<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<meta name="Generator" content="Microsoft Word 14 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
{font-family:"Segoe UI";
panose-1:2 11 5 2 4 2 4 2 2 3;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
p.MsoPlainText, li.MsoPlainText, div.MsoPlainText
{mso-style-priority:99;
mso-style-link:"Plain Text Char";
margin:0cm;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
{mso-style-priority:34;
margin-top:0cm;
margin-right:0cm;
margin-bottom:0cm;
margin-left:36.0pt;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
span.EmailStyle18
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:windowtext;}
span.EmailStyle19
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.PlainTextChar
{mso-style-name:"Plain Text Char";
mso-style-priority:99;
mso-style-link:"Plain Text";
font-family:"Calibri","sans-serif";}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:70.85pt 2.0cm 70.85pt 2.0cm;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:970139083;
mso-list-type:hybrid;
mso-list-template-ids:2005795762 -1596533894 67698691 67698693 67698689 67698691 67698693 67698689 67698691 67698693;}
@list l0:level1
{mso-level-start-at:0;
mso-level-number-format:bullet;
mso-level-text:-;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:54.0pt;
text-indent:-18.0pt;
font-family:"Calibri","sans-serif";
mso-fareast-font-family:Calibri;
mso-bidi-font-family:"Times New Roman";}
@list l0:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:90.0pt;
text-indent:-18.0pt;
font-family:"Courier New";}
@list l0:level3
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:126.0pt;
text-indent:-18.0pt;
font-family:Wingdings;}
@list l0:level4
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:162.0pt;
text-indent:-18.0pt;
font-family:Symbol;}
@list l0:level5
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:198.0pt;
text-indent:-18.0pt;
font-family:"Courier New";}
@list l0:level6
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:234.0pt;
text-indent:-18.0pt;
font-family:Wingdings;}
@list l0:level7
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:270.0pt;
text-indent:-18.0pt;
font-family:Symbol;}
@list l0:level8
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:306.0pt;
text-indent:-18.0pt;
font-family:"Courier New";}
@list l0:level9
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:342.0pt;
text-indent:-18.0pt;
font-family:Wingdings;}
ol
{margin-bottom:0cm;}
ul
{margin-bottom:0cm;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="#0563C1" vlink="#954F72">
<div class="WordSection1">
<p class="MsoNormal"><span style="color:#1F497D">Hi all,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoPlainText">My thoughts on context and binding_message:<o:p></o:p></p>
<p class="MsoPlainText" style="margin-left:54.0pt;text-indent:-18.0pt;mso-list:l0 level1 lfo1">
<![if !supportLists]><span style="mso-list:Ignore">-<span style="font:7.0pt "Times New Roman"">
</span></span><![endif]>CIBA should stay away from user questioning (UQ) territory<br>
CIBA and UQ have different purposes and those should not be mixed by e.g. abusing context for user questions.
<br>
So when UQ’s user_statement and id_token convey more or less the same semantic then we should only have one protocol but this is not the case:<br>
CIBA is about RP initiated getting of user authentication and tokens<br>
UQ is about asking questions and getting answers from users<o:p></o:p></p>
<p class="MsoPlainText" style="margin-left:54.0pt;text-indent:-18.0pt;mso-list:l0 level1 lfo1">
<![if !supportLists]><span style="mso-list:Ignore">-<span style="font:7.0pt "Times New Roman"">
</span></span><![endif]>Binding_message is a good security practice and SPs should use it even if the “consumption_device” is e.g. a bank clerk.
