[WG-UMA] OAuth Dynamic Binding - Web App
eve at xmlgrrl.com
Thu Jul 22 18:59:14 EDT 2010
So is the first one a web app and the second one a native app? I'm not sure who "WWW" is in the second one.
My thinking, at the end of the call, was that we should propose a merged solution that looks like this:
- The server expects all clients to give ("push") it a URL at a minimum, since this is the minimum required info to share with a user to ensure authorization is done with the right party and to discover more metadata.
- The client can additionally supply ("push") some portion, or all, of the other relevant metadata. [Can we assume that web-app clients exclusively "push" all necessary metadata, and native-app clients exclusively "push" only a URL? This way we don't even need a parameter to declare the "type" of registration pattern. I assume this below.]
- The metadata supplied ("pushed") by the client could be signed or unsigned.
- If signed, the server retrieves ("pulls") a public key from the supplied URL in order to validate the signature, having correlated the domain the client is coming from with the supplied URL.
- If only a URL was "pushed", the server returns a random value of the sort shown in Maciej's diagram, which the native app is required to stuff into a location on its home server, with additional back-and-forth as shown...
Does this merge the approaches neatly enough? Is it secure and efficient enough?
On 22 Jul 2010, at 3:39 PM, Maciej Machulak wrote:
> I've updated the diagram but the provided link still shows the old version. Take a look at these links then:
>> -----Original Message-----
>> From: wg-uma-bounces at kantarainitiative.org [mailto:wg-uma-bounces at kantarainitiative.org] On Behalf Of Maciej Machulak
>> Sent: 22 July 2010 23:35
>> To: WG UMA
>> Subject: [WG-UMA] OAuth Dynamic Binding - Web App
>> A sample flow discussed today for dynamic binding could be as follows:
>> WG-UMA mailing list
>> WG-UMA at kantarainitiative.org
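
The URL-only path from the proposal above (the server returns a random value, the native app places it on its home server, the server pulls it back), sketched as an added example that is not part of the original thread. The proof location, the expiry time and the injected `fetch` callable are assumptions; the thread does not specify them.

```python
import hmac
import secrets
import time
from urllib.parse import urlsplit

CHALLENGE_TTL = 300                      # seconds; assumed policy value
PROOF_PATH = "/.well-known/uma-binding"  # hypothetical location, not from the thread


class BindingServer:
    """Server side of the URL-only ("push a URL, prove control") path."""

    def __init__(self, fetch, now=time.time):
        self.fetch = fetch    # callable(url) -> str or None, injected so this runs offline
        self.now = now
        self.pending = {}     # client URL -> (challenge, expiry)

    def register(self, client_url):
        """Client pushed only a URL: hand back a one-time random value."""
        parts = urlsplit(client_url)
        if parts.scheme != "https" or not parts.hostname:
            raise ValueError("client URL must be an absolute https URL")
        challenge = secrets.token_urlsafe(32)
        self.pending[client_url] = (challenge, self.now() + CHALLENGE_TTL)
        return challenge

    def confirm(self, client_url):
        """Pull the value from the client's home server and compare it."""
        entry = self.pending.pop(client_url, None)  # single use, pass or fail
        if entry is None:
            return False
        challenge, expiry = entry
        if self.now() > expiry:
            return False
        # The proof URL is built from the registered host only, so the
        # client cannot point the pull at a different origin.
        host = urlsplit(client_url).hostname
        published = self.fetch(f"https://{host}{PROOF_PATH}")
        if published is None:
            return False
        return hmac.compare_digest(published.strip().encode(), challenge.encode())


def demo():
    home_server = {}  # constructed stand-in for the client's home server
    srv = BindingServer(fetch=home_server.get)
    url = "https://client.example/app"
    home_server["https://client.example" + PROOF_PATH] = srv.register(url)
    return srv.confirm(url)
```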