[oauth] Re: a simple view of the OAuth security issue

2009-04-26 Thread Nat
=...@san Francisco via iPhone On 2009/04/26, at 5:38, John Kemp wrote: > > On Apr 26, 2009, at 12:32 AM, Nat Sakimura wrote: > >> >> I agree that "2. test(B==C) , i.e., verify that the user at B is the >> same user at C" is >> not the same as "

[oauth] Re: Signing method for XRD

2009-06-12 Thread =nat
=nat On Wed, 10 Jun 2009 08:44:06 -0700 (PDT), Zhihong wrote: > > SimpleSign had the same key rotation issue. Their solution is to add > another Base-64 encoded KeyInfo. That's problematic for us because > KeyInfo is part of XMLDSig and it's not trivial to process with

[oauth] Re: [OpenID] Can we make a seamless OpenID mobile experience?

2009-04-12 Thread Nat Sakimura
ifact binding would be preferable over the current "GET/POST" binding. =nat On Sat, Apr 11, 2009 at 11:14 AM, Allen Tom wrote: > The problem with having the client directly submit the username/password to > the SP is that it requires OAuth Service Providers to have passwords for &g

[oauth] Re: a simple view of the OAuth security issue

2009-04-25 Thread Nat Sakimura
r interaction impact, assuming OpenID AuthN is safe enough. For example, make verified_identifier a part of tokens. Then, user AuthN at the SP can be done automagically by browser redirect. =nat On Sat, Apr 25, 2009 at 8:26 PM, pkeane wrote: > > Sorry: > > Almost all of the proposed

[oauth] Re: Moving forward

2009-04-28 Thread Nat Sakimura
hat we encountered, the victim will be asked to grant permission to C:A, which he probably would not. =nat > > And yes, making request tokens one-time only is a MUST, IMHO. > > -- > Dossy Shiobara | do...@panoptic.com | http://dossy.org/ > Panoptic Computer Networ

[oauth] Re: Moving forward

2009-04-28 Thread Nat Sakimura
Consumer based on the SP's user record. PIN, like you propose, is one way of doing it, and identity federation is another. =nat On Tue, Apr 28, 2009 at 11:40 PM, Peter Keane wrote: > > On Tue, Apr 28, 2009 at 9:32 AM, Dossy Shiobara wrote: >> >> On 4/28/09 8:41 AM, Hubert L

[oauth] Re: Moving forward

2009-04-28 Thread Nat Sakimura
correlation problem (privacy), but since S cannot learn too much about V's activity at C, it probably would not be that bad. And yes, this is not a technical approach but a legal and social approach, but it is valid IMHO. =nat On Wed, Apr 29, 2009 at 11:01 AM, George Fletcher wrote: > > Nat Sakimura

[oauth] Re: Moving forward

2009-04-29 Thread Nat Sakimura
ut wait: this policy will not pass the Japanese Privacy Law. The use purpose and place is not specific enough to be legal. =nat >> The signed callback approach only closes the security problem we face >> *right now* if and only if ALL consumers maintain perfect secrecy of the >> con

[oauth] Re: Moving forward

2009-04-29 Thread Nat Sakimura
On Thu, Apr 30, 2009 at 7:05 AM, Blaine Cook wrote: > > On Wed, Apr 29, 2009 at 3:46 PM, Nat Sakimura wrote: >> >> The other approach is to make it clear that OAuth is Grant (S:V:Data to C:*) >> so that the users will be fully aware of the consequence. That will ke

[oauth] Signing method for XRD

2009-06-09 Thread Nat Sakimura
uld the community feel that this is simple enough? I would appreciate your insight/opinion/input into this matter. Best, -- Nat Sakimura (=nat) http://www.sakimura.org/en/ You received this message because you are subscribed to the Google Gro

Re: [oauth] Is OAuth death?

2012-03-20 Thread Nat Sakimura
So it has moved on to the IETF from oauth.org. Google and Facebook, among others, have been implementing various revisions of OAuth 2.0 to this date. OAuth 2.0 in the IETF is near its completion. Best, Nat On Tue, Mar 20, 2012 at 4:16 AM, SunboX wrote: > Last Blog-Post on oauth.net is from may 2009. All

Re: [oauth] Is OAuth death?

2012-08-01 Thread Nat Sakimura
Hi Steve, Actually, the OAuth 2.0 Core and Bearer specs were approved by the IESG to be sent to the RFC Editor as of today. That means it is essentially done. Nat On Wed, Aug 1, 2012 at 3:02 PM, Steven WIllmott wrote: > Hi Hannes, > > Thanks for your answer - I can definitely under

Re: [oauth] Is OAuth death?

