Description:
A forum to discuss and develop extensions to the OAuth protocol to be published separately or added to future versions of OAuth.
JSONP clients and sanctioned XSRF
Praveen's Response Data Format extension makes an interesting point
about JSONP type consumers, which is a use case that I personally feel
has not been adequately addressed by OAuth.
Section 4 of the Response Data Format extension says:
"The most common use case is a Javascript based Consumer running in a...
Extension for Custom Response Data Formats
Hi All, I have attached a spec for a new extension for specifying and supporting custom response data formats in OAuth. Please send me any feedback/suggestions/etc. The spec and html are checked into svn too under spec/ext/response_data_format/1.0/drafts/1 if you want to edit/update it. I did not include "error_in_response" parameter in this extension as that...
OAuth, multiple hostname endpoints, and redirects
Photobucket distributes the user's data among many hostnames to
provide multiple levels of flexibility. A given user is bound to a
given subdomain (silo) on account creation - and all of their data is
in that silo. This includes data retrieved by the API.
That subdomain information is not discoverable a priori - it must be...
OAuth+OpenID hybrid protocol proposal
Hi all,
Last week, I gave a presentation in the OAuth Summit on a proposal to
combine an OpenID authentication request with an OAuth access token
request. The main goal of the proposal is to enable service providers
to support good user experience when asking for user approval to both
sign on to another site and to issue that site credentials to access...
OAuth without Consumer Secret (for Javascript clients)
Is there somebody working on a solution to allow Javascript clients to
use OAuth? JS clients cannot use Consumer Secrets because they
would disclose it in the HTML.
Am I wrong? Is there any information about it?
I was thinking of using OAuth just with a Consumer Key and without a
Consumer Secret to provide something similar to the Google AuthSub non-...
Multiple Resource Authorization
Hi all, We've (AOL) been working through the best way to deal with a single service provider that supports multiple resources that require different levels of authorization. In the current user-consent model for the AOL Open Services APIs ([link]) we allow each service provider to determine its own fine grain "rights" or authorization...
OAuth Session Extension Draft 0.1
Hi everyone, thank you very much for your feedback. I've incorporated
John's suggestion to just issue short lived Access Tokens, and to
provide a way for consumers to refresh their access tokens.
Here's the proposal:
Abstract
The OAuth protocol defines a mechanism for consumers to obtain...
Deauthentication
Has anyone felt a need for consumer deauthentication? We've got the Service Provider deauthn taken care of, but there doesn't seem to be a way to force revocation of an AT from the outside. This sort of thing is prone to phishing. Any consumer the user doesn't trust to hold their access tokens might spoof the deauthn, giving the...
Proposed Extension: OAuth Sessions for very large distributed sites
Hi everybody,
Large service providers may have difficulty adopting OAuth in its
current form. In order to simplify integration for developers, we'd like
to conform with the current OAuth specification as much as possible.
We'd like to propose the following OAuth Session extension for SPs who
have web services which run mostly independently from their Auth...