User-Transferred Authorization Data

Here are the descriptions for the new proposed labels:

1. User-Transferred Session Data Pattern: In the first variant, the user 
initiates the authorization process with the authorization server by copying 
information from the initiating device to the authorization device, before 
authorizing an action. By transferring the data from the Initiating Device to 
the Authorization Device, the user transfers the authorization session. For 
example, the user may read a code displayed on the Initiating Device and enter 
it on the Authorization Device, or they may scan a QR code displayed on the 
Initiating Device with the Authorization Device.

2. Backchannel-Transferred Session Pattern: In the second variant, the OAuth 
client on the Initiating Device is responsible for transferring the session and 
initiating authorization on the Authorization Device via a backchannel with the 
Authorization Server. For example, the user may attempt an online purchase on an 
Initiating Device (e.g. a personal computer) and receive an authorization 
request on their Authentication Device (e.g. mobile phone).

3. User-Transferred Authorization Data: In the third variant, the OAuth 
client on the Initiating Device triggers the authorization request via a 
backchannel with the Authorization Server. Authorization data (e.g. an access 
code) is displayed on the Authorization Device, which the user enters on the 
Initiating Device. For example, the user may attempt to access data in an 
enterprise application and receive an authorization code on their 
Authentication Device (e.g. mobile phone) that they enter on the Initiating 
Device.

For reference, here are the current labels and their definitions for the three 
variants (from section 2 of draft-ietf-oauth-cross-device-security-01, 
"Cross-Device Flows: Security Best Current Practice", 
<https://datatracker.ietf.org/doc/draft-ietf-oauth-cross-device-security/01/>):

1. User transferred: In the first variant, the user initiates the 
authorization process with the authorization server by copying information from 
the initiating device to the authorization device, before authorizing an 
action. For example, the user may read a code displayed on the initiating 
device and enter it on the authorization device, or they may scan a QR code 
displayed on the initiating device with the authorization device.

2. Client transferred: In the second variant, the OAuth client on the 
initiating device is responsible for initiating authorization on the 
authorization device via a backchannel with the authorization server.

3. Hybrid: In the third variant, the OAuth client on the initiating device 
triggers the authorization request via a backchannel with the Authorization 
Server. An access code is displayed on the Authorization Device, which the 
user enters on the initiating device.

Are these new labels clearer than the previous ones, or do you see some ways we 
can improve them further?

Cheers,
Pieter

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
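To make the distinction between the three proposed labels concrete, here is a small constructed model of the three patterns. It is an added illustration, not text or code from the draft or from this post: the party names follow the post, but the message contents, the field names (`user_code`, `access_code`, `user_hint`) and the tiny `ToyAuthorizationServer` are assumptions rather than any OAuth specification's normative protocol. Each pattern is recorded as a list of hops, and the `user_carried` helper isolates the one thing the new labels are named for: which data the human carries between the two devices, and in which direction.

```python
"""Constructed toy model of the three cross-device flow patterns named in the
post.  Illustrative only: messages, field names and the AuthorizationServer
below are assumptions, not the BCP's or any OAuth spec's normative protocol."""
import secrets
from dataclasses import dataclass, field

INITIATING = "Initiating Device"
AUTHZ_DEV = "Authorization Device"
AS = "Authorization Server"


@dataclass(frozen=True)
class Step:
    """One hop of data.  channel is 'backchannel' (OAuth client <-> AS),
    'authz-device' (Authorization Device <-> AS) or 'user' (the human carries
    the payload from one device to the other)."""
    channel: str
    src: str
    dst: str
    payload: str


@dataclass
class ToyAuthorizationServer:
    """Hypothetical AS: pending sessions keyed by an opaque session id."""
    sessions: dict = field(default_factory=dict)

    def start_session(self):
        sid = secrets.token_hex(8)
        self.sessions[sid] = {"approved": False, "codes": {}}
        return sid

    def bind_code(self, sid, name):
        code = secrets.token_hex(3).upper()  # short, human-transcribable
        self.sessions[sid]["codes"][name] = code
        return code

    def session_by_code(self, name, code):
        for sid, s in self.sessions.items():
            if s["codes"].get(name) == code:
                return sid
        raise KeyError("unknown code")

    def approve(self, sid):
        self.sessions[sid]["approved"] = True

    def token(self, sid):
        return f"token-{sid}" if self.sessions[sid]["approved"] else None


def user_transferred_session_data(srv):
    """Pattern 1: the user moves the *session* (a code) Initiating -> Authorization Device."""
    sid = srv.start_session()
    user_code = srv.bind_code(sid, "user_code")
    steps = [
        Step("backchannel", INITIATING, AS, "start session"),
        Step("backchannel", AS, INITIATING, f"user_code={user_code}"),
        Step("user", INITIATING, AUTHZ_DEV, f"user_code={user_code}"),  # typed or scanned
        Step("authz-device", AUTHZ_DEV, AS, f"user_code={user_code} approve"),
    ]
    srv.approve(srv.session_by_code("user_code", user_code))
    steps.append(Step("backchannel", INITIATING, AS, "poll"))
    steps.append(Step("backchannel", AS, INITIATING, "access_token"))
    return steps, srv.token(sid)


def backchannel_transferred_session(srv, user_hint):
    """Pattern 2: the client moves the session via the AS; the user only approves."""
    sid = srv.start_session()
    steps = [
        Step("backchannel", INITIATING, AS, f"authorize user_hint={user_hint}"),
        Step("authz-device", AS, AUTHZ_DEV, f"approve request for session {sid}?"),
        Step("authz-device", AUTHZ_DEV, AS, "approved"),
    ]
    srv.approve(sid)
    steps.append(Step("backchannel", AS, INITIATING, "access_token"))
    return steps, srv.token(sid)


def user_transferred_authorization_data(srv, user_hint):
    """Pattern 3: the session moves via the AS, but the user carries
    *authorization data* (an access code) Authorization -> Initiating Device."""
    sid = srv.start_session()
    access_code = srv.bind_code(sid, "access_code")
    steps = [
        Step("backchannel", INITIATING, AS, f"authorize user_hint={user_hint}"),
        Step("authz-device", AS, AUTHZ_DEV, f"access_code={access_code}"),
        Step("user", AUTHZ_DEV, INITIATING, f"access_code={access_code}"),
        Step("backchannel", INITIATING, AS, f"redeem access_code={access_code}"),
    ]
    srv.approve(srv.session_by_code("access_code", access_code))
    steps.append(Step("backchannel", AS, INITIATING, "access_token"))
    return steps, srv.token(sid)


def user_carried(steps):
    """(src, dst) of every hop the human performs: the discriminator between patterns."""
    return [(s.src, s.dst) for s in steps if s.channel == "user"]


if __name__ == "__main__":
    for fn, args in ((user_transferred_session_data, ()),
                     (backchannel_transferred_session, ("alice",)),
                     (user_transferred_authorization_data, ("alice",))):
        steps, tok = fn(ToyAuthorizationServer(), *args)
        print(fn.__name__, "user carries:", user_carried(steps), "token:", tok is not None)
```

Run as a script, the model prints one line per pattern: in the first the user carries data from the Initiating Device to the Authorization Device, in the second the user carries nothing between devices, and in the third the user carries data from the Authorization Device back to the Initiating Device. That direction of the user-carried hop is exactly what the proposed names "Session Data" versus "Authorization Data" encode, and what the old "Hybrid" label left implicit.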
