<html><head></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><div>So the "WWW" component (from Maciej's diagram) would be making the initial approach to the AS? That seems to make sense. Would love to hear Nat's comments based on his mobile experience, and comments from others, as well.</div><div><br></div><div><span class="Apple-tab-span" style="white-space:pre">        </span>Eve</div><br><div><div>On 23 Jul 2010, at 3:37 AM, Domenico Catalano wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite"><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">Hi,<div><br></div><div>here is an alternative pattern for mobile client registration, maybe close to the iPhone App lifecycle ;)</div><div>Attached is a high-level diagram which shows the whole possible process:</div><div><br></div><div>1. <a href="http://Developer.Com/">Developer.Com</a> publishes the App into the App Store</div><div>2. User buys the App in the App Store (Authentication is requested)</div><div>3. App is provisioned into the iPhone</div><div>- Client registration</div><div>4. User runs the App and signs up with <a href="http://Developer.Com/">Developer.Com</a> (Authentication is requested)</div><div>5. <a href="http://Developer.Com/">Developer.Com</a> "Initializes" a Client Registration process with Authorization Server/AM (PKI trust relationship between the parties is requested)</div><div>6. Authorization Server sends a response to <a href="http://Developer.Com/">Developer.Com</a> (including AS/metadata and cryptographic data)</div><div>7. <a href="http://Developer.Com/">Developer.Com</a> sends an ACK message to App client (including AS/metadata)</div><div>8. App "Finalizes" the client Registration process with the Authorization Server/AM</div><div>9. 
App client receives client_id and secret.</div><div><br></div><div>What do you think?</div><div><br></div><div>Domenico</div><div><br></div><div><br></div><div><br></div><div></div></div><span>&lt;PastedGraphic-1.pdf&gt;</span><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><div></div><div><br></div><div><br></div><div><br></div><div><br></div><div><br></div><div><br><div><div>On Jul 23, 2010, at 1:14 AM, Maciej Machulak wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite"><div>Yes, the second one would be a mobile app (WWW being its website). It's just a quick proposal and I'll answer the questions and address comments tomorrow.<br><br>Cheers,<br>Maciej<br><br><blockquote type="cite">-----Original Message-----<br></blockquote><blockquote type="cite">From: Eve Maler [mailto:eve@xmlgrrl.com]<br></blockquote><blockquote type="cite">Sent: 22 July 2010 23:59<br></blockquote><blockquote type="cite">To: Maciej Machulak<br></blockquote><blockquote type="cite">Cc: WG UMA<br></blockquote><blockquote type="cite">Subject: Re: [WG-UMA] OAuth Dynamic Binding - Web App<br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">So is the first one a web app and the second one a native app? 
&nbsp;I'm not<br></blockquote><blockquote type="cite">sure who "WWW" is in the second one.<br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">My thinking, at the end of the call, was that we should propose a merged<br></blockquote><blockquote type="cite">solution that looks like this:<br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">- The server expects all clients to give ("push") it a URL at a minimum,<br></blockquote><blockquote type="cite">since this is the minimum required info to share with a user to ensure<br></blockquote><blockquote type="cite">authorization is done with the right party and to discover more<br></blockquote><blockquote type="cite">metadata.<br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">- The client can additionally supply ("push") some portion, or all, of<br></blockquote><blockquote type="cite">the other relevant metadata. &nbsp;[Can we assume that web-app clients<br></blockquote><blockquote type="cite">exclusively "push" all necessary metadata, and native-app clients<br></blockquote><blockquote type="cite">exclusively "push" only a URL? &nbsp;This way we don't even need a parameter<br></blockquote><blockquote type="cite">to declare the "type" of registration pattern. 
&nbsp;I assume this below.]<br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">- The metadata supplied ("pushed") by the client could be signed or<br></blockquote><blockquote type="cite">unsigned.<br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">- If signed, the server retrieves ("pulls") a public key from the<br></blockquote><blockquote type="cite">supplied URL in order to validate the signature, having correlated the<br></blockquote><blockquote type="cite">domain the client is coming from with the supplied URL.<br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">- If only a URL was "pushed", the server returns a random value of the<br></blockquote><blockquote type="cite">sort shown in Maciej's diagram, which the native app is required to<br></blockquote><blockquote type="cite">stuff into a location on its home server, with additional back-and-forth<br></blockquote><blockquote type="cite">as shown...<br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">Does this merge the approaches neatly enough? &nbsp;Is it secure and<br></blockquote><blockquote type="cite">efficient enough?<br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite"><span class="Apple-tab-span" style="white-space:pre">        </span>Eve<br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">On 22 Jul 2010, at 3:39 PM, Maciej Machulak wrote:<br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite"><blockquote type="cite">I've updated the diagram but the provided link still shows the old<br></blockquote></blockquote><blockquote type="cite">version. 
Take a look at these links then:<br></blockquote><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><a href="http://tinyurl.com/275w9rx">http://tinyurl.com/275w9rx</a><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><a href="http://tinyurl.com/3a8tfmr">http://tinyurl.com/3a8tfmr</a><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite">Cheers,<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite">Maciej<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">-----Original Message-----<br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">From: <a href="mailto:wg-uma-bounces@kantarainitiative.org">wg-uma-bounces@kantarainitiative.org</a> [mailto:wg-uma-<br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">bounces@kantarainitiative.org] On Behalf Of Maciej Machulak<br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">Sent: 22 July 2010 23:35<br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">To: WG UMA<br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">Subject: [WG-UMA] OAuth Dynamic Binding - Web App<br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote 
type="cite">Hi,<br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">A sample flow discussed today for dynamic binding could be as<br></blockquote></blockquote></blockquote><blockquote type="cite">following:<br></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><a href="http://tinyurl.com/oauth-binding-web">http://tinyurl.com/oauth-binding-web</a><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">Cheers,<br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">Maciej<br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">_______________________________________________<br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">WG-UMA mailing list<br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><a href="mailto:WG-UMA@kantarainitiative.org">WG-UMA@kantarainitiative.org</a><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><a href="http://kantarainitiative.org/mailman/listinfo/wg-uma">http://kantarainitiative.org/mailman/listinfo/wg-uma</a><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite">_______________________________________________<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite">WG-UMA mailing 
list<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><a href="mailto:WG-UMA@kantarainitiative.org">WG-UMA@kantarainitiative.org</a><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><a href="http://kantarainitiative.org/mailman/listinfo/wg-uma">http://kantarainitiative.org/mailman/listinfo/wg-uma</a><br></blockquote></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">Eve Maler<br></blockquote><blockquote type="cite"><a href="http://www.xmlgrrl.com/blog">http://www.xmlgrrl.com/blog</a><br></blockquote><blockquote type="cite"><a href="http://www.twitter.com/xmlgrrl">http://www.twitter.com/xmlgrrl</a><br></blockquote><blockquote type="cite"><a href="http://www.linkedin.com/in/evemaler">http://www.linkedin.com/in/evemaler</a><br></blockquote><br>_______________________________________________<br>WG-UMA mailing list<br><a href="mailto:WG-UMA@kantarainitiative.org">WG-UMA@kantarainitiative.org</a><br><a href="http://kantarainitiative.org/mailman/listinfo/wg-uma">http://kantarainitiative.org/mailman/listinfo/wg-uma</a><br></div></blockquote></div><br><div>
<div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><div><p>Domenico Catalano | Identity Architect | +39.335.7257896<br>Oracle Fusion Middleware<br>via G. Romagnosi - 00142 Rome, Italy</p></div></div>
</div>
<br></div></div></blockquote></div><br><div>
<div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><div>Eve Maler</div><div><a href="http://www.xmlgrrl.com/blog">http://www.xmlgrrl.com/blog</a></div><div><a href="http://www.twitter.com/xmlgrrl">http://www.twitter.com/xmlgrrl</a></div><div><a href="http://www.linkedin.com/in/evemaler">http://www.linkedin.com/in/evemaler</a></div></div>
</div>
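<div>The merged registration pattern Eve sketches in the quoted message above (every client pushes a URL; a web app may also push signed metadata, which the AS checks by pulling a key from that URL; a native app that pushes only a URL gets back a random value that its home server "WWW" must publish before the AS finalizes), written out as an added, runnable simulation. This is example code written for this page, not code from the UMA working group, from Maciej's or Domenico's diagrams, or from any specification. The in-memory home server, the <code>/.well-known/...</code> paths, the field names, and the use of an HMAC key in place of a real public key are all assumptions made so the example runs on the Python standard library alone.</div>

```python
# Added example (not from the UMA WG thread or any spec): a stand-alone
# simulation of the merged registration pattern, with the client's home
# server (WWW) and the authorization server (AS) both in memory.
# Every path, field name and the key scheme below is an assumption.
import hashlib
import hmac
import json
import secrets
from urllib.parse import urlparse

# Constructed stand-in for the client's home server: URL -> published body.
# A real AS would do an HTTPS GET; the scheme check in pull() is the only
# part of transport security that survives the simulation.
HOME_SERVER = {}

# Assumption: the "public key" the AS pulls is modelled as a shared HMAC key.
# A deployment would publish a real public key and verify an asymmetric
# signature instead; HMAC is used here only to stay on the standard library.
CLIENT_KEY = b"example-key-not-for-production"

KEY_PATH = "/.well-known/uma-key"              # assumed location of the key
CHALLENGE_PATH = "/.well-known/uma-challenge"  # assumed location of the nonce


def publish(url, body):
    """The home server (WWW) makes a document available at url."""
    HOME_SERVER[url] = body


def pull(url):
    """The AS fetches from the client's declared URL; https only."""
    if urlparse(url).scheme != "https":
        raise ValueError("refusing to pull from a non-https URL: " + url)
    return HOME_SERVER.get(url)


def sign_metadata(metadata, key):
    """Canonical JSON so client and AS MAC byte-identical input."""
    canonical = json.dumps(metadata, sort_keys=True, separators=(",", ":"))
    return hmac.new(key, canonical.encode(), hashlib.sha256).hexdigest()


class AuthorizationServer:
    def __init__(self):
        self.pending = {}  # client_url -> challenge awaiting publication
        self.clients = {}  # client_id -> registration record

    def register(self, request_origin, client_url, metadata=None, signature=None):
        """Single entry point: what the client pushes selects the path."""
        if urlparse(client_url).scheme != "https":
            return {"error": "client_url_must_be_https"}
        if metadata is None:
            # Native-app path: only a URL was pushed. Hand back a random value
            # the app must get its home server to publish, then finalize().
            challenge = secrets.token_urlsafe(32)
            self.pending[client_url] = challenge
            return {"challenge": challenge, "publish_at": client_url + CHALLENGE_PATH}
        # Web-app path: metadata pushed. Correlate the origin the request came
        # from with the URL it claims, then verify the signature if present.
        if urlparse(request_origin).hostname != urlparse(client_url).hostname:
            return {"error": "origin_mismatch"}
        if signature is not None:
            key = pull(client_url + KEY_PATH)
            if key is None or not hmac.compare_digest(
                    sign_metadata(metadata, key), signature):
                return {"error": "invalid_signature"}
        return self._issue(client_url, metadata)

    def finalize(self, client_url):
        """Native-app path, second leg: is the nonce where it should be?"""
        expected = self.pending.pop(client_url, None)
        if expected is None:
            return {"error": "no_pending_registration"}
        found = pull(client_url + CHALLENGE_PATH)
        if not isinstance(found, str) or not hmac.compare_digest(found, expected):
            return {"error": "challenge_not_found"}
        return self._issue(client_url, {"client_url": client_url})

    def _issue(self, client_url, metadata):
        client_id = secrets.token_urlsafe(16)
        client_secret = secrets.token_urlsafe(32)
        # Store only a hash of the secret; the plaintext goes to the client once.
        self.clients[client_id] = {
            "client_url": client_url,
            "metadata": metadata,
            "secret_sha256": hashlib.sha256(client_secret.encode()).hexdigest(),
        }
        return {"client_id": client_id, "client_secret": client_secret}


def demo_web_app(tamper=False):
    """Web app pushes URL + signed metadata; AS pulls the key and verifies."""
    url = "https://webapp.example"
    publish(url + KEY_PATH, CLIENT_KEY)
    metadata = {"client_url": url, "redirect_uri": url + "/callback"}
    signature = sign_metadata(metadata, CLIENT_KEY)
    if tamper:  # an attacker swaps the redirect URI but cannot re-sign
        metadata["redirect_uri"] = "https://evil.example/callback"
    return AuthorizationServer().register(url, url, metadata, signature)


def demo_native_app(publish_challenge=True):
    """Native app pushes only a URL; WWW must publish the AS's random value."""
    url = "https://app.developer.example"
    as_ = AuthorizationServer()
    step1 = as_.register("https://203.0.113.7", url)  # phone's origin, not WWW's
    if publish_challenge:
        publish(step1["publish_at"], step1["challenge"])
    else:
        HOME_SERVER.pop(step1["publish_at"], None)
    return as_.finalize(url)
```

<div>Two design points worth noticing when running it. The origin-to-URL correlation is applied only on the web-app path: a native app connects from the user's device, not from the developer's domain, so for that path the published nonce is the only thing tying the registration to whoever operates the URL, which is why the AS refuses to finalize until it has pulled the value back from the declared host over https. And unsigned metadata (the <code>signature=None</code> case) is accepted on nothing more than the origin check, so an AS that wants redirect URIs it can trust should insist on the signed variant.</div>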
<br></body></html>