[WG-UMA] OAuth Dynamic Binding - Web App

Eve Maler eve at xmlgrrl.com
Thu Jul 22 18:59:14 EDT 2010


So is the first one a web app and the second one a native app?  I'm not sure who "WWW" is in the second one.

My thinking, at the end of the call, was that we should propose a merged solution that looks like this:

- The server expects all clients to give ("push") it a URL at a minimum, since this is the minimum required info to share with a user to ensure authorization is done with the right party and to discover more metadata.

- The client can additionally supply ("push") some portion, or all, of the other relevant metadata.  [Can we assume that web-app clients exclusively "push" all necessary metadata, and native-app clients exclusively "push" only a URL?  This way we don't even need a parameter to declare the "type" of registration pattern.  I assume this below.]

- The metadata supplied ("pushed") by the client could be signed or unsigned.

- If signed, the server retrieves ("pulls") a public key from the supplied URL in order to validate the signature, having correlated the domain the client is coming from with the supplied URL.

- If only a URL was "pushed", the server returns a random value of the sort shown in Maciej's diagram, which the native app is required to stuff into a location on its home server, with additional back-and-forth as shown...

Does this merge the approaches neatly enough?  Is it secure and efficient enough?

	Eve

On 22 Jul 2010, at 3:39 PM, Maciej Machulak wrote:

> I've updated the diagram but the provided link still shows the old version. Take a look at these links then:
> 
> http://tinyurl.com/275w9rx 
> http://tinyurl.com/3a8tfmr
> 
> Cheers,
> Maciej
> 
> 
>> -----Original Message-----
>> From: wg-uma-bounces at kantarainitiative.org [mailto:wg-uma-
>> bounces at kantarainitiative.org] On Behalf Of Maciej Machulak
>> Sent: 22 July 2010 23:35
>> To: WG UMA
>> Subject: [WG-UMA] OAuth Dynamic Binding - Web App
>> 
>> Hi,
>> 
>> A sample flow discussed today for dynamic binding could be as follows:
>> 
>> http://tinyurl.com/oauth-binding-web
>> 
>> Cheers,
>> Maciej
>> _______________________________________________
>> WG-UMA mailing list
>> WG-UMA at kantarainitiative.org
>> http://kantarainitiative.org/mailman/listinfo/wg-uma


Eve Maler
http://www.xmlgrrl.com/blog
http://www.twitter.com/xmlgrrl
http://www.linkedin.com/in/evemaler
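
A server-side sketch of the merged registration pattern proposed in this message, added here as an illustration and not taken from the thread or from any UMA/OAuth implementation. The function names, the `CHALLENGE_PATH` location, the HTTPS requirement and the injected `fetch` callable are assumptions; validation of signed metadata against a pulled public key is not shown, only the URL/origin correlation that precedes it.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Hypothetical location on the client's home server where the value is placed.
CHALLENGE_PATH = "/oauth-binding-challenge.txt"
_pending = {}  # client URL -> outstanding random value (in-memory for the demo)


def _host(client_url):
    """Return the lowercased host of an https URL, or None if unusable."""
    parts = urlsplit(client_url)
    return parts.hostname if parts.scheme == "https" else None


def register(client_url, origin_host=None, metadata=None):
    """First leg: pick the pattern from what the client pushed."""
    host = _host(client_url)
    if host is None:
        return {"status": "rejected", "reason": "https url required"}
    if metadata is not None:
        # Metadata was pushed: correlate the caller's domain with the URL
        # before trusting anything (or pulling a key) from that URL.
        if host != (origin_host or "").lower():
            return {"status": "rejected", "reason": "url/origin mismatch"}
        return {"status": "registered", "metadata": metadata}
    # Only a URL was pushed: return a random value for the client to publish.
    value = secrets.token_urlsafe(32)
    _pending[client_url] = value
    return {"status": "challenge", "value": value, "publish_at": CHALLENGE_PATH}


def confirm(client_url, fetch):
    """Second leg: pull the value from the home server and compare it."""
    expected = _pending.pop(client_url, None)  # each value is single use
    if expected is None:
        return False
    found = fetch(f"https://{_host(client_url)}{CHALLENGE_PATH}")
    if found is None:
        return False
    # Constant-time comparison of the published value with the issued one.
    return hmac.compare_digest(found.strip().encode(), expected.encode())
```

`fetch` takes a URL and returns the body text or `None`; passing it in keeps the sketch runnable offline, and a real deployment would substitute an HTTPS client with certificate validation.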