Discussion:
[OAUTH-WG] I-D Action: draft-ietf-oauth-device-flow-04.txt
i***@ietf.org
2017-02-27 17:46:20 UTC
Permalink
A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Web Authorization Protocol of the IETF.

Title : OAuth 2.0 Device Flow for Browserless and Input Constrained Devices
Authors : William Denniss
John Bradley
Michael B. Jones
Hannes Tschofenig
Filename : draft-ietf-oauth-device-flow-04.txt
Pages : 15
Date : 2017-02-27

Abstract:
This OAuth 2.0 authorization flow for browserless and input
constrained devices, often referred to as the device flow, enables
OAuth clients to request user authorization from devices that have an
Internet connection, but don't have an easy input method (such as a
smart TV, media console, picture frame, or printer), or lack a
suitable browser for a more traditional OAuth flow. This
authorization flow instructs the user to perform the authorization
request on a secondary device, such as a smartphone. There is no
requirement for communication between the constrained device and the
user's secondary device.


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-device-flow/

There's also a htmlized version available at:
https://tools.ietf.org/html/draft-ietf-oauth-device-flow-04

A diff from the previous version is available at:
https://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-device-flow-04


Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/
William Denniss
2017-02-27 18:14:32 UTC
Permalink
My coauthors and I posted draft 04 of the OAuth 2.0 Device Flow for
Browserless and Input Constrained Devices draft today.

Key changes:

1. Title updated to reflect specificity of devices that use this flow.
2. User interaction section expanded.
3. OAuth 2.0 Metadata
<https://tools.ietf.org/html/draft-ietf-oauth-discovery> for the device
authorization endpoint added.
4. User interaction section expanded.
5. Security Considerations section added.
6. Usability Considerations section added.

Please give it a look!
Post by i***@ietf.org
A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Web Authorization Protocol of the IETF.
Title : OAuth 2.0 Device Flow for Browserless and Input
Constrained Devices
Authors : William Denniss
John Bradley
Michael B. Jones
Hannes Tschofenig
Filename : draft-ietf-oauth-device-flow-04.txt
Pages : 15
Date : 2017-02-27
This OAuth 2.0 authorization flow for browserless and input
constrained devices, often referred to as the device flow, enables
OAuth clients to request user authorization from devices that have an
Internet connection, but don't have an easy input method (such as a
smart TV, media console, picture frame, or printer), or lack a
suitable browser for a more traditional OAuth flow. This
authorization flow instructs the user to perform the authorization
request on a secondary device, such as a smartphone. There is no
requirement for communication between the constrained device and the
user's secondary device.
https://datatracker.ietf.org/doc/draft-ietf-oauth-device-flow/
https://tools.ietf.org/html/draft-ietf-oauth-device-flow-04
https://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-device-flow-04
Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.
ftp://ftp.ietf.org/internet-drafts/
_______________________________________________
OAuth mailing list
https://www.ietf.org/mailman/listinfo/oauth
Brian Campbell
2017-03-02 22:49:32 UTC
Permalink
Two little nits about endpoint naming:

Section 2
<https://tools.ietf.org/html/draft-ietf-oauth-device-flow-04#section-2>
defines "device endpoint", which is used in the document everywhere except
the new metadata sections (section 4
<https://tools.ietf.org/html/draft-ietf-oauth-device-flow-04#section-4> and
7.3.1
<https://tools.ietf.org/html/draft-ietf-oauth-device-flow-04#section-7.3.1>)
that use the term "device authorization endpoint.", Not a big deal but
potentially a little confusing.

The example in section 3.1
<https://tools.ietf.org/html/draft-ietf-oauth-device-flow-04#section-3.1>
is supposed to be showing a POST to the device endpoint but the Request-URI
in the Request-Line is "/token", which *could* be the device endpoint but
is probably just a copy/paste error and source of unneeded confusion.
Post by William Denniss
My coauthors and I posted draft 04 of the OAuth 2.0 Device Flow for
Browserless and Input Constrained Devices draft today.
1. Title updated to reflect specificity of devices that use this flow.
2. User interaction section expanded.
3. OAuth 2.0 Metadata
<https://tools.ietf.org/html/draft-ietf-oauth-discovery> for the
device authorization endpoint added.
4. User interaction section expanded.
5. Security Considerations section added.
6. Usability Considerations section added.
Please give it a look!
Post by i***@ietf.org
A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Web Authorization Protocol of the IETF.
Title : OAuth 2.0 Device Flow for Browserless and Input
Constrained Devices
Authors : William Denniss
John Bradley
Michael B. Jones
Hannes Tschofenig
Filename : draft-ietf-oauth-device-flow-04.txt
Pages : 15
Date : 2017-02-27
This OAuth 2.0 authorization flow for browserless and input
constrained devices, often referred to as the device flow, enables
OAuth clients to request user authorization from devices that have an
Internet connection, but don't have an easy input method (such as a
smart TV, media console, picture frame, or printer), or lack a
suitable browser for a more traditional OAuth flow. This
authorization flow instructs the user to perform the authorization
request on a secondary device, such as a smartphone. There is no
requirement for communication between the constrained device and the
user's secondary device.
https://datatracker.ietf.org/doc/draft-ietf-oauth-device-flow/
https://tools.ietf.org/html/draft-ietf-oauth-device-flow-04
https://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-device-flow-04
Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.
ftp://ftp.ietf.org/internet-drafts/
_______________________________________________
OAuth mailing list
https://www.ietf.org/mailman/listinfo/oauth
_______________________________________________
OAuth mailing list
https://www.ietf.org/mailman/listinfo/oauth
William Denniss
2017-03-12 01:51:49 UTC
Permalink
Thanks for the review Brian!
Post by Brian Campbell
Section 2
<https://tools.ietf.org/html/draft-ietf-oauth-device-flow-04#section-2>
defines "device endpoint", which is used in the document everywhere except
the new metadata sections (section 4
<https://tools.ietf.org/html/draft-ietf-oauth-device-flow-04#section-4>
and 7.3.1
<https://tools.ietf.org/html/draft-ietf-oauth-device-flow-04#section-7.3.1>)
that use the term "device authorization endpoint.", Not a big deal but
potentially a little confusing.
It should be "device authorization endpoint" everywhere to be as clear as
possible. I fixed the reference in Section 2, didn't find any other "device
endpoint" instances.
Post by Brian Campbell
The example in section 3.1
<https://tools.ietf.org/html/draft-ietf-oauth-device-flow-04#section-3.1>
is supposed to be showing a POST to the device endpoint but the Request-URI
in the Request-Line is "/token", which *could* be the device endpoint but
is probably just a copy/paste error and source of unneeded confusion.
Fixed in the next update, thanks!
Post by Brian Campbell
Post by William Denniss
My coauthors and I posted draft 04 of the OAuth 2.0 Device Flow for
Browserless and Input Constrained Devices draft today.
1. Title updated to reflect specificity of devices that use this flow.
2. User interaction section expanded.
3. OAuth 2.0 Metadata
<https://tools.ietf.org/html/draft-ietf-oauth-discovery> for the
device authorization endpoint added.
4. User interaction section expanded.
5. Security Considerations section added.
6. Usability Considerations section added.
Please give it a look!
Post by i***@ietf.org
A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Web Authorization Protocol of the IETF.
Title : OAuth 2.0 Device Flow for Browserless and
Input Constrained Devices
Authors : William Denniss
John Bradley
Michael B. Jones
Hannes Tschofenig
Filename : draft-ietf-oauth-device-flow-04.txt
Pages : 15
Date : 2017-02-27
This OAuth 2.0 authorization flow for browserless and input
constrained devices, often referred to as the device flow, enables
OAuth clients to request user authorization from devices that have an
Internet connection, but don't have an easy input method (such as a
smart TV, media console, picture frame, or printer), or lack a
suitable browser for a more traditional OAuth flow. This
authorization flow instructs the user to perform the authorization
request on a secondary device, such as a smartphone. There is no
requirement for communication between the constrained device and the
user's secondary device.
https://datatracker.ietf.org/doc/draft-ietf-oauth-device-flow/
https://tools.ietf.org/html/draft-ietf-oauth-device-flow-04
https://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-device-flow-04
Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.
ftp://ftp.ietf.org/internet-drafts/
_______________________________________________
OAuth mailing list
https://www.ietf.org/mailman/listinfo/oauth
_______________________________________________
OAuth mailing list
https://www.ietf.org/mailman/listinfo/oauth
Loading...