Re: [OAUTH-WG] Is "Allow / disallow" screen mandatory ?

2012-08-07 Thread Lewis Adam-CAL022
-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf Of Paul Madsen Sent: Tuesday, August 07, 2012 8:07 AM To: Jérôme LELEU Cc: oauth@ietf.org Subject: Re: [OAUTH-WG] Is "Allow / disallow" screen mandatory ? there are legitimate (non consumer centric) applications of OAuth where

Re: [OAUTH-WG] Is "Allow / disallow" screen mandatory ?

2012-08-07 Thread Paul Madsen
there are legitimate (non consumer centric) applications of OAuth where such explicit consent gathering is not necessary On 8/3/12 9:23 AM, Jérôme LELEU wrote: Said like that, I feel totally stupid... but it's not totally without their consent, they previously clicked on the "Authenticate at th

Re: [OAUTH-WG] Is "Allow / disallow" screen mandatory ?

2012-08-06 Thread Justin Richer
I agree with the idea that we need to collect and document some best practices around the UX of authorization, especially in the case where it's the end user making the determination. There have been a few chirps about this in the past, but I haven't seen anyone really stand something up. The O

Re: [OAUTH-WG] Is "Allow / disallow" screen mandatory ?

2012-08-05 Thread Jérôme LELEU
Hi, Thank you all for your answers. I read section 1.3.1: "the authorization server authenticates the resource owner and obtains authorization", the "obtains authorization" implies the confirmation screen I talked about. But it's not only about UI. There are some behaviour issues remaining: is

Re: [OAUTH-WG] Is "Allow / disallow" screen mandatory ?

2012-08-03 Thread Doug Tangren
On Fri, Aug 3, 2012 at 3:19 PM, Hannes Tschofenig wrote:
> Hi Jerome,
>
> you raise a good and important point.
>
> A core part of the OAuth specification is to obtain the consent of the resource owner. If you look at Section 1.3 of http://tools.ietf.org/html/draft-ietf-oauth-v2-31 you see th

Re: [OAUTH-WG] Is "Allow / disallow" screen mandatory ?

2012-08-03 Thread Hannes Tschofenig
Hi Jerome, you raise a good and important point. A core part of the OAuth specification is to obtain the consent of the resource owner. If you look at Section 1.3 of http://tools.ietf.org/html/draft-ietf-oauth-v2-31 you see the different authorization grants that are supported. Except for th

Re: [OAUTH-WG] Is "Allow / disallow" screen mandatory ?

2012-08-03 Thread Justin Richer
The approval screen is a detail of the UX that the protocol itself doesn't address, since there are several instances where an approval screen does and does not make sense. If you're doing a "trust on first use" (TOFU) scenario where the resource owner is the same as the end user (remember, th

Re: [OAUTH-WG] Is "Allow / disallow" screen mandatory ?

2012-08-03 Thread John Bradley
In OAuth 2 the A is Authorization, not Authentication. Not all flows support user interaction, so it can't be a MUST present dialog, as that may not be possible. For flows such as code and implicit, the Authorization server should present the user with a choice of allowing the requested scopes.

Re: [OAUTH-WG] Is "Allow / disallow" screen mandatory ?

2012-08-03 Thread Håvard Geithus
If you look at Google's API, they have a parameter named approval_prompt which can be "force" or "auto": Description: Indicates if the user should be re-prompted for consent. The default is auto, so a given user should only see the cons

Re: [OAUTH-WG] Is "Allow / disallow" screen mandatory ?

2012-08-03 Thread Jérôme LELEU
Said like that, I feel totally stupid... but it's not totally without their consent, they previously clicked on the "Authenticate at the OAuth provider" link... I understand that it's mandatory. Thanks, Jérôme

2012/8/3 Doug Tangren
>
> > What are the security concerns about not having such "Al

Re: [OAUTH-WG] Is "Allow / disallow" screen mandatory ?

2012-08-03 Thread Doug Tangren
> What are the security concerns about not having such "Allow / disallow" screen?
>
Obtaining access to a user's data without their consent?

___ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth

[OAUTH-WG] Is "Allow / disallow" screen mandatory ?

2012-08-03 Thread Jérôme LELEU
Hi, In the OAuth 2.0 spec, I don't see any mention of the "Allow / disallow" screen (just after the user is logged in). However, most of the OAuth providers I know (Facebook, Google, Twitter...) have such an "allow / disallow" screen. Did I miss something in the spec? What are the security conce