Finally had a chance to review the device flow draft in earnest. Overall it’s 
really great, and we’ve implemented it in a few places (see my recent post on 
one interesting use case). Just a few notes:

- use of “flow” has largely been replaced by “authorization grant” in other 
documents and we should be consistent here
- use of “end-user” has been replaced by “resource owner” in other documents 
and we should be consistent here
- “input constrained” should be “input-constrained” as used in the title, 
abstract, and introduction.
- §1¶3 could be rewritten to a bulleted list of requirements instead for 
readability
- §1¶4 could add something to address recent discussion on the list: “While 
this polling is usually automatic and repeated on a regularly timed basis, the 
client could poll based on user action with the device such as a button press.”
- §1 diagram (D) should state that the user is prompted to enter the user code 
given in (C) and that the user does so — leaving it out is an optimization (see 
below) and the likely exception
- §2 should probably be §1.1, or move the protocol flow to §1.1 and make §2 
into §1.2
- §2 should import all terms used from 6749/6750 explicitly
- §2 should we define “secondary device” once at the top instead of the 
parenthetical definition used throughout?
- §3.1¶1 Wording is awkward with double “by” phrases, suggest: “The client 
initiates the authorization grant request by making an HTTP POST request to the 
device authorization endpoint.”
- §3.2 add xref to JSON (7159), response is a JSON object with the following 
members (not parameters)
- §3.2 is there any requirement for the verification_uri to be over HTTPS? I 
can’t see any discussion of this anywhere and it should probably at least be in 
the security considerations, if not an outright requirement. We say that 
authentication is done in a tls-protected session in §3.3 but we don’t say 
anything about the actual URL or the page in which the user enters the code.
- §3.3¶3 as mentioned above, the polling could be continuous (timer-based) or 
in reaction to a user action at the device. There are no protocol differences 
and the AS shouldn’t do try and inform the user, but we can at least mention 
that in our description of polling.
- §3.3.1 I still think this optimized all-in-one URI should be a separate 
parameter from the AS so as not to conflate it with the “plain” verification 
URI.
- §3.4¶3 instead of “based on the error code in the response” perhaps “until 
the authorization server indicates the device code has expired or was 
cancelled.” — I’m less sure about the wording here but as written it feels 
awkward.
- §3.5 I agree with the point made on the list about the error code, 
“access_denied” would fit this bill but right now it’s only specified on 
authorization endpoint response, so let’s add its use to the token response here
- §3.5¶4 says to return “invalid_grant” if the codes are expired, but in the 
same section it says to use “expired_code”. 
- §3.5¶5 the interval between polls SHOULD be at least the “interval” value. 
Also, it MUST be greater than zero … William … 
- §5.2 “user’s session and device”, use of “device” here is confusing since 
this is the “device” flow. Maybe explicitly call out this as the “secondary 
device” 
- §5.5 extra “or” in list in final sentence


 — Justin
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth

Reply via email to