2012-08-02 Thread Nat Sakimura
There is one glitch to be sorted out: the MIME type for form encoding is not IANA registered. It should be registered by the W3C. However, I expect it to be sorted out pretty quickly. Hannes, do you have any comment? Nat On Thu, Aug 2, 2012 at 10:55 AM, Steven WIllmott wrote: > Hi Nat, >

Re: [oauth] External OAuth Provider

2013-03-10 Thread Nat Sakimura
Use OpenID Connect. It is a profile of OAuth that does SSO. Google, Microsoft, Salesforce, AOL, etc. have announced support for it. Some have already deployed the draft version of it. Do not create your own. Nat 2013/3/5 Brice Fraboulet > Hi Jolly, > > OAuth is used to make dele

Re: [oauth] Registration for Devices

2013-04-29 Thread Nat Sakimura
ally appreciate any help or pointers on this? > > Thanks

Re: [oauth] OAuth Scope with read only resource

2013-06-03 Thread Nat Sakimura
Yes, you can. =nat via iPhone Jun 4, 2013 2:41, Giri Guntipalli's message: Hi, can an OAuth scope include the method also? I would like to define a scope which includes a few of the resources for only the GET method, others for GET and PUT, etc. The OAuth spec only defines the format of the scope name, configuration of

Re: [oauth] Re: Oauth 2.0 login restriction

2013-11-02 Thread Nat Sakimura
eciate all >> the help provided. >>

Re: [oauth] Preventing OAuth client from maliciously modifying user's request

2014-05-21 Thread Nat Sakimura
-- Nat Sakimura (=nat) Chairman, OpenID Foundation http://nat.sakimura.org/ @_nat_en

Re: [oauth] Preventing OAuth client from maliciously modifying user's request

2014-05-21 Thread Nat Sakimura
That can be interesting. 2014-05-22 10:47 GMT+09:00 Fajar Ardian : > Thanks, Nat. > > I am thinking of adding a new flow to OAuth 2.0 protocol. After the web > application sends the tweet to twitter, twitter returns a response saying > that it will process the request only

Re: [oauth] Preventing OAuth client from maliciously modifying user's request

2014-05-22 Thread Nat Sakimura
esource > server enforces single use on? > > What I'm suggesting is that perhaps the use case could be satisfied with > existing spec flows and bespoke use of scope fields, with single use access > tokens. > > > - Reply message - > From: "Nat Sakimura&quo

Re: [oauth] OAuth and RESTful

2014-07-08 Thread Nat Sakimura
://tools.ietf.org/html/draft-sakimura-oauth-meta-03 Needless to say, OAuth can be used to protect a RESTful service after it has gotten the tokens. That's what it was designed for. My 2c. Nat 2014-07-09 7:42 GMT+09:00 Jørn Wildt : > Could you please elaborate a bit on that question? It's a

Re: [oauth] OAuth 2.0 flow in iOS :: Apple rejecting opening up Safari

2015-05-08 Thread Nat Sakimura
Thanks Dick. OIDF is also trying to write a white paper on why an in-app browser for this purpose is a bad idea. =nat via iPhone 2015/05/09 4:28, Dick Hardt's message: > Glad to know I was not missing something. > > I explained all the logic in my first response to the reviewer. Next respon

Re: [oauth] OAuth 2.0 flow in iOS :: Apple rejecting opening up Safari

2015-06-08 Thread Nat Sakimura
I wonder how callback parameters are handed back to the calling app. Nat On Tuesday, June 9, 2015, Leah Culver wrote: > This is the best news I've heard all year (if it does work well for OAuth). > > On Mon, Jun 8, 2015 at 3:16 PM, Aaron Parecki > wrote: > >> Apple announced

Re: [oauth] Map Access Token to Domain

2015-06-09 Thread Nat Sakimura
who can use it. It is still in a draft stage. Nat from iPhone On Wednesday, June 10, 2015, Callum Hopkins wrote: > I have my app set up as described in this > <https://aaronparecki.com/articles/2012/07/29/1/oauth2-simplified#web-server-apps> > article you shared under "Web Server Apps > &l

Re: [oauth] Map Access Token to Domain

2015-06-10 Thread Nat Sakimura
-- Nat Sakimura (=nat) Chairman, OpenID Foun