Re: [OAUTH-WG] polling in the device flow

2010-06-09 Thread David Recordon
I think long polling came up at the face to face and we decided to not fundamentally change how the flow works until we have implementation experience. I'm fine with using 503 since it's not really a fundamental change. --David On Wed, Jun 9, 2010 at 4:51 PM, Dirk Balfanz wrote: > On Wed, Jun

Re: [OAUTH-WG] polling in the device flow

2010-06-09 Thread Dirk Balfanz
On Wed, Jun 9, 2010 at 12:17 AM, Torsten Lodderstedt < tors...@lodderstedt.net> wrote: > using mechanisms provided by the HTTP protocol sound reasonable to me. > > I see two questions: > > 1) Is 503 intended for that purpose? > http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html says: "The ser

Re: [OAUTH-WG] polling in the device flow

2010-06-09 Thread Dirk Balfanz
On Wed, Jun 9, 2010 at 10:58 AM, David Recordon wrote: > Unless I'm misreading the Timeouts spec, it defines a HTTP request > header which the client uses to tell the server how long it will wait. > That's how I read them, too. But that might be an alternative way to pick up the token in the dev

Re: [OAUTH-WG] polling in the device flow

2010-06-09 Thread David Recordon
Unless I'm misreading the Timeouts spec, it defines a HTTP request header which the client uses to tell the server how long it will wait. That's a different problem from the server telling the client to back off it's request rate. A 503 with a Retry-After header seems reasonable. We should specify

Re: [OAUTH-WG] polling in the device flow

2010-06-09 Thread Manger, James H
t: Re: [OAUTH-WG] polling in the device flow What conclusions would you draw from this internet-draft? Shall we move for long polling and "Timeout" headers? regards, Torsten. Am 09.06.2010 09:29, schrieb Manger, James H: Right on cue a new internet-draft covering the HTTP pollin

Re: [OAUTH-WG] polling in the device flow

2010-06-09 Thread Torsten Lodderstedt
What conclusions would you draw from this internet-draft? Shall we move for long polling and "Timeout" headers? regards, Torsten. Am 09.06.2010 09:29, schrieb Manger, James H: Right on cue a new internet-draft covering the HTTP polling issue has just appeared: Hypertext Transfer Protocol (

Re: [OAUTH-WG] polling in the device flow

2010-06-09 Thread Manger, James H
Right on cue a new internet-draft covering the HTTP polling issue has just appeared: Hypertext Transfer Protocol (HTTP) Timeouts draft-loreto-http-timeout [June 2010] See also: Best Practices for the Use of Long Polling and Strea

Re: [OAUTH-WG] polling in the device flow

2010-06-09 Thread Torsten Lodderstedt
using mechanisms provided by the HTTP protocol sound reasonable to me. I see two questions: 1) Is 503 intended for that purpose? http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html says: "The server is currently unable to handle the request due to a temporary overloading or maintenance of

[OAUTH-WG] polling in the device flow

2010-06-08 Thread Dirk Balfanz
Hi guys, currently, we specify how polling should work in the device flow as part of the OAuth2 spec. I would argue that that polling should be handled at a lower layer of the stack, and that OAuth2 should be silent on the issue of polling. The benefit will be a simpler spec. HTTP specifies the