Re: [OAUTH-WG] TLS is needed for redirecting back to the client

2011-01-05 Thread Mike Jones
You can read about the Artifact Binding at https://bitbucket.org/openid/ab/wiki/Home. The latest draft is at https://bitbucket.org/openid/ab/raw/c1eaac175dc8/openid-artifact-binding-1_0.html. Nat Sakimura is actively updating the specification as we speak, incorporating some of the ideas

[OAUTH-WG] Final cuts and 3 interoperable implementations

2011-01-05 Thread Eran Hammer-Lahav
In the next few weeks I plan to survey existing and planned implementations of each feature of the specification and those components without at least 3 interoperable (or compliant) implementations will be a candidate for removal from the specification (can still be published as an extension).

Re: [OAUTH-WG] unregistered applications

2011-01-05 Thread Francisco Corella
Torsten, Another question: how does the server validate the identity/authenticity of the client? In other words, what prevents a malicious app from using the URL and server of another native app? Let me rephrase your question (correct me if I'm wrong): can a malicious native app obtain

Re: [OAUTH-WG] unregistered applications

2011-01-05 Thread Torsten Lodderstedt
Francisco, Torsten, Another question: how does the server validate the identity/authenticity of the client? In other words, what prevents a malicious app from using the URL and server of another native app? Let me rephrase your question (correct me if I'm wrong): can a malicious native

Re: [OAUTH-WG] unregistered applications

2011-01-05 Thread Francisco Corella
Torsten, Agreed. So what is then the benefit of the approach you proposed with respect to native apps? Do you mean why didn't I just choose one of the approaches in section 2.3 of the OAuth spec? Here is what the spec says: (now quoting from the spec) Native application clients can be

Re: [OAUTH-WG] unregistered applications

2011-01-05 Thread Marius Scurtescu
On Wed, Jan 5, 2011 at 2:55 PM, Francisco Corella fcore...@pomcor.com wrote: Native application clients can be implemented in different ways based on their requirements and desired end-user experience.  Native application clients can: o Utilize the end-user authorization endpoint as

Re: [OAUTH-WG] TLS is needed for redirecting back to the client

2011-01-05 Thread Francisco Corella
Mike, Thank you very much for sending the links to the artifact binding home page and spec.  I've had a quick look, and maybe I'm missing something, but it seems that this completely ignores the problem of authenticating the relying party.  In section 7.4.1, the RP registers on the fly just by

Re: [OAUTH-WG] unregistered applications

2011-01-05 Thread Francisco Corella
--- On Wed, 1/5/11, Marius Scurtescu mscurte...@google.com wrote: This seems to be saying that the user's machine has a Web server running on it which is reachable from the Internet by sending an http request to the redirection URI.  That's unrealistic because the user's machine won't

Re: [OAUTH-WG] unregistered applications

2011-01-05 Thread Dick Hardt
On 2011-01-05, at 7:01 PM, Francisco Corella wrote: --- On Wed, 1/5/11, Marius Scurtescu mscurte...@google.com wrote: This seems to be saying that the user's machine has a Web server running on it which is reachable from the Internet by sending an http request to the redirection URI.
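The loopback-listener option that the last three messages argue about, as an added example that is not part of the thread and not code from any of the participants: the native app binds a throwaway HTTP listener to 127.0.0.1 on an ephemeral port, registers that port in the redirect_uri it sends to the authorization endpoint, and the redirect reaches it only because the user's own browser (running on the same machine) follows the 302 to the loopback address; nothing has to be reachable from the Internet. The authorization endpoint, client_id and the authorization code value are assumed for illustration, and the "browser" is a constructed local HTTP request standing in for the real user-agent so the example runs offline. The listener also checks the state it generated, which is what ties the incoming redirect to the request this app started.

```python
import secrets
import threading
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

AUTHZ_ENDPOINT = "https://as.example/authorize"  # assumed, hypothetical authorization server
CLIENT_ID = "native-app-demo"                    # assumed, hypothetical client identifier


class _RedirectHandler(BaseHTTPRequestHandler):
    """Serves the single GET the local browser makes to the loopback redirect URI."""

    def do_GET(self):
        query = urllib.parse.urlparse(self.path).query
        params = urllib.parse.parse_qs(query)
        # Hand the query parameters back to the app; last-one-wins is fine for one request.
        self.server.received = {k: v[0] for k, v in params.items()}
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(b"Authorization received. You may close this window.")

    def log_message(self, *args):
        pass  # keep the demo quiet


def start_loopback_listener():
    """Bind to 127.0.0.1 only, port 0 = let the OS pick a free ephemeral port."""
    server = HTTPServer(("127.0.0.1", 0), _RedirectHandler)
    server.received = None
    return server


def build_authorization_url(server, state):
    """Build the request the app opens in the system browser, pointing the AS back at the loopback port."""
    port = server.server_address[1]
    redirect_uri = f"http://127.0.0.1:{port}/callback"
    query = urllib.parse.urlencode({
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": redirect_uri,
        "state": state,
    })
    return f"{AUTHZ_ENDPOINT}?{query}", redirect_uri


def wait_for_code(server, expected_state):
    """Block for exactly one redirect, then tear the listener down and validate what arrived."""
    server.handle_request()
    server.server_close()
    params = server.received or {}
    if params.get("state") != expected_state:
        raise ValueError("state mismatch: this redirect does not belong to the request we started")
    if "error" in params:
        raise ValueError(f"authorization server returned error: {params['error']}")
    return params["code"]


def simulate_browser_redirect(redirect_uri, query):
    """Constructed stand-in for the local browser following the AS's 302 to the loopback URI."""
    url = redirect_uri + "?" + urllib.parse.urlencode(query)
    with urllib.request.urlopen(url, timeout=5) as resp:
        return resp.status


def run_demo(simulated_code="SplxlOBeZQQYbYS6WxSbIA", tamper_state=False):
    """Full round trip; the code value is a constructed placeholder, not from a real AS."""
    state = secrets.token_urlsafe(16)
    server = start_loopback_listener()
    _authz_url, redirect_uri = build_authorization_url(server, state)
    sent_state = "attacker-chosen" if tamper_state else state
    browser = threading.Thread(
        target=simulate_browser_redirect,
        args=(redirect_uri, {"code": simulated_code, "state": sent_state}),
    )
    browser.start()
    try:
        return wait_for_code(server, state)
    finally:
        browser.join()


def demo_rejects_foreign_state():
    """True when a redirect carrying someone else's state is refused."""
    try:
        run_demo(tamper_state=True)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("code:", run_demo())
    print("foreign state rejected:", demo_rejects_foreign_state())
```

Binding to 127.0.0.1 (not 0.0.0.0) is the part that matters for the question of Internet reachability: the only thing that can complete the redirect is a process on the same host. The state check does not authenticate the client to the server, which is the separate concern raised earlier in the thread; it only lets the app refuse a redirect it did not initiate.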