<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<p>Hi Petteri,</p>
<p><br>
</p>
<p>as promised during the last WG call, please find below my
detailed feedback on your proposal:</p>
<p><br>
</p>
<p>Your proposal consists of two distinct contributions: <br>
</p>
<p>(1) a generic http level mechanism to control client/server
interaction using standard HTTP status codes</p>
<p>(2) a pattern to turn push-style into pull-style data retrieval</p>
<p><br>
</p>
<p>I think the WG needs more concrete examples to understand the
nature and benefits of those contributions. I suggest treating
them separately since they can be discussed and potentially
adopted independently.</p>
<p><br>
</p>
<p>Regarding (1) I would suggest you provide an example of how UQ
or CIBA could be represented.</p>
<p><br>
</p>
<p>Regarding (2) I suggest you provide the WG with a concrete
example for CIBA (since this was the subject of the discussion
where you made this proposal for the first time). In order to
facilitate comparability, I would propose you do so based on
the application level control mechanism as defined in the CIBA
spec (incl. fetching the tokens from the token endpoint).
Moreover, there is the need for a threat analysis of this flow.
You state your proposal will remove the need to authenticate the
caller (OP/AS). I'm not convinced since any attacker could
obviously call (flood) the client's notification endpoint and cause
the client to send any opaque value to the OP/AS. Don't you think
this must be prevented? <br>
</p>
<p><br>
</p>
<p>And indeed, such an analysis must be conducted for the proposal
defined in the CIBA spec as well!</p>
<p><br>
</p>
<p>best regards,</p>
<p>Torsten.<br>
</p>
<br>
<div class="moz-cite-prefix">On 07.12.2016 at 10:15, Petteri
Stenius wrote:<br>
</div>
<blockquote
cite="mid:DB6PR0501MB2440A865DD882F22F7F04C4BFA850@DB6PR0501MB2440.eurprd05.prod.outlook.com"
type="cite">
<div class="WordSection1">
<p class="MsoNormal"><span style="color:#1F497D">Hi Torsten.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D" lang="EN-US">You
are right, it is better not to mix the modes of the
endpoints.
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D" lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D" lang="EN-US">Petteri<o:p></o:p></span></p>
<p class="MsoNormal"><a moz-do-not-send="true"
name="_MailEndCompose"><span style="color:#1F497D"
lang="EN-US"><o:p> </o:p></span></a></p>
<span style="mso-bookmark:_MailEndCompose"></span>
<div>
<div style="border:none;border-top:solid #E1E1E1
1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span
style="color:windowtext;mso-fareast-language:FI"
lang="EN-US">From:</span></b><span
style="color:windowtext;mso-fareast-language:FI"
lang="EN-US"> Torsten Lodderstedt
[<a class="moz-txt-link-freetext" href="mailto:torsten@lodderstedt.net">mailto:torsten@lodderstedt.net</a>]
<br>
<b>Sent:</b> Monday, 5 December 2016 22:33<br>
<b>To:</b> Petteri Stenius
<a class="moz-txt-link-rfc2396E" href="mailto:Petteri.Stenius@ubisecure.com">&lt;Petteri.Stenius@ubisecure.com&gt;</a><br>
<b>Cc:</b> <a class="moz-txt-link-abbreviated" href="mailto:openid-specs-mobile-profile@lists.openid.net">openid-specs-mobile-profile@lists.openid.net</a><br>
<b>Subject:</b> Re: [Openid-specs-mobile-profile] Async
authentication with polling and callback<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p>Hi,<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal">On 05.12.2016 at 13:18, Petteri
Stenius wrote:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p><span style="font-family:"Calibri",sans-serif"
lang="EN-US">Hi,</span><o:p></o:p></p>
<p><span style="font-family:"Calibri",sans-serif"
lang="EN-US"> </span><o:p></o:p></p>
<p><span style="font-family:"Calibri",sans-serif"
lang="EN-US">Registration of endpoints is an application
level issue, not part of the generalized http level
mechanism.</span><o:p></o:p></p>
</blockquote>
<p class="MsoNormal"><span
style="font-size:12.0pt;font-family:"Times New
Roman",serif;mso-fareast-language:FI"><br>
but it somehow intervenes with the generic http level
mechanism, so the generic http part is not self-explanatory.<br>
<br>
<br>
<o:p></o:p></span></p>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p><span style="font-family:"Calibri",sans-serif"
lang="EN-US"> </span><o:p></o:p></p>
<p><span style="font-family:"Calibri",sans-serif"
lang="EN-US">With OAuth/OIDC we should follow the
convention of registering endpoints with client
registration and provider metadata.</span><o:p></o:p></p>
<p><span style="font-family:"Calibri",sans-serif"
lang="EN-US"> </span><o:p></o:p></p>
<p><span style="font-family:"Calibri",sans-serif"
lang="EN-US">The UQ draft defines a new client
registration value “client_notification_endpoint” for the
callback, but would it not be possible to use
“redirect_uris” for this purpose?</span><o:p></o:p></p>
</blockquote>
<p class="MsoNormal"><span
style="font-size:12.0pt;font-family:"Times New
Roman",serif;mso-fareast-language:FI"><br>
Do you think it is a good idea to mix the two different
modes? The rules for processing a conventional redirect
(XSRF, referrer header, session state/cookies) are different
from receiving a server2server callback (e.g. IP address
black/whitelisting). I would prefer to keep them separate.<br>
<br>
<br>
<o:p></o:p></span></p>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p><span style="font-family:"Calibri",sans-serif"
lang="EN-US"> </span><o:p></o:p></p>
<p><span style="font-family:"Calibri",sans-serif"
lang="EN-US">The client callback endpoint is an entry in
the redirect_uris array of client registration metadata.
With a parameter of the request that starts async
authentication client indicates at which of the registered
endpoints it wishes to receive the async callback. This is
comparable to authorization code request.</span><o:p></o:p></p>
<p><span style="font-family:"Calibri",sans-serif"
lang="EN-US"> </span><o:p></o:p></p>
<p><span style="font-family:"Calibri",sans-serif"
lang="EN-US"> </span><o:p></o:p></p>
<p><span style="font-family:"Calibri",sans-serif">Petteri</span><o:p></o:p></p>
<p><span style="font-family:"Calibri",sans-serif"> </span><o:p></o:p></p>
</blockquote>
<p class="MsoNormal"><span
style="font-size:12.0pt;font-family:"Times New
Roman",serif;mso-fareast-language:FI"><br>
best regards,<br>
Torsten.<br>
<br>
<o:p></o:p></span></p>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p><span style="font-family:"Calibri",sans-serif"> </span><o:p></o:p></p>
<div class="MsoNormal" style="text-align:center"
align="center">
<hr align="center" size="2" width="98%">
</div>
<div id="divRplyFwdMsg">
<p class="MsoNormal"><b><span lang="EN-US">From:</span></b><span
lang="EN-US"> Torsten Lodderstedt
<a moz-do-not-send="true"
href="mailto:torsten@lodderstedt.net">&lt;torsten@lodderstedt.net&gt;</a><br>
<b>Sent:</b> Saturday, December 3, 2016 10:50:10 AM<br>
<b>To:</b> Petteri Stenius<br>
<b>Cc:</b> <a moz-do-not-send="true"
href="mailto:openid-specs-mobile-profile@lists.openid.net">openid-specs-mobile-profile@lists.openid.net</a><br>
<b>Subject:</b> Re: [Openid-specs-mobile-profile] Async
authentication with polling and callback
</span><o:p></o:p></p>
<div>
<p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"><span lang="EN-US">Hi Petteri,</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span lang="EN-US">thanks for your
proposal.</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span lang="EN-US">One question
popped up when I read the sequence for the callback
case: how does the server know where to send the
callback in step 3?</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span lang="EN-US">best regards,</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span lang="EN-US">Torsten.</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span
lang="EN-US"><br>
On 01.12.2016 at 16:58, Petteri Stenius &lt;</span><a
moz-do-not-send="true"
href="mailto:Petteri.Stenius@ubisecure.com"><span
lang="EN-US">Petteri.Stenius@ubisecure.com</span></a><span
lang="EN-US">&gt; wrote:</span><o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<p class="MsoNormal"><span lang="EN-US">Hello everybody</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US">At the Paris
meeting in September there was some discussion about
polling and callback mechanisms related to
asynchronous functions.
</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US">These mechanisms
exist in both UQ and SIBA draft specifications.
Polling is also defined in OAuth Device Flow draft.</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US">This proposal is
an attempt to generalize async polling and callback
mechanisms:</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
<p class="MsoListParagraph"
style="text-indent:-18.0pt;mso-list:l2 level1 lfo2"><!--[if !supportLists]--><span
style="font-family:Symbol"><span
style="mso-list:Ignore">·<span style="font:7.0pt
"Times New Roman"">
</span></span></span><!--[endif]--><span
lang="EN-US">Define polling on the http level, not
an application level function</span><o:p></o:p></p>
<p class="MsoListParagraph"
style="text-indent:-18.0pt;mso-list:l2 level1 lfo2"><!--[if !supportLists]--><span
style="font-family:Symbol"><span
style="mso-list:Ignore">·<span style="font:7.0pt
"Times New Roman"">
</span></span></span><!--[endif]--><span
lang="EN-US">Callback is only a simple notification
request, a client initiated request is required to
fetch the actual content</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US">The two
proposals work together, and make for example
switching between polling and callback mechanisms
very easy.</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US">Thanks,</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US">Petteri</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal"><b><span lang="EN-US">Polling
defined on the http level</span></b><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US">Define mechanism
with HTTP 303 redirect and Retry-After response
header.</span><span style="font-size:10.0pt"
lang="EN-US">
</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US">303 redirect is
used to define polling as sequence of http redirects
the client follows until async operation completes
and response appears.
</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US">The client MUST
wait time indicated by Retry-After header before
following a redirect. Failing to do so would result
in 503 Service Unavailable error (with Retry-After
header).</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US">The semantics are
comparable to "Wait a moment, the response will soon
appear at this location"</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US">The server is
allowed to implement "long polling" by holding a
response up to 30 seconds (see
<a moz-do-not-send="true"
href="https://tools.ietf.org/html/rfc6202#section-5.5">https://tools.ietf.org/html/rfc6202#section-5.5</a>)</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US">Example of
polling sequence:</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
<p class="MsoListParagraph"
style="margin-left:18.0pt;text-indent:-18.0pt;mso-list:l1
level1 lfo4">
<!--[if !supportLists]--><span style="mso-list:Ignore">1.<span
style="font:7.0pt "Times New Roman"">
</span></span><!--[endif]--><span lang="EN-US">Client
begins async operation</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US">POST
/begin-async-operation HTTP/1.1</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
<p class="MsoListParagraph"
style="margin-left:18.0pt;text-indent:-18.0pt;mso-list:l1
level1 lfo4">
<!--[if !supportLists]--><span style="mso-list:Ignore">2.<span
style="font:7.0pt "Times New Roman"">
</span></span><!--[endif]--><span lang="EN-US">Server
response with 303 status indicates client must begin
polling for response. Server encodes state into
querystring of redirect uri</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US">HTTP/1.1 303 See
Other</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US">Location:
/async-response?opaque-server-state-1</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US">Retry-After: 10</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
<p class="MsoListParagraph"
style="margin-left:18.0pt;text-indent:-18.0pt;mso-list:l1
level1 lfo4">
<!--[if !supportLists]--><span style="mso-list:Ignore">3.<span
style="font:7.0pt "Times New Roman"">
</span></span><!--[endif]--><span lang="EN-US">Client
waits at least 10 seconds before following the
redirect</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US">GET
/async-response?opaque-server-state-1 HTTP/1.1</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
<p class="MsoListParagraph"
style="margin-left:18.0pt;text-indent:-18.0pt;mso-list:l1
level1 lfo4">
<!--[if !supportLists]--><span style="mso-list:Ignore">4.<span
style="font:7.0pt "Times New Roman"">
</span></span><!--[endif]--><span lang="EN-US">Server
response with new uri where querystring has changed</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US">HTTP/1.1 303 See
Other</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US">Location:
/async-response?opaque-server-state-2</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US">Retry-After: 10</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
<p class="MsoListParagraph"
style="margin-left:18.0pt;text-indent:-18.0pt;mso-list:l1
level1 lfo4">
<!--[if !supportLists]--><span style="mso-list:Ignore">5.<span
style="font:7.0pt "Times New Roman"">
</span></span><!--[endif]--><span lang="EN-US">Client
again waits before following the redirect</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US">GET
/async-response?opaque-server-state-2 HTTP/1.1</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
<p class="MsoListParagraph"
style="margin-left:18.0pt;text-indent:-18.0pt;mso-list:l1
level1 lfo4">
<!--[if !supportLists]--><span style="mso-list:Ignore">6.<span
style="font:7.0pt "Times New Roman"">
</span></span><!--[endif]--><span lang="EN-US">Server
response with content when async operation has
completed</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US">HTTP/1.1 200 OK</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US">"completed"</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal"><b><span lang="EN-US">Callback is a
simple notification request</span></b><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US">My proposal for
callback mechanism is a simple notification request.
</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US">Server encodes
any state it needs into querystring of the
notification request.
</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US">For the client
the querystring is opaque and the client must pass it
as-is when fetching the actual content from the
server.</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US">Using a simple
notification request removes the requirement for
client to authenticate the callback request from
server.</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US">Example of
callback sequence:</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
<p class="MsoListParagraph"
style="margin-left:18.0pt;text-indent:-18.0pt;mso-list:l0
level1 lfo6">
<!--[if !supportLists]--><span style="mso-list:Ignore">1.<span
style="font:7.0pt "Times New Roman"">
</span></span><!--[endif]--><span lang="EN-US">Client
begins async operation</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US">POST
/begin-async-operation HTTP/1.1</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
<p class="MsoListParagraph"
style="margin-left:18.0pt;text-indent:-18.0pt;mso-list:l0
level1 lfo6">
<!--[if !supportLists]--><span style="mso-list:Ignore">2.<span
style="font:7.0pt "Times New Roman"">
</span></span><!--[endif]--><span lang="EN-US">Server
response with 202 status indicates client needs to
wait for callback</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US">HTTP/1.1 202
Accepted</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
<p class="MsoListParagraph"
style="margin-left:18.0pt;text-indent:-18.0pt;mso-list:l0
level1 lfo6">
<!--[if !supportLists]--><span style="mso-list:Ignore">3.<span
style="font:7.0pt "Times New Roman"">
</span></span><!--[endif]--><span lang="EN-US">When
async operation completes server sends a
notification request to client. Server encodes state
into querystring of notification uri</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US">GET
/callback?opaque-server-state-3 HTTP/1.1</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
<p class="MsoListParagraph"
style="margin-left:18.0pt;text-indent:-18.0pt;mso-list:l0
level1 lfo6">
<!--[if !supportLists]--><span style="mso-list:Ignore">4.<span
style="font:7.0pt "Times New Roman"">
</span></span><!--[endif]--><span lang="EN-US">Client
response is not processed by server</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US">HTTP/1.1 204 No
Content</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
<p class="MsoListParagraph"
style="margin-left:18.0pt;text-indent:-18.0pt;mso-list:l0
level1 lfo6">
<!--[if !supportLists]--><span style="mso-list:Ignore">5.<span
style="font:7.0pt "Times New Roman"">
</span></span><!--[endif]--><span lang="EN-US">Client
creates request uri and fetches content from server</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US">GET
/async-response?opaque-server-state-3 HTTP/1.1</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
<p class="MsoListParagraph"
style="margin-left:18.0pt;text-indent:-18.0pt;mso-list:l0
level1 lfo6">
<!--[if !supportLists]--><span style="mso-list:Ignore">6.<span
style="font:7.0pt "Times New Roman"">
</span></span><!--[endif]--><span lang="EN-US">Server
response with content</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US">HTTP/1.1 200 OK</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal">"completed"<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal"><b>Related discussion</b><o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US">[Openid-specs-mobile-profile]
Async authentication</span><o:p></o:p></p>
<p class="MsoNormal"><a moz-do-not-send="true"
href="http://lists.openid.net/pipermail/openid-specs-mobile-profile/Week-of-Mon-20161010/000615.html"><span
lang="EN-US">http://lists.openid.net/pipermail/openid-specs-mobile-profile/Week-of-Mon-20161010/000615.html</span></a><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US">[OAUTH-WG]
polling in the device flow</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US"><a
moz-do-not-send="true"
href="https://www.ietf.org/mail-archive/web/oauth/current/msg02939.html">https://www.ietf.org/mail-archive/web/oauth/current/msg02939.html</a></span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US">[OAUTH-WG]
Device Flow: Alternative to Polling</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:10.0pt"
lang="EN-US"><a moz-do-not-send="true"
href="https://www.ietf.org/mail-archive/web/oauth/current/msg16723.html">https://www.ietf.org/mail-archive/web/oauth/current/msg16723.html</a></span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal"><b><span lang="EN-US">References</span></b><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US">OAuth 2.0 Device
Flow</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US"><a
moz-do-not-send="true"
href="https://tools.ietf.org/html/draft-ietf-oauth-device-flow-03">https://tools.ietf.org/html/draft-ietf-oauth-device-flow-03</a></span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US">HTTP/1.1
Semantics and Content</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US"><a
moz-do-not-send="true"
href="https://tools.ietf.org/html/rfc7231">https://tools.ietf.org/html/rfc7231</a></span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US">Retry-After</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:10.0pt"
lang="EN-US"><a moz-do-not-send="true"
href="https://tools.ietf.org/html/rfc7231#section-7.1.3">https://tools.ietf.org/html/rfc7231#section-7.1.3</a>
</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US">Best Practices
for the Use of Long Polling</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US"><a
moz-do-not-send="true"
href="https://tools.ietf.org/html/rfc6202">https://tools.ietf.org/html/rfc6202</a></span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
</div>
</blockquote>
</div>
</blockquote>
<p class="MsoNormal"><span
style="font-size:12.0pt;font-family:"Times New
Roman",serif;mso-fareast-language:FI"><o:p> </o:p></span></p>
</div>
</blockquote>
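<p>Petteri's two sequences above (303 + Retry-After polling, with 503 when the client polls too early; 202 followed by an opaque GET notification and the client's own fetch), modelled end to end as an added example that is not part of this thread or of the UQ/CIBA drafts. Assumptions not in the proposal: the opaque state is an HMAC-signed payload, time is a fake integer clock, and the client counts fetches the server rejected. It also illustrates the point in Torsten's feedback: a forged notification still makes the client issue a fetch to the OP/AS, which the server can reject cheaply but the client cannot recognise beforehand.</p>

```python
import base64
import hashlib
import hmac
import json
from dataclasses import dataclass, field

DEMO_KEY = b"demo-key-not-a-real-secret"   # constructed; a real server uses a random key

@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""

class Server:
    """OP/AS side of the proposal: opaque state in the query string, 303 +
    Retry-After for polling, 202 + GET notification for callback."""

    def __init__(self, key=DEMO_KEY, retry_after=10, completes_after=25):
        self.key, self.retry_after, self.completes_after = key, retry_after, completes_after
        self.started, self.completed = {}, set()   # op id -> start time; finished ops

    # Assumed encoding (not in the proposal): signing the opaque value lets the
    # server reject forged query strings cheaply; the client never parses it.
    def _encode(self, op_id, not_before):
        payload = base64.urlsafe_b64encode(
            json.dumps({"op": op_id, "nbf": not_before}).encode()).decode().rstrip("=")
        return payload + "." + hmac.new(self.key, payload.encode(), hashlib.sha256).hexdigest()

    def _decode(self, state):
        payload, _, mac = state.partition(".")
        expected = hmac.new(self.key, payload.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(mac.encode(), expected.encode()):
            return None
        return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

    def _redirect(self, op_id, now):
        state = self._encode(op_id, now + self.retry_after)
        return Response(303, {"Location": "/async-response?" + state,
                              "Retry-After": str(self.retry_after)})

    def begin_async_operation(self, op_id, now, mode):
        """Steps 1-2: 303 tells the client to poll, 202 tells it to wait for a callback."""
        self.started[op_id] = now
        return Response(202) if mode == "callback" else self._redirect(op_id, now)

    def complete(self, op_id):
        """Operation finished out of band; returns the opaque query string for step 3."""
        self.completed.add(op_id)
        return self._encode(op_id, 0)

    def _done(self, op_id, now):
        return op_id in self.completed or now - self.started[op_id] >= self.completes_after

    def async_response(self, state, now):
        st = self._decode(state)
        if st is None or st["op"] not in self.started:
            return Response(404)                               # forged or unknown state
        if now < st["nbf"]:                                    # polled too early
            return Response(503, {"Retry-After": str(st["nbf"] - now)})
        if self._done(st["op"], now):
            return Response(200, body="completed")
        return self._redirect(st["op"], now)                   # still running

class Client:
    def __init__(self, server, max_hops=20):
        self.server, self.max_hops, self.t = server, max_hops, 0   # t: fake clock
        self.results, self.rejected = [], 0

    def poll(self, first):
        """Follow 303s, waiting Retry-After before each hop; retry the same URL on 503."""
        resp, state = first, None
        for _ in range(self.max_hops):
            if resp.status == 303:
                state = resp.headers["Location"].partition("?")[2]
            elif resp.status != 503:
                return resp                     # 200 with content, or a final error
            self.t += int(resp.headers.get("Retry-After", "1"))
            resp = self.server.async_response(state, self.t)
        raise RuntimeError("gave up polling")

    def on_notification(self, query):
        """Steps 3-5: the query string is opaque and is only ever passed back to the
        pre-configured server; a forged one still costs one fetch, which the server
        rejects."""
        fetched = self.server.async_response(query, self.t)
        if fetched.status == 200:
            self.results.append(fetched.body)
        else:
            self.rejected += 1
        return Response(204)                    # step 4: nothing else is processed
```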
<br>
</body>
</html>