Re: [OAUTH-WG] oauth2 implicit flow user experience

2011-05-11 Thread Marius Scurtescu
On Tue, May 10, 2011 at 4:43 PM, Lodderstedt, Torsten t.lodderst...@telekom.de wrote: Hi Marius, wrt auto-approval: how is the authorization server supposed to validate the client's identity in a reliable way? Otherwise another application (using the id of the legitimate client) could

Re: [OAUTH-WG] oauth2 implicit flow user experience

2011-05-11 Thread Breno
: Tuesday, 10 May 2011 21:15 To: Doug Tangren Cc: oauth@ietf.org Subject: Re: [OAUTH-WG] oauth2 implicit flow user experience On Tue, May 10, 2011 at 6:25 AM, Doug Tangren d.tang...@gmail.com wrote: Hi, I'm implementing an authorization and resource server at work based

Re: [OAUTH-WG] oauth2 implicit flow user experience

2011-05-11 Thread Lodderstedt, Torsten
Message- From: Marius Scurtescu [mailto:mscurte...@google.com] Sent: Wednesday, 11 May 2011 20:28 To: Lodderstedt, Torsten Cc: oauth@ietf.org; Doug Tangren Subject: Re: [OAUTH-WG] oauth2 implicit flow user experience On Tue, May 10, 2011 at 4:43 PM, Lodderstedt, Torsten t.lodderst

Re: [OAUTH-WG] oauth2 implicit flow user experience

2011-05-11 Thread Breno
@ietf.org; Doug Tangren Subject: Re: [OAUTH-WG] oauth2 implicit flow user experience On Tue, May 10, 2011 at 4:43 PM, Lodderstedt, Torsten t.lodderst...@telekom.de wrote: Hi Marius, wrt auto-approval: how is the authorization server supposed to validate the client's identity

Re: [OAUTH-WG] oauth2 implicit flow user experience

2011-05-11 Thread Marius Scurtescu
On Wed, May 11, 2011 at 11:44 AM, Lodderstedt, Torsten t.lodderst...@telekom.de wrote: How shall the authorization server ensure that the calling client is a user-agent based app (i.e. a native app could impersonate a user-agent based app)? Through registration and redirect URI validation.

Re: [OAUTH-WG] oauth2 implicit flow user experience

2011-05-11 Thread Breno
On Wed, May 11, 2011 at 3:26 PM, Lodderstedt, Torsten t.lodderst...@telekom.de wrote: Through registration and redirect URI validation. A native app does not have to impersonate, they can just register a user-agent client. Everything boils down to the user trusting the app. As Breno

[OAUTH-WG] oauth2 implicit flow user experience

2011-05-10 Thread Doug Tangren
Hi, I'm implementing an authorization and resource server at work based on the oauth2 draft 15. A question arose about the user experience of users of an implicit client flow. I've set a one hour expiry on access tokens but now the question is should the client be forced to re-prompt the user

Re: [OAUTH-WG] oauth2 implicit flow user experience

2011-05-10 Thread Marius Scurtescu
On Tue, May 10, 2011 at 6:25 AM, Doug Tangren d.tang...@gmail.com wrote: Hi, I'm implementing an authorization and resource server at work based on the oauth2 draft 15. A question arose about the user experience of users of an implicit client flow. I've set a one hour expiry on access

Re: [OAUTH-WG] oauth2 implicit flow user experience

2011-05-10 Thread Lodderstedt, Torsten
: Tuesday, 10 May 2011 21:15 To: Doug Tangren Cc: oauth@ietf.org Subject: Re: [OAUTH-WG] oauth2 implicit flow user experience On Tue, May 10, 2011 at 6:25 AM, Doug Tangren d.tang...@gmail.com wrote: Hi, I'm implementing an authorization and resource server at work based on the oauth2