<html>
  <head>
    <meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <font face="Helvetica, Arial, sans-serif">A few comments...<br>
      <br>
      1. You are correct that AOL's implementation requires server side
      session state. This could be an issue for some IdP
      implementations. <br>
      <br>
      2. Refreshing tokens via the browser (front-channel) ensures that
      the browser is still present. This is useful for the case where
      the user just closes their browser. Any associated RPs will not be
      able to retrieve an updated access token because there will be no
      browser present via which to do the "refresh".<br>
      <br>
3. Given that AOL wants to support the offline_access concept for
      native OAuth2 authorizations as well as OpenID Connect, I think
      this needs to stay part of the scope. It seems strange that if a
      developer is using OpenID Connect they pass the offline_access
      value in one parameter but then use a different parameter if doing
      OAuth2.<br>
      <br>
4. Proxying via the front-channel is somewhat more complex than a
      simple back channel call between the RP and the central IdP. At
      a minimum, front channel requires a JS library to manage polling of
      the shared "IdP" to maintain fresh tokens, or to refresh a token.
      Most likely, this is a code flow which will force the RP to still
      do a back channel call to actually retrieve the token.<br>
      <br>
      Thanks,<br>
      George<br>
    </font><br>
    On 5/22/12 3:00 PM, Nat Sakimura wrote:
    <blockquote
cite="mid:CABzCy2D_DKSW4TPC9c=xZBxQ_zNFwNQF7iJuhD-V5dP0ZLCfig@mail.gmail.com"
      type="cite">
In the Yahoo! meeting, we had some discussions around offline
      access. The discussion did not finish there, and we did not have
      much time to discuss it at the IIW to reach consensus either.
      <div><br>
      </div>
      <div>From what I see from the notes in the issue tracker (<a
          moz-do-not-send="true"
          href="https://bitbucket.org/openid/connect/issue/539/">https://bitbucket.org/openid/connect/issue/539/</a>
        ), the following is my take: </div>
      <div><br>
      </div>
<div><span class="Apple-style-span">
          <p>So Google's and AOL's approaches do not seem too dissimilar.</p>
          <p>Both require explicit user consent for obtaining the refresh
            token.</p>
          <p>Differences:</p>
          <ol>
            <li>In AOL's case, a refresh token which is bound to the session is
              returned for the 'code' case, while Google does not return it.
              In AOL's case, the client should send the refresh token
              through the back channel to update the access token, while
              in Google's case, a prompt=none front channel call should be
              used to get the refreshed access token.
              <ol>
                <li>The advantage of AOL's approach is that it allows simpler
                  implementation for the proxied clients (e.g., the
                  MapQuest-AOL-Google case).</li>
                <li>Google states that their approach allows a "unified button" for
                  new registration and authentication. (Is this also
                  achievable with AOL's methodology?)</li>
                <li>Perhaps Google's approach allows the server to be stateless
                  while AOL's approach requires it to be stateful?</li>
              </ol>
            </li>
            <li>AOL uses scope to indicate the offline access request, while
              Google uses a new extension parameter called access_type.
              <ol>
                <li>AOL's approach is one less extension variable, while Google's
                  approach is probably cleaner than putting everything
                  in the scope bucket.</li>
              </ol>
            </li>
          </ol>
          <p>I do not think we have consensus on this issue yet. Please
            discuss.</p>
        </span>
        <div><br>
        </div>
        -- <br>
        Nat Sakimura (=nat)
        <div>Chairman, OpenID Foundation<br>
          <a moz-do-not-send="true" href="http://nat.sakimura.org/"
            target="_blank">http://nat.sakimura.org/</a><br>
          @_nat_en</div>
      </div>
    </blockquote>
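<p>The two refresh designs compared in this thread, as an added worked example that is not part of either message and is not the code of AOL, Google or any real IdP: a toy in-memory authorization server (the <code>AuthServer</code> class and the <code>run_scenario</code> driver are constructed here) that can issue a refresh token bound to the IdP's browser session and honour it over the back channel, or issue none for the plain code flow so the RP must re-enter the front channel with <code>prompt=none</code>. It also models the two request shapes, <code>scope=offline_access</code> versus <code>access_type=offline</code>, and shows why the session-bound design needs server-side session state: once the session is gone, only an explicitly consented offline refresh token still works.</p>

```python
import secrets
import time

OFFLINE_SCOPE = "offline_access"   # AOL-style: offline access requested via scope
ACCESS_TOKEN_TTL = 3600            # seconds; constructed value for the example


class AuthorizationError(Exception):
    """Carries an OAuth2/OpenID Connect style error code as its message."""


class AuthServer:
    """In-memory IdP model. bind_refresh_to_session=True selects the design with a
    session-bound refresh token; False selects the prompt=none front-channel design."""

    def __init__(self, bind_refresh_to_session):
        self.bind_refresh_to_session = bind_refresh_to_session
        self.sessions = {}        # session id -> subject (this is the server-side state)
        self.codes = {}           # code -> (session id, subject, offline?)
        self.refresh_tokens = {}  # refresh token -> (session id or None, subject)
        self.access_tokens = {}   # access token -> (subject, expiry time)

    def login(self, subject):
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = subject
        return sid

    def browser_closed(self, sid):
        """The browser session is gone; the IdP can no longer reach the user."""
        self.sessions.pop(sid, None)

    def authorize(self, sid, scope, prompt=None, access_type=None, consent_offline=False):
        """Front-channel /authorize: returns a one-time code for the RP."""
        if sid not in self.sessions:
            raise AuthorizationError("login_required")   # prompt=none fails here too
        offline = OFFLINE_SCOPE in scope.split() or access_type == "offline"
        if offline and not consent_offline:
            raise AuthorizationError("consent_required")  # both designs demand consent
        code = secrets.token_urlsafe(16)
        self.codes[code] = (sid, self.sessions[sid], offline)
        return code

    def _issue_access_token(self, subject):
        token = secrets.token_urlsafe(24)
        self.access_tokens[token] = (subject, time.time() + ACCESS_TOKEN_TTL)
        return token

    def token(self, grant_type, **params):
        """Back-channel /token endpoint for the two grant types used here."""
        if grant_type == "authorization_code":
            entry = self.codes.pop(params.get("code"), None)   # codes are single use
            if entry is None:
                raise AuthorizationError("invalid_grant")
            sid, subject, offline = entry
            resp = {"access_token": self._issue_access_token(subject),
                    "expires_in": ACCESS_TOKEN_TTL}
            if offline or self.bind_refresh_to_session:
                rt = secrets.token_urlsafe(24)
                # A consented offline token outlives the session (sid=None); a
                # session-bound token is only honoured while the session lives.
                self.refresh_tokens[rt] = (None if offline else sid, subject)
                resp["refresh_token"] = rt
            return resp
        if grant_type == "refresh_token":
            rt = params.get("refresh_token")
            entry = self.refresh_tokens.get(rt)
            if entry is None:
                raise AuthorizationError("invalid_grant")
            sid, subject = entry
            if sid is not None and sid not in self.sessions:
                self.refresh_tokens.pop(rt)   # authorising browser is gone: revoke
                raise AuthorizationError("invalid_grant")
            return {"access_token": self._issue_access_token(subject),
                    "expires_in": ACCESS_TOKEN_TTL}
        raise AuthorizationError("unsupported_grant_type")


def run_scenario(bind_refresh_to_session):
    """Drive one RP through login, refresh, browser close and offline access."""
    idp = AuthServer(bind_refresh_to_session)
    sid = idp.login("user-1234")                      # constructed subject
    offline_req = ({"scope": "openid offline_access"} if bind_refresh_to_session
                   else {"scope": "openid", "access_type": "offline"})

    def front_channel_refresh():       # prompt=none round trip, then code exchange
        try:
            code = idp.authorize(sid, scope="openid", prompt="none")
            return "access_token" in idp.token("authorization_code", code=code)
        except AuthorizationError as e:
            return str(e)

    def back_channel_refresh(rt):      # refresh_token grant, no browser involved
        try:
            return "access_token" in idp.token("refresh_token", refresh_token=rt)
        except AuthorizationError as e:
            return str(e)

    out = {}
    tokens = idp.token("authorization_code", code=idp.authorize(sid, "openid profile"))
    out["refresh_token_issued"] = "refresh_token" in tokens
    out["front_channel_while_open"] = front_channel_refresh()
    out["back_channel_while_open"] = back_channel_refresh(tokens.get("refresh_token"))
    try:
        idp.authorize(sid, **offline_req)
    except AuthorizationError as e:
        out["offline_without_consent"] = str(e)
    offline = idp.token("authorization_code",
                        code=idp.authorize(sid, consent_offline=True, **offline_req))
    idp.browser_closed(sid)                            # the user closes the browser
    out["front_channel_after_close"] = front_channel_refresh()
    out["back_channel_after_close"] = back_channel_refresh(tokens.get("refresh_token"))
    out["offline_after_close"] = back_channel_refresh(offline["refresh_token"])
    return out


if __name__ == "__main__":
    for bound in (True, False):
        print("session-bound refresh:" if bound else "prompt=none only:", run_scenario(bound))
```

<p>Running it shows the trade-off from both messages: with a session-bound refresh token the RP refreshes over the back channel while the session lives but gets <code>invalid_grant</code> once the browser is closed, and the IdP must keep the session table to make that decision; without one the RP has to come back through the front channel, where <code>prompt=none</code> returns <code>login_required</code> as soon as no browser session exists. In both designs an offline refresh token is only issued after explicit consent and keeps working after the browser is gone.</p>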
    <br>
  </body>
</html>