So there might not be any account specific data, but in the end you have a 
trust relationship in the authentication which has minimal data.  Beyond that 
you're using OAuth for role-based access control, which is fine in my opinion.

On Sunday, February 9, 2014 11:35 PM, Donald Coffin 
<[email protected]> wrote:
 
Bill,
 
Thanks for your response.  
 
Although in theory you are correct, the particular application being 
implemented collects energy usage data from meters on a periodic basis (i.e. 
once every 24 hours).  Therefore, even with an account creation, as suggested, 
there would be a significant delay after the account is created before a client 
would be able to access the resource owner’s data.
 
Best regards,
Don
Donald F. Coffin
Founder/CTO
 
REMI Networks
22751 El Prado Suite 6216
Rancho Santa Margarita, CA  92688-3836
 
Phone:      (949) 636-8571
Email:       [email protected]
 
From: Bill Mills [mailto:[email protected]] 
Sent: Sunday, February 09, 2014 7:30 PM
To: Donald Coffin; [email protected]
Cc: greenbutton-dev
Subject: Re: [OAUTH-WG] Should data exist for an Oauth access token request to be granted?
 
Account creation could result in a token.  Data would be written as a result of 
the transaction.
 
On Sunday, February 9, 2014 6:23 PM, Donald Coffin 
<[email protected]> wrote:
We are having a bit of a philosophical discussion regarding the requirement for 
data to exist as a requirement for an OAuth 2.0 access token to be granted and 
I'd like to get the opinions of the IETF OAuth WG.
 
The two points of view are:
 
- There are no requirements in "The OAuth 2.0 Framework" [RFC6749] 
  specification that requires data to exist prior to an access token being 
  granted and therefore the requirement that data exist should NOT be a 
  consideration for granting or denying an access token request, as long as all 
  of the other requirements for granting of an access token are met.
- There are many potential applications that are a one-shot access 
  request.  These would be confused if they receive an access token allowing them 
  to access information that does NOT exist.
 
A potential solution that might meet both requirements is to add a SCOPE 
parameter the client MAY provide indicating an access token should only be 
issued if data does exist.  The default would be that absent the SCOPE 
parameter the Authorization Server would issue an approved access token 
regardless of the existence or absence of data at the time of the request.
 
I’d like to hear what the WG feels is a best practice solution to resolve our 
existing implementation conflict.
 
Best regards,
Don
Donald F. Coffin
Founder/CTO
 
REMI Networks
22751 El Prado Suite 6216
Rancho Santa Margarita, CA  92688-3836
 
Phone:      (949) 636-8571
Email:       [email protected]
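One way an authorization server's token endpoint could implement the scope proposed above, as an added example that is not part of this thread or of any Green Button implementation; the scope value `data_required`, the `MeterStore` class and the reuse of the RFC 6749 `invalid_scope` error for the refusal are assumptions made for the example:

```python
"""Token-endpoint decision for a hypothetical 'data must exist' scope."""
import secrets

# Hypothetical scope value for the thread's proposal; not defined by RFC 6749.
DATA_REQUIRED_SCOPE = "data_required"


class MeterStore:
    """Constructed stand-in for the usage-data store (readings arrive every 24 h)."""

    def __init__(self, readings):
        # resource owner id -> list of (unix_timestamp, kWh) readings
        self._readings = readings

    def has_data(self, owner_id):
        # Existence check only; the token endpoint never returns the data itself.
        return bool(self._readings.get(owner_id))


def decide_token_request(store, owner_id, requested_scope, authorized_scopes):
    """Return (http_status, response_body) for an access token request.

    Assumes the other RFC 6749 checks (client authentication, grant validity)
    have already passed. Requested scopes must stay within what the resource
    owner authorized; the hypothetical DATA_REQUIRED_SCOPE additionally
    refuses the token while no usage data exists yet for that owner.
    """
    scopes = set(requested_scope.split())
    if not scopes <= authorized_scopes:
        return 400, {"error": "invalid_scope",
                     "error_description": "scope exceeds the authorized grant"}
    if DATA_REQUIRED_SCOPE in scopes and not store.has_data(owner_id):
        # Assumption: invalid_scope is reused for the refusal, with a description.
        return 400, {"error": "invalid_scope",
                     "error_description": "no usage data is available yet"}
    # Default behaviour in the proposal: issue the token regardless of data.
    return 200, {"access_token": secrets.token_urlsafe(32),
                 "token_type": "Bearer", "expires_in": 3600,
                 "scope": " ".join(sorted(scopes))}


# Constructed sample: owner-a has one reading, owner-b was enrolled minutes ago.
STORE = MeterStore({"owner-a": [(1391990400, 12.5)], "owner-b": []})
```

Without the scope the one-shot client in the thread still gets a token for `owner-b` and must handle an empty resource itself; with it, the refusal happens at the token endpoint.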
 

_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth