On Mar 16, 2010, at 12:19 PM, Shafi, Saleem wrote:

> Is there any interest in being able to respond with multiple 
> oauth_verification_url values?  I can foresee the possibility of the 
> Authorization Server being able to support browser-based user verification 
> (http/https) or text messages (assuming we could authenticate the user on 
> sending the SMS)..  Letting the authorization server return multiple URLs 
> could give the client/user more options..

Authenticating the user via text message is an awesome idea, but we can't 
really communicate that to the device as another oauth_verification_url. This 
is probably worthy of another profile. Using SMS to auth could also be useful 
at an untrusted computer at an internet cafe -- maybe you don't want to 
authenticate yourself with the AS via password in case a keylogger is installed.

> Also, would there be room in this profile for a scenario where the user 
> verification code isn't returned to the client, but rather sent to the user 
> directly?  If the initial request that the client makes includes some 
> identifier for the user and the authorization server has contact information 
> for that user, could the AS inform the user (via email, sms, IVR, etc) of a 
> one-time user code that they would enter into the device*?  It's sort of the 
> reverse model, but it should still establish a connection between the device, 
> AS and user..  This profile might make sense where the device has very simple 
> data entry options and the user might not be near a browser-capable device..

I'm not sure I like the reverse of this scenario. What stops other people from 
entering my identifier into their device, thus causing the AS to ping me via 
email or SMS? Also, the Device Profile was created as the reverse of OAuth, so 
the reverse of the Device Profile is just a variation on regular OAuth! Maybe 
this could be developed into yet another profile.

-Brent


> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf Of 
> Brent Goldman
> Sent: Thursday, March 11, 2010 4:28 AM
> To: OAuth WG ([email protected])
> Subject: [OAUTH-WG] Device Profile
> 
> Over the past couple days, Luke Shepard, David Recordon, and I have been 
> brainstorming an OAuth profile for standardizing the flow that devices such 
> as game consoles and entertainment centers use to hook up with services such 
> as Netflix and iTunes. The basic flow is that a device can gain authorization 
> by directing the user to visit a URL on their computer and to enter a 
> verification code copied from the device's screen.
> 
> A draft spec is attached to this email. Any thoughts or feedback?
> 
> Note: this is one of the many profiles going into the OAuth 2.0 draft that 
> David is writing (http://daveman692.livejournal.com/349384.html).
> 
> -Brent
> 
> 

_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
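The device flow Brent describes in his original message (device gets a code, user visits a URL on their own computer and types the code, device then picks up its authorization), as an added example that is not part of the thread or the attached draft. Both sides are simulated in one process. The class and function names, the error strings, the user-code alphabet and format, the client and user names, and the URL as.example are my assumptions; the only parameter name taken from the page is oauth_verification_url. The error strings are the ones this flow later settled on in RFC 8628, not necessarily the 2010 draft's.

```python
# Added example, not the draft's or the mailing list's code: a toy model of the
# device flow. Names, error strings and the user-code format are assumptions.
import secrets
import time


class FakeClock:
    """Injectable clock so expiry and polling intervals can be exercised offline."""
    def __init__(self, start=1_000_000.0):
        self.t = start

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


class DeviceAuthorizationServer:
    # Alphabet for the code a human types by hand (assumed): no vowels, no 0/O or 1/I.
    USER_CODE_ALPHABET = "BCDFGHJKLMNPQRSTVWXZ23456789"

    def __init__(self, verification_url, clock=time.time, ttl=600, interval=5, max_failures=5):
        self.verification_url = verification_url
        self.clock = clock
        self.ttl = ttl                    # seconds a pending authorization stays valid
        self.interval = interval          # minimum seconds between device polls
        self.max_failures = max_failures  # wrong user codes tolerated per browser session
        self._pending = {}                # device_code -> authorization record
        self._by_user_code = {}           # normalised user_code -> device_code
        self._failures = {}               # browser session -> wrong-code count

    def start(self, client_id, scope):
        """Step 1: the device asks for codes. device_code is a high-entropy secret that
        never leaves the device; user_code is short because a person types it."""
        device_code = secrets.token_urlsafe(32)
        raw = "".join(secrets.choice(self.USER_CODE_ALPHABET) for _ in range(8))
        self._pending[device_code] = {
            "client_id": client_id, "scope": scope, "user_code": raw,
            "expires": self.clock() + self.ttl, "last_poll": 0.0,
            "status": "pending", "user": None,
        }
        self._by_user_code[raw] = device_code
        return {
            "device_code": device_code,
            "user_code": raw[:4] + "-" + raw[4:],        # what the device shows on screen
            "oauth_verification_url": self.verification_url,
            "expires_in": self.ttl,
            "interval": self.interval,
        }

    def verify(self, session, typed_code, user, approve=True):
        """Step 2: the user, already logged in to the AS on their own computer (session),
        types the code from the device. Wrong guesses are counted per session so the
        short code cannot be brute-forced through this endpoint; a code is single-use."""
        if self._failures.get(session, 0) >= self.max_failures:
            return "locked_out"
        normalised = typed_code.replace("-", "").replace(" ", "").upper()
        device_code = self._by_user_code.pop(normalised, None)
        record = self._pending.get(device_code)
        if record is None or record["expires"] <= self.clock():
            self._failures[session] = self._failures.get(session, 0) + 1
            return "invalid_code"
        record["status"] = "approved" if approve else "denied"
        record["user"] = user
        return record["status"]

    def poll(self, device_code, client_id):
        """Step 3: the device polls with its device_code until the user has acted."""
        record = self._pending.get(device_code)
        if record is None or record["client_id"] != client_id:
            return {"error": "invalid_grant"}       # same answer for unknown and mismatched
        now = self.clock()
        if record["expires"] <= now:
            self._pending.pop(device_code)
            self._by_user_code.pop(record["user_code"], None)
            return {"error": "expired_token"}
        if now - record["last_poll"] < self.interval:
            return {"error": "slow_down"}
        record["last_poll"] = now
        if record["status"] == "pending":
            return {"error": "authorization_pending"}
        self._pending.pop(device_code)              # device_code is spent either way
        if record["status"] == "denied":
            return {"error": "access_denied"}
        return {"access_token": secrets.token_urlsafe(32), "token_type": "bearer",
                "scope": record["scope"], "user": record["user"]}


def run_flow(clock):
    """Drive one complete exchange (constructed sample data); returns (poll replies, token)."""
    server = DeviceAuthorizationServer("https://as.example/device", clock=clock, interval=5)
    step1 = server.start("console-123", "video:watch")
    replies = [server.poll(step1["device_code"], "console-123")]    # user has not acted yet
    replies.append(server.poll(step1["device_code"], "console-123"))  # polled again too soon
    clock.advance(5)
    server.verify("alice-browser", "WRONG-CODE", "alice")             # one typo, counted
    replies.append(server.verify("alice-browser", step1["user_code"].lower(), "alice"))
    token = server.poll(step1["device_code"], "console-123")
    return replies, token
```

The point of splitting the secret in two: the hand-typed user code has to be short, so the verification endpoint is where an attacker would guess, and the defences (per-session failure cap, expiry, one-time use) sit there; the device code carries the entropy, is bound to the client that requested it, and is what the access token is actually issued against.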