<o:p></o:p></p>
<p class="MsoPlainText" style="margin-left:54.0pt;text-indent:-18.0pt;mso-list:l0 level1 lfo1">
<![if !supportLists]><span style="mso-list:Ignore">-<span style="font:7.0pt "Times New Roman"">
</span></span><![endif]>I think that binding_message should be generated by the OP because the OP knows best what channel should be used to contact the authentication device and its UI capabilities.<o:p></o:p></p>
<p class="MsoPlainText" style="margin-left:54.0pt;text-indent:-18.0pt;mso-list:l0 level1 lfo1">
<![if !supportLists]><span style="mso-list:Ignore">-<span style="font:7.0pt "Times New Roman"">
</span></span><![endif]>Messages provided by the RP to the user bear risk to be misleading or a plain phishing attack…<o:p></o:p></p>
<p class="MsoPlainText" style="margin-left:54.0pt;text-indent:-18.0pt;mso-list:l0 level1 lfo1">
<![if !supportLists]><span style="mso-list:Ignore">-<span style="font:7.0pt "Times New Roman"">
</span></span><![endif]>In the current redirect OpenID Connect dance the OP is presenting the consent screen to the user to ask which attributes/claims are part of the id_token and who the RP is and what the access token can be used for.<br>
I think that we should not change the role of the OP in CIBA.<br>
The OP knows best what channel and UI capabilities are available.<br>
If the RP needs arbitrary text conveyed to the AD then the RP should use UQ<o:p></o:p></p>
<p class="MsoPlainText" style="margin-left:54.0pt;text-indent:-18.0pt;mso-list:l0 level1 lfo1">
<![if !supportLists]><span style="mso-list:Ignore">-<span style="font:7.0pt "Times New Roman"">
</span></span><![endif]>If we allow binding_message and context to be specified by the RP then we have to deal with the error cases e.g.:<o:p></o:p></p>
<p class="MsoPlainText" style="margin-left:90.0pt;text-indent:-18.0pt;mso-list:l0 level2 lfo1">
<![if !supportLists]><span style="font-family:"Courier New""><span style="mso-list:Ignore">o<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]>Binding_message too long<o:p></o:p></p>
<p class="MsoPlainText" style="margin-left:90.0pt;text-indent:-18.0pt;mso-list:l0 level2 lfo1">
<![if !supportLists]><span style="font-family:"Courier New""><span style="mso-list:Ignore">o<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]>Binding_message contains characters that are not displayable on the AD<o:p></o:p></p>
<p class="MsoPlainText" style="margin-left:90.0pt;text-indent:-18.0pt;mso-list:l0 level2 lfo1">
<![if !supportLists]><span style="font-family:"Courier New""><span style="mso-list:Ignore">o<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]>Context to long<o:p></o:p></p>
<p class="MsoPlainText" style="margin-left:90.0pt;text-indent:-18.0pt;mso-list:l0 level2 lfo1">
<![if !supportLists]><span style="font-family:"Courier New""><span style="mso-list:Ignore">o<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]>Context contains characters that are not displayable on the AD<o:p></o:p></p>
<p class="MsoPlainText" style="margin-left:90.0pt;text-indent:-18.0pt;mso-list:l0 level2 lfo1">
<![if !supportLists]><span style="font-family:"Courier New""><span style="mso-list:Ignore">o<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]>Binding_message + Context + Consent-text (e.g. RP wants to edit your timeline) are too long to be displayed<o:p></o:p></p>
<p class="MsoPlainText" style="margin-left:54.0pt">This complexity can be avoided when the OP generates the messages.<o:p></o:p></p>
<p class="MsoPlainText" style="margin-left:54.0pt;text-indent:-18.0pt;mso-list:l0 level1 lfo1">
<![if !supportLists]><span style="mso-list:Ignore">-<span style="font:7.0pt "Times New Roman"">
</span></span><![endif]>In OpenID Connect the OP shows the consent pages – why should we change that in CIBA? There is no new liability for the OP.<o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">Kind regards<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">Axel<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">The above is more or less the same as what I wrote in a GSMA context email - There liability was raised.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> Openid-specs-mobile-profile [mailto:openid-specs-mobile-profile-bounces@lists.openid.net]
<b>On Behalf Of </b>Petteri Stenius<br>
<b>Sent:</b> Thursday, December 01, 2016 4:59 PM<br>
<b>To:</b> openid-specs-mobile-profile@lists.openid.net<br>
<b>Subject:</b> [Openid-specs-mobile-profile] Async authentication with polling and callback<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Hello everybody<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">At the Paris meeting in September there was some discussion about polling and callback mechanisms related to asynchronous functions.
<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">These mechanisms exist in both UQ and SIBA draft specifications. Polling is also defined in OAuth Device Flow draft.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">This proposal is an attempt to generalize async polling and callback mechanisms:<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoListParagraph" style="text-indent:-18.0pt"><span style="font-family:Symbol">·</span><span style="font-size:7.0pt;font-family:"Times New Roman","serif"">
</span>Define polling on the http level, not an application level function<o:p></o:p></p>
<p class="MsoListParagraph" style="text-indent:-18.0pt"><span style="font-family:Symbol">·</span><span style="font-size:7.0pt;font-family:"Times New Roman","serif"">
</span>Callback is only a simple notification request, a client initiated request is required to fetch the actual content<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">The two proposals work together, and make for example switching between polling and callback mechanisms very easy.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Thanks,<o:p></o:p></p>
<p class="MsoNormal">Petteri<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><b>Polling defined on the http level<o:p></o:p></b></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Define mechanism with HTTP 303 redirect and Retry-After response header.<span style="font-size:10.0pt;font-family:"Segoe UI","sans-serif";color:black">
</span><o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">303 redirect is used to define polling as sequence of http redirects the client follows until async operation completes and response appears.
<o:p></o:p></p>
<p class="MsoNormal">The client MUST wait time indicated by Retry-After header before following a redirect. Failing to do so would result in 503 Service Unavailable error (with Retry-After header).<o:p></o:p></p>
<p class="MsoNormal">Semantics is comparable to "Wait a moment, the response will soon appear at this location"<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">The server is allowed to implement "long polling" by holding a response up to 30 seconds (see
<a href="https://tools.ietf.org/html/rfc6202#section-5.5">https://tools.ietf.org/html/rfc6202#section-5.5</a>)<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Example of polling sequence:<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoListParagraph" style="margin-left:18.0pt;text-indent:-18.0pt">1.<span style="font-size:7.0pt;font-family:"Times New Roman","serif"">
</span>Client begins async operation<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">POST /begin-async-operation HTTP/1.1<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoListParagraph" style="margin-left:18.0pt;text-indent:-18.0pt">2.<span style="font-size:7.0pt;font-family:"Times New Roman","serif"">
</span>Server response with 303 status indicates client must begin polling for response. Server encodes state into querystring of redirect uri<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">HTTP/1.1 303 See Other<o:p></o:p></p>
<p class="MsoNormal">Location: /async-response?opaque-server-state-1<o:p></o:p></p>
<p class="MsoNormal">Retry-After: 10<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoListParagraph" style="margin-left:18.0pt;text-indent:-18.0pt">3.<span style="font-size:7.0pt;font-family:"Times New Roman","serif"">
</span>Client waits at least 10 seconds before following the redirect<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">GET /async-response?opaque-server-state-1 HTTP/1.1<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoListParagraph" style="margin-left:18.0pt;text-indent:-18.0pt">4.<span style="font-size:7.0pt;font-family:"Times New Roman","serif"">
</span>Server response with new uri where querystring has changed<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">HTTP/1.1 303 See Other<o:p></o:p></p>
<p class="MsoNormal">Location: /async-response?opaque-server-state-2<o:p></o:p></p>
<p class="MsoNormal">Retry-After: 10<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoListParagraph" style="margin-left:18.0pt;text-indent:-18.0pt">5.<span style="font-size:7.0pt;font-family:"Times New Roman","serif"">
</span>Client again waits before following the redirect<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">GET /async-response?opaque-server-state-2 HTTP/1.1<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoListParagraph" style="margin-left:18.0pt;text-indent:-18.0pt">6.<span style="font-size:7.0pt;font-family:"Times New Roman","serif"">
</span>Server response with content when async operation has completed<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">HTTP/1.1 200 OK<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">"completed"<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><b>Callback is a simple notification request<o:p></o:p></b></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">My proposal for callback mechanism is a simple notification request.
<o:p></o:p></p>
<p class="MsoNormal">Server encodes any state it needs into querystring of the notification request.
