[WG-UMA] OAuth Dynamic Binding - Web App

Maciej Machulak m.p.machulak at newcastle.ac.uk
Thu Jul 22 19:14:48 EDT 2010


Yes, the second one would be a mobile app (WWW being its website). It's just a quick proposal and I'll answer the questions and address comments tomorrow.

Cheers,
Maciej

>-----Original Message-----
>From: Eve Maler [mailto:eve at xmlgrrl.com]
>Sent: 22 July 2010 23:59
>To: Maciej Machulak
>Cc: WG UMA
>Subject: Re: [WG-UMA] OAuth Dynamic Binding - Web App
>
>So is the first one a web app and the second one a native app?  I'm not
>sure who "WWW" is in the second one.
>
>My thinking, at the end of the call, was that we should propose a merged
>solution that looks like this:
>
>- The server expects all clients to give ("push") it a URL at a minimum,
>since this is the minimum required info to share with a user to ensure
>authorization is done with the right party and to discover more
>metadata.
>
>- The client can additionally supply ("push") some portion, or all, of
>the other relevant metadata.  [Can we assume that web-app clients
>exclusively "push" all necessary metadata, and native-app clients
>exclusively "push" only a URL?  This way we don't even need a parameter
>to declare the "type" of registration pattern.  I assume this below.]
>
>- The metadata supplied ("pushed") by the client could be signed or
>unsigned.
>
>- If signed, the server retrieves ("pulls") a public key from the
>supplied URL in order to validate the signature, having correlated the
>domain the client is coming from with the supplied URL.
>
>- If only a URL was "pushed", the server returns a random value of the
>sort shown in Maciej's diagram, which the native app is required to
>stuff into a location on its home server, with additional back-and-forth
>as shown...
>
>Does this merge the approaches neatly enough?  Is it secure and
>efficient enough?
>
>	Eve
>
>On 22 Jul 2010, at 3:39 PM, Maciej Machulak wrote:
>
>> I've updated the diagram but the provided link still shows the old
>version. Take a look at these links then:
>>
>> http://tinyurl.com/275w9rx
>> http://tinyurl.com/3a8tfmr
>>
>> Cheers,
>> Maciej
>>
>>
>>> -----Original Message-----
>>> From: wg-uma-bounces at kantarainitiative.org [mailto:wg-uma-
>>> bounces at kantarainitiative.org] On Behalf Of Maciej Machulak
>>> Sent: 22 July 2010 23:35
>>> To: WG UMA
>>> Subject: [WG-UMA] OAuth Dynamic Binding - Web App
>>>
>>> Hi,
>>>
>>> A sample flow discussed today for dynamic binding could be as
>following:
>>>
>>> http://tinyurl.com/oauth-binding-web
>>>
>>> Cheers,
>>> Maciej
>>> _______________________________________________
>>> WG-UMA mailing list
>>> WG-UMA at kantarainitiative.org
>>> http://kantarainitiative.org/mailman/listinfo/wg-uma
>> _______________________________________________
>> WG-UMA mailing list
>> WG-UMA at kantarainitiative.org
>> http://kantarainitiative.org/mailman/listinfo/wg-uma
>
>
>Eve Maler
>http://www.xmlgrrl.com/blog
>http://www.twitter.com/xmlgrrl
>http://www.linkedin.com/in/evemaler



More information about the WG-UMA mailing list