Google has a similar requirement to move these types of devices to OAuth/WRAP and away from our older "ClientLogin" protocol where the user is prompted for their username/password. The proposed profile looks fine, but we are a few weeks from being able to do specific work on it, so we may have more feedback at that time.
If the device can accept some user input, then there are some security advantages to requiring the user to get the code from their computer and then enter it into the device. In particular, it makes it easier to protect against a DoS attack targeted at the service-provider to request a large # of codes. That method also reduces the risk of a phishing/session-fixation type attack. However, we agree that some profile is needed for devices with no user input. We also expect it will be easier to get these device vendors to use a common industry technique, so we are fine with prioritizing our support for this profile. Longer term the community could define a profile where the code is displayed on the computer.

On Thu, Mar 11, 2010 at 3:27 AM, Brent Goldman <[email protected]> wrote:
> Over the past couple days, Luke Shepard, David Recordon, and I have been brainstorming an OAuth profile for standardizing the flow that devices such as game consoles and entertainment centers use to hook up with services such as Netflix and iTunes. The basic flow is that a device can gain authorization by directing the user to visit a URL on their computer and to enter a verification code copied from the device's screen.
>
> A draft spec is attached to this email. Any thoughts or feedback?
>
> Note: this is one of the many profiles going into the OAuth 2.0 draft that David is writing (http://daveman692.livejournal.com/349384.html).
>
> -Brent
>
> _______________________________________________
> OAuth mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/oauth
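The flow Brent describes (the device shows a code, the user enters it at a URL on their computer, the device polls until approval) together with the issuance-rate concern raised in the reply, as an added example that is not part of this thread, the attached draft, or any vendor's implementation: a toy in-memory authorization server in Python. Every concrete value in it is an assumption chosen for illustration, not something the thread states: the user-code alphabet, the 600-second code lifetime, the 5-second minimum polling interval, the per-client cap of three outstanding codes (the DoS mitigation), the verification URI under example.test, and the error strings.

```python
"""Toy device-authorization server modelling the flow discussed in the thread.

Added example; all names, limits and error strings below are assumptions.
"""
import secrets
import time

USER_CODE_ALPHABET = "BCDFGHJKLMNPQRSTVWXZ"  # no vowels or look-alikes (assumption)
CODE_LIFETIME = 600          # seconds a pending code stays valid (assumption)
POLL_INTERVAL = 5            # minimum seconds between device polls (assumption)
MAX_PENDING_PER_CLIENT = 3   # outstanding codes per device client (assumption)


class FakeClock:
    """Deterministic clock so the flow can be exercised offline."""

    def __init__(self, now=0.0):
        self.now = now

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class AuthorizationServer:
    def __init__(self, clock=time.time):
        self.clock = clock
        self.pending = {}       # device_code -> record
        self.by_user_code = {}  # user_code -> device_code

    def _expire(self):
        """Drop codes whose lifetime has elapsed, freeing the client's quota."""
        now = self.clock()
        for dc in [dc for dc, r in self.pending.items() if r["expires_at"] <= now]:
            self.by_user_code.pop(self.pending[dc]["user_code"], None)
            del self.pending[dc]

    def _new_user_code(self):
        raw = "".join(secrets.choice(USER_CODE_ALPHABET) for _ in range(8))
        return raw[:4] + "-" + raw[4:]

    def request_code(self, client_id):
        """Device step: obtain a device_code (secret) and user_code (shown on screen)."""
        self._expire()
        live = sum(1 for r in self.pending.values() if r["client_id"] == client_id)
        if live >= MAX_PENDING_PER_CLIENT:
            return {"error": "rate_limited"}  # cap on mass code requests
        user_code = self._new_user_code()
        while user_code in self.by_user_code:  # avoid handing out a live code twice
            user_code = self._new_user_code()
        device_code = secrets.token_urlsafe(32)
        self.pending[device_code] = {
            "client_id": client_id,
            "user_code": user_code,
            "expires_at": self.clock() + CODE_LIFETIME,
            "last_poll": None,
            "approved_by": None,
        }
        self.by_user_code[user_code] = device_code
        return {
            "device_code": device_code,
            "user_code": user_code,
            "verification_uri": "https://example.test/device",
            "expires_in": CODE_LIFETIME,
            "interval": POLL_INTERVAL,
        }

    def approve(self, user_code, user):
        """User step, performed on the computer after logging in: enter the code."""
        self._expire()
        device_code = self.by_user_code.get(user_code.strip().upper())
        if device_code is None:
            return False
        self.pending[device_code]["approved_by"] = user
        return True

    def poll(self, device_code):
        """Device step: ask whether the user has approved yet."""
        self._expire()
        record = self.pending.get(device_code)
        if record is None:
            return {"error": "expired_token"}
        now = self.clock()
        too_fast = record["last_poll"] is not None and now - record["last_poll"] < POLL_INTERVAL
        record["last_poll"] = now
        if too_fast:
            return {"error": "slow_down"}
        if record["approved_by"] is None:
            return {"error": "authorization_pending"}
        # Single use: the code pair is consumed once a token is issued.
        self.by_user_code.pop(record["user_code"], None)
        del self.pending[device_code]
        return {"access_token": secrets.token_urlsafe(24),
                "token_type": "bearer", "user": record["approved_by"]}


if __name__ == "__main__":
    srv = AuthorizationServer()
    grant = srv.request_code("console-demo")
    print("show on device:", grant["user_code"], "at", grant["verification_uri"])
    srv.approve(grant["user_code"], "alice")
    print(srv.poll(grant["device_code"]))
```

The device only ever holds the long random device_code; the short user_code is what a person can reasonably type, which is why it is short, unambiguous and short-lived. The per-client cap is one simple way to bound the cost of an attacker requesting large numbers of codes, the concern the reply raises about the no-user-input variant.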
