Discussion:
[OAUTH-WG] I-D Action: draft-ietf-oauth-device-flow-03.txt
i***@ietf.org
2016-07-18 08:58:03 UTC
A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Web Authorization Protocol of the IETF.

Title : OAuth 2.0 Device Flow
Authors : William Denniss
Stein Myrseth
John Bradley
Michael B. Jones
Hannes Tschofenig
Filename : draft-ietf-oauth-device-flow-03.txt
Pages : 10
Date : 2016-07-18

Abstract:
The device flow is suitable for OAuth 2.0 clients executing on
devices that do not have an easy data-entry method (e.g., game
consoles, TVs, picture frames, and media hubs), but where the end-
user has separate access to a user-agent on another computer or
device (e.g., desktop computer, a laptop, a smart phone, or a
tablet).


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-device-flow/

There's also a htmlized version available at:
https://tools.ietf.org/html/draft-ietf-oauth-device-flow-03

A diff from the previous version is available at:
https://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-device-flow-03


Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/
t***@lodderstedt.net
2016-07-21 12:56:53 UTC
Hi William,

one question regarding your document: why does the introduction point
out:

"Note that this device flow does not utilize the client secret."

What is the reason for this exclusion? In my opinion, this flow can be
used by web-based confidential clients as well as native clients
utilizing dynamic registration.

Moreover, section 3.4 states
"If the client was issued client credentials (or assigned other
authentication requirements), the client MUST authenticate with the
authorization server as described in Section 3.2.1 of [RFC6749]."

best regards,
Torsten.
_______________________________________________
OAuth mailing list
https://www.ietf.org/mailman/listinfo/oauth
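As an added illustration of the section 3.4 requirement quoted above (example code, not from the draft or from anyone in this thread): a client builds the device access token request with or without client authentication, and the authorization server enforces that any client issued credentials actually presents them. The grant_type URN is assumed from the device flow as later published in RFC 8628; the client ids and secret are constructed for the example.

```python
import base64
import hmac
from urllib.parse import parse_qs, urlencode

# Assumed grant type value (RFC 8628); the draft's exact value is not quoted here.
DEVICE_GRANT = "urn:ietf:params:oauth:grant-type:device_code"

# Constructed client registry for the example authorization server.
# None means no secret was issued (public client).
REGISTERED_CLIENTS = {
    "tv-app": None,               # public client, e.g. a game console or TV
    "web-hub": "s3cret-example",  # confidential client with issued credentials
}


def build_token_request(device_code, client_id, client_secret=None):
    """Return (headers, body) for the device access token request.

    A confidential client authenticates with HTTP Basic as in RFC 6749
    section 2.3.1; a public client only identifies itself via client_id.
    """
    params = {"grant_type": DEVICE_GRANT, "device_code": device_code}
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if client_secret is None:
        params["client_id"] = client_id
    else:
        creds = f"{client_id}:{client_secret}".encode()
        headers["Authorization"] = "Basic " + base64.b64encode(creds).decode()
    return headers, urlencode(params)


def authenticate_client(headers, body):
    """Server side: return the authenticated client_id, or an OAuth error code.

    Enforces section 3.4: a client that was issued credentials MUST
    authenticate, so a bare client_id from such a client is rejected.
    """
    params = {k: v[0] for k, v in parse_qs(body).items()}
    auth = headers.get("Authorization", "")
    if auth.startswith("Basic "):
        try:
            client_id, secret = base64.b64decode(auth[6:]).decode().split(":", 1)
        except (ValueError, UnicodeDecodeError):
            return "invalid_client"
        expected = REGISTERED_CLIENTS.get(client_id)
        if expected is None or not hmac.compare_digest(expected, secret):
            return "invalid_client"
        return client_id
    client_id = params.get("client_id")
    if client_id not in REGISTERED_CLIENTS or REGISTERED_CLIENTS[client_id] is not None:
        return "invalid_client"  # unknown, or confidential client without its secret
    return client_id
```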
Justin Richer
2016-07-21 13:47:33 UTC
+1 to Torsten's comment, there's no good reason that I can see to limit
this to public clients.

-- Justin
William Denniss
2016-07-21 14:21:07 UTC
Good points. That wording was from the original draft from years ago and
has not been changed. I'll revise it on the next update.

Here's a more modern take on the topic of client secrets in native apps:
https://tools.ietf.org/html/draft-ietf-oauth-native-apps-03#section-10

In this case, like you say, we may have confidential clients too. Certainly
many uses of the device flow that I see are for public clients, so I could
include text like that.