Re: [OAUTH-WG] Can the repeated authorization of scopes be avoided ?

Wed, 27 Jan 2016 09:11:59 -0800 

Hi George
Thanks. I think I'll need to spend more time on thinking about the way it has to be implemented, but I guess one thing I realize is that using only access tokens as records for this purpose is not ideal/generic. 


That said, it is not clear to me that a per-instance level consent 
makes sense only when the dynamic registration is used.



Suppose we have a statically registered client, with the client id 
shared between 100 devices or even confidential clients. I'm actually 
not sure how realistic it is that the same user works with more than one 
device sharing the same id, but assuming it is possible sometimes, and 
further, with incremental authentication in place,



we can have a situation where while working on device1 a user has 
approved 'a' while on device2 - scope "b", with both devices sharing the 
same client id.


May be I'm making it too complex :-)

Thanks, Sergey

On 27/01/16 16:53, George Fletcher wrote:

My recommendation, like the others, is to store consent by
client_id:user and then try and leverage dynamic client registration if
instance level consent is needed.

On 1/27/16 11:43 AM, George Fletcher wrote:

Yes, I was thinking mostly of "native apps"... though you bring up a
good point. It would be great if "installable" web apps could do
dynamic client registration:)  I suppose for a "public" client that is
loaded onto a device, the "installation" process could obtain a new
client_id for that instance. Cookies might work, or have the app
generate a unique identifier and use that in conjunction with the
client_id?

Thanks,
George

On 1/27/16 11:07 AM, Thomas Broyer wrote:



On Wed, Jan 27, 2016 at 1:54 PM George Fletcher <gffle...@aol.com
<mailto:gffle...@aol.com>> wrote:

    The difference might be whether you want to store the scope
    consent by client "instance" vs client_id application "class".


Correct me if I'm wrong but this only makes sense for "native apps",
not for web apps, right?
(of course, now with "installable web apps" –e.g. progressive web
apps–, lines get blurry; any suggestion how you'd do it then? cookies?)



_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth





--
Sergey Beryozkin

Talend Community Coders
http://coders.talend.com/

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth




























					Reply via email to