Version 5 in progress ...

1 view
Skip to first unread message

Dick Hardt

unread,
Oct 9, 2009, 6:14:58 PM10/9/09
to WRA...@googlegroups.com

Attached is an HTML version of the latest spec now called WRAP. This is still a work in progress.

 

I have renamed the terminology to align with the IETF WG:

 

Consumer => Client

Service Provider => Protected Resource

Token Issuer => Server

 

Per the post of Access Token formats, I have added a format parameter to a number of calls.

 

The Client Key, Client Secret and Callback URL are only used in the Web App Profile. In other words, they are NOT used in the Username and Password Profile which simplifies that Profile. (The Client Secret can’t really be kept secret anyway)

 

I reordered the sections so that knowledge is built up as you read.

 

I have rewritten the abstract an overview again. Hopefully it is easier to grock.

 

The examples at the end have NOT been updated.

 

You can get the Word version from the Files section at:

 

http://groups.google.com/group/WRAP-WG?hl=en

 

WRAP-v5.htm

Allen Tom

unread,
Oct 15, 2009, 4:59:37 PM10/15/09
to WRA...@googlegroups.com
Any thoughts on adding an interface for CAPTCHA to the username/password
profile in Section 5.3?

Brute force password cracking is a huge problem for any interface that
validates username/password, so there needs to be a way for the token
issuer to prevent password cracking, while still allowing access to the
legitmate account holder.

My recommendation is for the token issuer to have the option to return a
"CAPTCHA Required" response, along with an URL to the CAPTCHA. The
client should resubmit the username/password/CAPTCHAURL and CAPTCHA
solution to the token issuer.

Allen

Reply all
Reply to author
Forward
0 new messages