<o:p></o:p></p>
<p class="MsoNormal">For the client the querysring is opaque and the client must pass it as-is when fetching the actual content from the server.<o:p></o:p></p>
<p class="MsoNormal">Using a simple notification request removes the requirement for client to authenticate the callback request from server.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Example of callback sequence:<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoListParagraph" style="margin-left:18.0pt;text-indent:-18.0pt">1.<span style="font-size:7.0pt;font-family:"Times New Roman","serif"">
</span>Client begins async operation<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">POST /begin-async-operation HTTP/1.1<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoListParagraph" style="margin-left:18.0pt;text-indent:-18.0pt">2.<span style="font-size:7.0pt;font-family:"Times New Roman","serif"">
</span>Server response with 202 status indicates client needs to wait for callback<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">HTTP/1.1 202 Accepted<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoListParagraph" style="margin-left:18.0pt;text-indent:-18.0pt">3.<span style="font-size:7.0pt;font-family:"Times New Roman","serif"">
</span>When async operation completes server sends a notification request to client. Server encodes state into querystring of notification uri<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">GET /callback?opaque-server-state-3 HTTP/1.1<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoListParagraph" style="margin-left:18.0pt;text-indent:-18.0pt">4.<span style="font-size:7.0pt;font-family:"Times New Roman","serif"">
</span>Client response is not processed by server<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">HTTP/1.1 204 No Content<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoListParagraph" style="margin-left:18.0pt;text-indent:-18.0pt">5.<span style="font-size:7.0pt;font-family:"Times New Roman","serif"">
</span>Client creates request uri and fetches content from server<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">GET /async-response?opaque-server-state-3 HTTP/1.1<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoListParagraph" style="margin-left:18.0pt;text-indent:-18.0pt">6.<span style="font-size:7.0pt;font-family:"Times New Roman","serif"">
</span>Server response with content<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">HTTP/1.1 200 OK<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><span lang="FI">"completed"<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="FI"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="FI"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="FI"><o:p> </o:p></span></p>
<p class="MsoNormal"><b><span lang="FI">Related discussion<o:p></o:p></span></b></p>
<p class="MsoNormal"><span lang="FI"><o:p> </o:p></span></p>
<p class="MsoNormal">[Openid-specs-mobile-profile] Async authentication<o:p></o:p></p>
<p class="MsoNormal"><span lang="FI"><a href="http://lists.openid.net/pipermail/openid-specs-mobile-profile/Week-of-Mon-20161010/000615.html"><span lang="EN-US">http://lists.openid.net/pipermail/openid-specs-mobile-profile/Week-of-Mon-20161010/000615.html</span></a></span><o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">[OAUTH-WG] polling in the device flow<o:p></o:p></p>
<p class="MsoNormal"><a href="https://www.ietf.org/mail-archive/web/oauth/current/msg02939.html">https://www.ietf.org/mail-archive/web/oauth/current/msg02939.html</a><o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">[OAUTH-WG] Device Flow: Alternative to Polling<o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Segoe UI","sans-serif";color:black"><a href="https://www.ietf.org/mail-archive/web/oauth/current/msg16723.html">https://www.ietf.org/mail-archive/web/oauth/current/msg16723.html</a><o:p></o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><b>References<o:p></o:p></b></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">OAuth 2.0 Device Flow<o:p></o:p></p>
<p class="MsoNormal"><a href="https://tools.ietf.org/html/draft-ietf-oauth-device-flow-03">https://tools.ietf.org/html/draft-ietf-oauth-device-flow-03</a><o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">HTTP/1.1 Semantics and Content<o:p></o:p></p>
<p class="MsoNormal"><a href="https://tools.ietf.org/html/rfc7231">https://tools.ietf.org/html/rfc7231</a><o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Retry-After<o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Segoe UI","sans-serif";color:black"><a href="https://tools.ietf.org/html/rfc7231#section-7.1.3">https://tools.ietf.org/html/rfc7231#section-7.1.3</a>
</span><o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Best Practices for the Use of Long Polling<o:p></o:p></p>
<p class="MsoNormal"><a href="https://tools.ietf.org/html/rfc6202">https://tools.ietf.org/html/rfc6202</a><o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</body>
</html>