You can read about the Artifact Binding at
https://bitbucket.org/openid/ab/wiki/Home. The latest draft is at
https://bitbucket.org/openid/ab/raw/c1eaac175dc8/openid-artifact-binding-1_0.html.
Nat Sakimura is actively updating the specification as we speak,
incorporating some of the ideas
In the next few weeks I plan to survey existing and planned implementations of
each feature of the specification, and those components without at least 3
interoperable (or compliant) implementations will be candidates for removal
from the specification (can still be published as an extension).
Torsten,
Another question: how does the server validate the
identity/authenticity of the client? In other words, what
prevents a malicious app from using the URL and server
of another native app?
Let me rephrase your question (correct me if I'm wrong): can
a malicious native app obtain
Francisco,
Torsten,
Another question: how does the server validate the
identity/authenticity of the client? In other words, what
prevents a malicious app from using the URL and server
of another native app?
Let me rephrase your question (correct me if I'm wrong): can
a malicious native
Torsten,
Agreed. So what is then the benefit of the approach you
proposed with respect to native apps?
Do you mean why didn't I just choose one of the approaches
in section 2.3 or the OAuth spec? Here is what the spec
says:
(now quoting from the spec)
Native application clients can be
On Wed, Jan 5, 2011 at 2:55 PM, Francisco Corella fcore...@pomcor.com wrote:
Native application clients can be implemented in different
ways based on their requirements and desired end-user
experience. Native application clients can:
o Utilize the end-user authorization endpoint as
Mike,
Thank you very much for sending the links to the artifact binding home page and
spec. I've had a quick look, and maybe I'm missing something, but it seems
that this completely ignores the problem of authenticating the relying party.
In section 7.4.1, the RP registers on the fly just by
--- On Wed, 1/5/11, Marius Scurtescu mscurte...@google.com wrote:
This seems to be saying that the user's machine has a Web
server running on it which is reachable from the Internet by
sending an http request to the redirection URI. That's
unrealistic because the user's machine won't
On 2011-01-05, at 7:01 PM, Francisco Corella wrote:
--- On Wed, 1/5/11, Marius Scurtescu mscurte...@google.com wrote:
This seems to be saying that the user's machine has a Web
server running on it which is reachable from the Internet by
sending an http request to the redirection URI.