Thanks for all the feedback.

--
-jim
Jim Willeke
On Tue, Oct 10, 2017 at 11:02 AM, John Bradley <ve7...@ve7jtb.com> wrote:

> urn:ietf:wg:oauth:2.0:oob is a Google thing that is not part of the OAuth 2 specification.
>
> I think it was mostly a Windows thing.
>
> It is not a real redirect URI; it is used as a flag to the authorization server to have the result returned “Out Of Band”, and the user cuts and pastes the token.
>
> On Windows, applications could snoop the title bars of other apps and so programmatically retrieve the token value from the title bar.
>
> I don’t really want to put effort into expanding all the reasons this is not secure.
>
> I don’t honestly know what would happen if you sent that redirect URI to a non-Google AS; probably nothing good.
> It is not part of the OAuth specification and not something people should use without having a good reason and understanding the security implications.
>
> William and I documented several ways to implement native applications on OSX and Windows in RFC 8252.
>
> On Windows you are really best off using a UWP app and the native token broker with the code flow.
>
> Documentation:
> https://developers.google.com/api-client-library/python/auth/installed-app
>
> This value signals to the Google Authorization Server that the authorization code should be returned in the title bar of the browser, with the page text prompting the user to copy the code and paste it in the application. This is useful when the client (such as a Windows application) cannot listen on an HTTP port without significant client configuration.
>
> When you use this value, your application can then detect that the page has loaded, and can read the title of the HTML page to obtain the authorization code. It is then up to your application to close the browser window if you want to ensure that the user never sees the page that contains the authorization code. The mechanism for doing this varies from platform to platform.
>
> If your platform doesn't allow you to detect that the page has loaded or read the title of the page, you can have the user paste the code back to your application, as prompted by the text in the confirmation page that the OAuth 2.0 server generates.
>
> John B.
>
>> On Oct 10, 2017, at 8:22 AM, Jim Willeke <j...@willeke.com> wrote:
>>
>> Wondering if you could help with questions on urn:ietf:wg:oauth:2.0:oob, as it appears to be an almost common usage, but there is no IETF documentation or registration that we can find on the defined usage.
>>
>> This has come up on several occasions.
>>
>> - https://stackoverflow.com/q/46643795/88122
>> - http://lists.jboss.org/pipermail/keycloak-dev/2014-May/001814.html
>> - https://github.com/doorkeeper-gem/doorkeeper/issues/514
>> - https://www.ietf.org/mail-archive/web/oauth/current/msg09974.html
>>
>> Should it be registered or defined?
>> (or am I missing something?)
>>
>> With best regards,
>>
>> --
>> -jim
>> Jim Willeke
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
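The loopback alternative that RFC 8252 recommends in place of the oob pseudo-URI, as an added illustration that is not from this thread or from any project mentioned in it: the native app binds an ephemeral 127.0.0.1 port, receives the authorization code over that socket instead of in a window title that other processes can read, and rejects any callback whose `state` does not match. All function and parameter names are my own, and the fake browser in the main block is a constructed stand-in for the real redirect.

```python
import hmac, secrets, threading, urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlparse

OOB_PSEUDO_URI = "urn:ietf:wg:oauth:2.0:oob"  # Google-only flag, not a real redirect URI

def is_loopback_redirect(uri):
    """Accept only RFC 8252 sect. 7.3 loopback URIs (127.0.0.1 or [::1] with a port); reject oob, other hosts, "localhost"."""
    if uri == OOB_PSEUDO_URI:
        return False
    p = urlparse(uri)
    return p.scheme == "http" and p.hostname in ("127.0.0.1", "::1") and p.port is not None

def parse_callback(path, expected_state):
    """Return the code from the redirect query; a wrong `state` is rejected, so a response
    injected by another process or browser tab is never accepted."""
    qs = parse_qs(urlparse(path).query)
    if not hmac.compare_digest(qs.get("state", [""])[0].encode(), expected_state.encode()):
        raise ValueError("state mismatch")
    if "error" in qs:
        raise ValueError("authorization server error: " + qs["error"][0])
    code = qs.get("code", [""])[0]
    if not code:
        raise ValueError("no authorization code in callback")
    return code

class _CallbackHandler(BaseHTTPRequestHandler):
    def do_GET(self):  # the code arrives here over loopback, not in a window title
        try:
            self.server.code = parse_callback(self.path, self.server.expected_state)
            body = b"Authorization complete; you can close this window."
        except ValueError as exc:
            body = f"Authorization failed: {exc}".encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(body)

def receive_code_on_loopback(expected_state, open_browser):  # returns None if the callback was rejected
    srv = HTTPServer(("127.0.0.1", 0), _CallbackHandler)  # port 0: the OS picks a free port
    srv.expected_state, srv.code = expected_state, None
    redirect_uri = f"http://127.0.0.1:{srv.server_port}/cb"  # the URI the app sends as redirect_uri
    threading.Thread(target=open_browser, args=(redirect_uri,), daemon=True).start()
    srv.handle_request()  # serve exactly one request, then stop listening
    srv.server_close()
    return srv.code

if __name__ == "__main__":  # constructed stand-in for the browser following the AS redirect
    state = secrets.token_urlsafe(16)
    browser = lambda u: urllib.request.urlopen(f"{u}?code=demo-code&state={state}").read()
    print(receive_code_on_loopback(state, browser))  # prints demo-code
```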