In the Yahoo! meeting, we had some discussions around offline access. The discussion did not finish there, and we did not have much time to discuss it at the IIW to reach a consensus either. <div><br></div><div>From what I see in the notes in the issue tracker (<a href="https://bitbucket.org/openid/connect/issue/539/">https://bitbucket.org/openid/connect/issue/539/</a>), the following is my take: </div>
<div><br></div><div>
<p>So the Google and AOL approaches do not seem too dissimilar.</p>
<p>Both require explicit user consent for obtaining the refresh token.</p>
<p>Differences:</p>
<ol>
<li>In AOL's case, a refresh token, which is bound to the session, is returned in the 'code' case, while Google does not return it. In AOL's case, the client should send the refresh token through the back channel to update the access token, while in Google's case, a prompt=none front-channel call should be used to get the refreshed access token.
<ol>
<li>The advantage of AOL's approach is that it allows a simpler implementation for proxied clients (e.g., the MapQuest-AOL-Google case).</li>
<li>Google states that their approach allows a "unified button" for new registration and authentication. (Is this also achievable with AOL's methodology?)</li>
<li>Perhaps Google's approach allows the server to be stateless, while AOL's approach requires it to be stateful?</li>
</ol>
</li>
<li>AOL uses scope to indicate the offline access request, while Google uses a new extension parameter called access_type.
<ol>
<li>AOL's approach is one less extension variable, while Google's approach is probably cleaner than putting everything in the scope bucket.</li>
</ol>
</li>
</ol>
<p>I do not think we have consensus on this issue yet. Please discuss.</p>
<div><br></div>-- <br>Nat Sakimura (=nat)<div>Chairman, OpenID Foundation<br><a href="http://nat.sakimura.org/" target="_blank">http://nat.sakimura.org/</a><br>
@_nat_en</div><br>
</div>
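<p>The two request shapes and the two refresh paths compared in the message above, as an added example that is not part of the original message and is not code from AOL, Google or the working group. It assumes placeholder endpoints (op.example, rp.example), an assumed scope value <code>offline_access</code> for the scope-based style (the message does not name AOL's actual scope string), and models "bound to the session" as a server-side map from refresh token to login session. <code>access_type=offline</code> and <code>prompt=none</code> are the parameters the message names; <code>invalid_grant</code> and <code>login_required</code> are the standard OAuth 2.0 / OpenID Connect error codes for the two failure cases.</p>

```python
# Added example (not code from AOL, Google, or the OpenID Connect working group):
# a toy model of the two offline-access styles compared in the message above.
# Endpoint URLs, client identifiers and the "offline_access" scope value are
# placeholders assumed for illustration; the message does not name AOL's actual
# scope string.
import secrets
from urllib.parse import urlencode

AUTHZ_ENDPOINT = "https://op.example/authorize"  # placeholder OP endpoint
REDIRECT_URI = "https://rp.example/cb"           # placeholder client redirect


def build_authz_request(style, client_id, state, nonce):
    """Front-channel authorization request for the chosen style.

    "scope":       offline access requested via an extra scope value
                   (assumed name: offline_access).
    "access_type": offline access requested via the access_type=offline
                   extension parameter.
    """
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid",
        "state": state,
        "nonce": nonce,
    }
    if style == "scope":
        params["scope"] += " offline_access"
    elif style == "access_type":
        params["access_type"] = "offline"
    else:
        raise ValueError("unknown style: %r" % style)
    return AUTHZ_ENDPOINT + "?" + urlencode(params)


class ToyOP:
    """Minimal OP keeping only the state each style needs to refresh a token."""

    def __init__(self, style):
        self.style = style
        self.sessions = {}        # browser session cookie -> user (live logins)
        self.refresh_tokens = {}  # refresh token -> session cookie ("scope" style only)
        self.codes = {}           # authorization code -> (session cookie, offline flag)

    def login(self, user):
        cookie = secrets.token_urlsafe(16)
        self.sessions[cookie] = user
        return cookie

    def logout(self, cookie):
        self.sessions.pop(cookie, None)

    def authorize(self, cookie, offline=False, prompt=None):
        """Front channel. A real OP would show a login page when there is no
        session (unless prompt=none forbids interaction); this toy just reports
        the login_required error in both cases."""
        if cookie not in self.sessions:
            return {"error": "login_required"}
        code = secrets.token_urlsafe(16)
        self.codes[code] = (cookie, offline)
        return {"code": code}

    def token(self, code):
        """Back-channel code exchange. Only the "scope" style hands out a
        refresh token, and it is bound to the login session that consented."""
        cookie, offline = self.codes.pop(code)
        resp = {"access_token": secrets.token_urlsafe(16), "token_type": "Bearer"}
        if self.style == "scope" and offline:
            rt = secrets.token_urlsafe(16)
            self.refresh_tokens[rt] = cookie
            resp["refresh_token"] = rt
        return resp

    def refresh(self, refresh_token):
        """Back-channel refresh_token grant ("scope" style). Fails once the
        session the token was bound to is gone: the OP has to remember the
        binding, i.e. it is stateful."""
        cookie = self.refresh_tokens.get(refresh_token)
        if cookie is None or cookie not in self.sessions:
            return {"error": "invalid_grant"}
        return {"access_token": secrets.token_urlsafe(16), "token_type": "Bearer"}


def demo(style):
    """One login / consent / refresh / logout / refresh cycle; returns what happened."""
    op = ToyOP(style)
    cookie = op.login("alice")
    tokens = op.token(op.authorize(cookie, offline=True)["code"])

    def get_fresh_access_token():
        if style == "scope":
            return op.refresh(tokens["refresh_token"])
        # "access_type" style: silent front-channel re-authorization via the
        # user agent's OP session, then exchange the new code.
        reply = op.authorize(cookie, prompt="none")
        return op.token(reply["code"]) if "code" in reply else reply

    before = get_fresh_access_token()
    op.logout(cookie)
    after = get_fresh_access_token()
    return {
        "refresh_token_issued": "refresh_token" in tokens,
        "refresh_while_logged_in": "access_token" in before,
        "refresh_after_logout": after.get("error"),
    }
```

<p>Running <code>demo("scope")</code> and <code>demo("access_type")</code> shows the contrast the third sub-point raises: in the toy, the scope style needs the OP to keep a refresh-token-to-session binding and answers <code>invalid_grant</code> once that session is gone, whereas the access_type style stores nothing beyond the browser session and answers <code>login_required</code> to the prompt=none round trip instead.</p>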