On Sep 26, 2013, at 2:34 PM, Sergey Beryozkin <[email protected]> wrote:
> On 24/09/13 13:08, Antonio Sanso wrote: >> Hi *, >> >> apologis to be back to this argument :). >> >> Let me try to better explain one use case that IMHO would be really good to >> have in the OAuth specification family :) >> >> At the moment the only "OAuth standard" way I know to do OAuth server to >> server is to use [0] namely Resource Owner Password Credentials Grant. >> >> Let me tell I am not a big fun of this particular flow :) (but this is >> another story). >> >> An arguable better way to solve this scenario is to user (and why not to >> standardise :S?) the method used by Google (or a variant of it) see [1]. > > 2-way TLS and Resource Owner Password Credentials should be secure > enough, right ? > secure is secure what I do not like of that flow though is the fact that the resource owner should give the AS username/password to the client regards antonio > Cheers, Sergey >> >> Couple of more things: >> >> - I do not know if Google would be interested to put some effort to >> standardise it (is anybody from Google lurking :) e.g.Tim Bray :D ) >> - I am not too familiar with IETF process. Would the OAuth WG take in >> consideration such proposal draft?? >> >> Thanks and regards >> >> Antonio >> >> [0] http://tools.ietf.org/html/rfc6749#section-4.3 >> [1] https://developers.google.com/accounts/docs/OAuth2ServiceAccount >> _______________________________________________ >> OAuth mailing list >> [email protected] >> https://www.ietf.org/mailman/listinfo/oauth >> > > _______________________________________________ > OAuth mailing list > [email protected] > https://www.ietf.org/mailman/listinfo/oauth _______________________________________________ OAuth mailing list [email protected] https://www.ietf.org/mailman/listinfo/oauth
