Hi Michiel,

I'm fine with both suggestions (also mentioning CORS or not mentioning JSONP). What do my co-authors and other WG members think?

regards,
Torsten.

Am 29.05.2012 14:10, schrieb Michiel de Jong:
Hi Torsten,

No, it should indeed work fine with CORS. CORS is supported by IE8+,
FF, Chrome, Safari and Opera12+ (with limited error handling and
limited verb support in IE8 and IE9, but with POST you should be safe
afaik).

Note that if you want to support this in combination with implicit
grant flow (unhosted html5 apps), then you need CORS.

Which made me wonder why you are mentioning JSONP at all? Mentioning
JSONP as a 'MAY' but not mentioning CORS could send people in the
wrong direction IMO. So I would rename the section 'JSONP' to 'CORS
and JSONP', or in general, 'Cross-Origin support', and then start with
a sentence like:

"The revocation end-point SHOULD support CORS if it is aimed at use in
combination with the implicit-grant flow. For other flows, it is still
recommended(?) to support CORS. In addition, for interop with legacy
user-agents, it MAY offer JSONP. Clients should be aware that when
relying on JSONP, the revocation end-point MAY ;) inject malicious
code into the client."

You can tell I don't speak spec lingo, but I hope I'm sort of getting
my point across, that IMO, CORS is better here than JSONP.

Or: simply not mention JSONP at all. Would that be an option?


Cheers,
Michiel
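Michiel's point above (and his earlier question about why the draft mentions JSONP rather than CORS) is about how a browser-based client reaches the revocation endpoint cross-origin. The following is an added example, not code from the draft, the thread or any project mentioned here, sketching how a revocation endpoint can answer CORS requests: echo only a registered origin, answer the preflight for POST, and keep the response as plain data. The origin allowlist, the `token` form parameter, and the helper names (`handleRevocation`, `isRevoked`) are assumptions made for the example.

```javascript
// Added example: CORS handling for a token revocation endpoint.
// Not the draft's or any project's code; names and values are assumptions.

// Constructed allowlist: origins registered for browser-based (implicit
// grant) clients. A real server looks this up from client registration.
const REGISTERED_ORIGINS = new Set([
  "https://app.example.com",
  "https://widget.example.org",
]);

// Constructed in-memory store of revoked tokens, standing in for the
// authorization server's token database.
const revokedTokens = new Set();

function isRevoked(token) {
  return revokedTokens.has(token);
}

// CORS headers for one request. Unregistered origins get no
// Access-Control-* headers at all, so the browser withholds the response
// from the page. Never use "*" here: the endpoint is client-specific.
function corsHeadersFor(origin) {
  if (!REGISTERED_ORIGINS.has(origin)) return {};
  return {
    "Access-Control-Allow-Origin": origin,
    // Caches must key on Origin because the allowed value differs per origin.
    "Vary": "Origin",
  };
}

// req = { method, headers: { origin }, body } ; returns { status, headers, body }
function handleRevocation(req) {
  const origin = req.headers["origin"];
  const cors = corsHeadersFor(origin);

  // Preflight: sent by the browser when the client uses JSON or custom
  // headers. A form-encoded POST is a "simple request" and skips it.
  if (req.method === "OPTIONS") {
    if (!("Access-Control-Allow-Origin" in cors)) {
      return { status: 403, headers: {}, body: "" };
    }
    return {
      status: 204,
      headers: {
        ...cors,
        "Access-Control-Allow-Methods": "POST",
        "Access-Control-Allow-Headers": "Content-Type",
        "Access-Control-Max-Age": "600",
      },
      body: "",
    };
  }

  if (req.method !== "POST") {
    return { status: 405, headers: { "Allow": "POST, OPTIONS" }, body: "" };
  }

  // Assumed parameter name: the token to revoke, form-encoded in the body.
  const params = new URLSearchParams(req.body);
  const token = params.get("token");
  if (!token) {
    return {
      status: 400,
      headers: { ...cors, "Content-Type": "application/json" },
      body: JSON.stringify({ error: "invalid_request" }),
    };
  }

  // The request is processed regardless of Origin (revocation is idempotent
  // and only shortens a token's life); the CORS headers decide whether the
  // calling page may read the result.
  revokedTokens.add(token);
  return {
    status: 200,
    headers: { ...cors, "Content-Type": "application/json", "Cache-Control": "no-store" },
    body: "{}",
  };
}
```

The contrast with JSONP is the body: the CORS response is JSON that the client parses, whereas a JSONP response is a script (`callback({...})`) that the client executes with the page's privileges, which is the risk Michiel's proposed wording warns about.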

On Sun, May 27, 2012 at 3:05 PM, Torsten Lodderstedt
<tors...@lodderstedt.net> wrote:
Hi Michiel,

shouldn't the revocation POST request work fine with CORS? Or is there
something we need to specify in order to make it work?

best regards,
Torsten.

Am 27.05.2012 13:20, schrieb Michiel de Jong:

awesome! just that - first thing that catches the eye right when you
skim the table of contents is:

why did you use JSONP instead of CORS? You can read more about CORS
here:

http://enable-cors.org/

http://en.wikipedia.org/wiki/Cross-origin_resource_sharing#CORS_relationship_to_JSONP

On Sun, May 27, 2012 at 10:41 AM, <internet-dra...@ietf.org> wrote:
A New Internet-Draft is available from the on-line Internet-Drafts
directories. This draft is a work item of the Web Authorization Protocol
Working Group of the IETF.

        Title           : Token Revocation
        Author(s)       : Torsten Lodderstedt
                          Stefanie Dronia
                          Marius Scurtescu
        Filename        : draft-ietf-oauth-revocation-00.txt
        Pages           : 6
        Date            : 2012-05-26

   This draft proposes an additional endpoint for OAuth authorization
   servers for revoking tokens.



A URL for this Internet-Draft is:
http://www.ietf.org/internet-drafts/draft-ietf-oauth-revocation-00.txt

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/

This Internet-Draft can be retrieved at:
ftp://ftp.ietf.org/internet-drafts/draft-ietf-oauth-revocation-00.txt

The IETF datatracker page for this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-revocation/

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth