Thu, 14 Feb 2019 at 21:39, Ivan Vučica <[email protected]>:

> Technically, OAuth2 is not really tied to HTTP, if this is what you
> mean. For all that it matters, you could use XMPP as the transport to
> obtain the access+refresh token (or just a 'permanent' access token).
>

Well, https://tools.ietf.org/html/rfc6749 states:

> This specification is designed for use with HTTP ([RFC2616
> <https://tools.ietf.org/html/rfc2616>]). The
> use of OAuth over any protocol other than HTTP is out of scope.
>

In my book this pretty much means that if you use another protocol (XMPP, pigeon post or whatever), it's no longer OAuth. That's why our developed protocol resembles this very sensible and important protocol, but is not identical to it and does not use it, for the reasons I've stated in a previous email.

> The only way you could address your problem is to issue the access
> credentials via a desktop, which indeed is addressed in the original
> proposal. However, I see this problem as totally orthogonal to 'how do
> we get rid of stored unscoped master passwords on every device a user
> uses'.
>

Well, we're probably talking about different things. The practical problem we're addressing is a capability to reconnect without a password, and to give the account owner the means to revoke this capability. We are concerned about this because every single XMPP client out there has to keep the user's XMPP ID and password to be able to reconnect, and this is bad: someone who gets access to a device can potentially obtain said password and impersonate the user. And this is beyond very bad.

--
Ненахов Андрей
Director, ООО "Редсолюшн" (Челябинск)
(351) 750-50-04
http://www.redsolution.ru
_______________________________________________
Standards mailing list
Info: https://mail.jabber.org/mailman/listinfo/standards
Unsubscribe: [email protected]
_______________________________________________