In the project I am working on we are using discovery based on dynamic
DNS but there probably are better ways. I felt that the discovery was
rather application specific and didn't really fit into the draft but I
am happy to expand if you think that will make things more clear.
Currently our (project-specific) workflow is something like this:
User wants to use (untrusted) public terminal to access a private
resource. Instead of his username he inputs his authentication device
address (i.e. DNS name of his mobile). Either the terminal or the server
(depending on where the protocol is supported) uses the address to run
STTP and then just substitutes the tokens STTP delivers as the user's
credentials.
The difference to a "normal" authentication is that all the "magic" is
happening on the mobile device where the user is comfortable enough to
use his actual credentials. For example, the device can use a
service-specific API (or actually STTP again) to retrieve a one-time
password that can be used (somewhat) safely on the public terminal.
Facebook just started a service to send people OTPs to their mobile
phone via text messages
(http://blog.facebook.com/blog.php?post=436800707130) which could be
easily expanded to a more seamless (and world-wide available)
authentication scenario using STTP (I am not affiliated with Facebook in
any way, it's just an example).
Best regards
Niklas
On 10/19/2010 01:19 AM, Marius Scurtescu wrote:
Trying to imagine a real world use case.
For example, section 2.2, how would the public terminal know that a
user device exists, let alone where?
Thanks,
Marius
On Mon, Oct 18, 2010 at 9:03 AM, Niklas Neumann
<[email protected]> wrote:
Hello everybody,
I am currently working on a project related to authentication and secure
token transfer between multiple devices. As such we are employing a simple
protocol that handles token transfers independent of the actual type of
token. We have adapted the protocol to be used with OAuth tokens and
submitted it as an Internet Draft:
http://tools.ietf.org/html/draft-neumann-oauth-token-transfer
I was wondering if there is interest in employing such a protocol in cases
where the HTTP redirection schemes of OAuth are not available or not working
well (e.g. desktop applications without access to a user agent or
authentication from a different device/application than the one accessing
the consumer).
Compared to other proposals such as
draft-dehora-farrell-oauth-accesstoken-creds the STTP is more heavyweight
but in turn it also has more options. With regards to authentication we
didn't use SASL for complexity reasons in our work initially but I don't see
any reason not to include it if this is deemed more appropriate.
The work that the draft is based on is still ongoing. Please understand the
draft as no more than a discussion proposal on how OAuth could be opened to
non-web-based environments and scenarios that involve multiple devices
without overloading the OAuth specification itself. I am happy to further
improve the draft if you think this might be a viable option.
Best regards
Niklas
--
Niklas Neumann - University of Goettingen, Institute of Computer Science
http://user.informatik.uni-goettingen.de/~nneuman1/
Tel: +49 551 39-172053
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
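The public-terminal workflow described at the top of this thread, modelled as an added Python example (not code from the draft, the project or any poster). It assumes a dictionary lookup in place of dynamic-DNS discovery, an HOTP code (RFC 4226) as the token the device hands back, and a plain dict as the STTP response; the user, device address and shared secret are constructed sample values.

```python
import hmac, hashlib, struct

# Constructed sample data: the user's real secret lives only on the device.
USER = "alice"
DEVICE_SECRET = b"constructed-shared-secret-for-alice"

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: a one-time code from a shared secret and a counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

class AuthDevice:
    """The user's mobile: holds the real credential and mints one-time tokens."""
    def __init__(self, username: str, secret: bytes):
        self.username, self.secret, self.counter = username, secret, 0
    def issue_token(self, service: str) -> dict:
        # Assumed STTP-style response; the terminal only ever sees this token.
        self.counter += 1
        return {"user": self.username, "service": service,
                "otp": hotp(self.secret, self.counter)}

# Stand-in for dynamic-DNS discovery: device address -> reachable device.
DEVICE_DIRECTORY = {"alice-phone.example.net": AuthDevice(USER, DEVICE_SECRET)}

class Service:
    """The private resource: verifies the OTP with a look-ahead window
    and consumes the counter so a captured code cannot be replayed."""
    def __init__(self):
        self.secrets = {USER: DEVICE_SECRET}
        self.last_counter = {USER: 0}
    def login(self, user: str, otp: str, window: int = 5) -> bool:
        secret = self.secrets.get(user)
        if secret is None:
            return False
        start = self.last_counter[user]
        for c in range(start + 1, start + 1 + window):
            if hmac.compare_digest(hotp(secret, c), otp):
                self.last_counter[user] = c   # consumed: no replay
                return True
        return False

def terminal_login(device_address: str, service: Service) -> dict:
    """Public terminal: takes a device address instead of a username,
    fetches a token from the device and substitutes it as the credential."""
    device = DEVICE_DIRECTORY.get(device_address)
    if device is None:
        return {"ok": False, "reason": "device not found"}
    token = device.issue_token("private-resource")
    return {"ok": service.login(token["user"], token["otp"]),
            "user": token["user"], "otp": token["otp"]}
```

The terminal never handles the long-term secret, and the service rejects a second use of the same code, which is the property that makes the token usable on an untrusted keyboard.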