<html>
  <head>
    <meta content="text/html; charset=windows-1252"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <p>Hi,<br>
    </p>
    <br>
    <div class="moz-cite-prefix">Am 05.12.2016 um 13:18 schrieb Petteri
      Stenius:<br>
    </div>
    <blockquote
cite="mid:DB6PR0501MB244021BC6DC61762B209D59EFA830@DB6PR0501MB2440.eurprd05.prod.outlook.com"
      type="cite">
      <div class="WordSection1">
        <p><span
            style="font-family:"Calibri",sans-serif;color:black"
            lang="EN-US">Hi,<o:p></o:p></span></p>
        <p><span
            style="font-family:"Calibri",sans-serif;color:black"
            lang="EN-US"><o:p> </o:p></span></p>
        <p><span
            style="font-family:"Calibri",sans-serif;color:black"
            lang="EN-US">Registration of endpoints is an application
            level issue, not part of the generalized http level
            mechanism.</span></p>
      </div>
    </blockquote>
    <br>
    but it somehow interferes with the generic http level mechanism, so
    the generic http part is not self-explanatory.<br>
    <br>
    <blockquote
cite="mid:DB6PR0501MB244021BC6DC61762B209D59EFA830@DB6PR0501MB2440.eurprd05.prod.outlook.com"
      type="cite">
      <div class="WordSection1">
        <p><span
            style="font-family:"Calibri",sans-serif;color:black"
            lang="EN-US"><o:p></o:p></span></p>
        <p><span
            style="font-family:"Calibri",sans-serif;color:black"
            lang="EN-US"><o:p> </o:p></span></p>
        <p><span
            style="font-family:"Calibri",sans-serif;color:black"
            lang="EN-US">With OAuth/OIDC we should follow the convention
            of registering endpoints with client registration
            and provider metadata.<o:p></o:p></span></p>
        <p><span
            style="font-family:"Calibri",sans-serif;color:black"
            lang="EN-US"><o:p> </o:p></span></p>
        <p><span
            style="font-family:"Calibri",sans-serif;color:black"
            lang="EN-US">The UQ draft defines a new client registration
            value “client_notification_endpoint” for the callback, but
            would it not be possible to use “redirect_uris” for this
            purpose?</span></p>
      </div>
    </blockquote>
    <br>
    Do you think it is a good idea to mix the two different modes? The
    rules for processing a conventional redirect, which arrives through
    the user's browser (XSRF, referrer header, session state/cookies),
    are different from those for receiving a server-to-server callback,
    which the provider sends directly (e.g. IP address
    black/whitelisting). I would prefer to keep them separate.<br>
    <br>
    <blockquote
cite="mid:DB6PR0501MB244021BC6DC61762B209D59EFA830@DB6PR0501MB2440.eurprd05.prod.outlook.com"
      type="cite">
      <div class="WordSection1">
        <p><span
            style="font-family:"Calibri",sans-serif;color:black"
            lang="EN-US"><o:p></o:p></span></p>
        <p><span
            style="font-family:"Calibri",sans-serif;color:black"
            lang="EN-US"><o:p> </o:p></span></p>
        <p><span
            style="font-family:"Calibri",sans-serif;color:black"
            lang="EN-US">The client callback endpoint is an entry in the
            redirect_uris array of client registration metadata. With a
            parameter of the request that starts async authentication,
            the client indicates at which of the registered endpoints it
            wishes to receive the async callback. This is comparable to
            an authorization code request.<o:p></o:p></span></p>
        <p><span
            style="font-family:"Calibri",sans-serif;color:black"
            lang="EN-US"><o:p> </o:p></span></p>
        <p><span
            style="font-family:"Calibri",sans-serif;color:black"
            lang="EN-US"><o:p> </o:p></span></p>
        <p><span
            style="font-family:"Calibri",sans-serif;color:black">Petteri<o:p></o:p></span></p>
        <p><span
            style="font-family:"Calibri",sans-serif;color:black"><o:p> </o:p></span></p>
      </div>
    </blockquote>
    <br>
    best regards,<br>
    Torsten.<br>
    <blockquote
cite="mid:DB6PR0501MB244021BC6DC61762B209D59EFA830@DB6PR0501MB2440.eurprd05.prod.outlook.com"
      type="cite">
      <div class="WordSection1">
        <p><span
            style="font-family:"Calibri",sans-serif;color:black"><o:p> </o:p></span></p>
        <div class="MsoNormal" style="text-align:center" align="center"><span
            style="color:black">
            <hr align="center" size="2" width="98%">
          </span></div>
        <div id="divRplyFwdMsg">
          <p class="MsoNormal"><b><span style="color:black" lang="EN-US">From:</span></b><span
              style="color:black" lang="EN-US"> Torsten Lodderstedt
              <a class="moz-txt-link-rfc2396E" href="mailto:torsten@lodderstedt.net">&lt;torsten@lodderstedt.net&gt;</a><br>
              <b>Sent:</b> Saturday, December 3, 2016 10:50:10 AM<br>
              <b>To:</b> Petteri Stenius<br>
              <b>Cc:</b> <a class="moz-txt-link-abbreviated" href="mailto:openid-specs-mobile-profile@lists.openid.net">openid-specs-mobile-profile@lists.openid.net</a><br>
              <b>Subject:</b> Re: [Openid-specs-mobile-profile] Async
              authentication with polling and callback
              <o:p></o:p></span></p>
          <div>
            <p class="MsoNormal"><span style="color:black" lang="EN-US"> <o:p></o:p></span></p>
          </div>
        </div>
        <div>
          <div>
            <p class="MsoNormal"><span style="color:black" lang="EN-US">Hi
                Petteri,<o:p></o:p></span></p>
          </div>
          <div>
            <p class="MsoNormal"><span style="color:black" lang="EN-US"><o:p> </o:p></span></p>
          </div>
          <div>
            <p class="MsoNormal"><span style="color:black" lang="EN-US">thanks
                for your proposal.<o:p></o:p></span></p>
          </div>
          <div>
            <p class="MsoNormal"><span style="color:black" lang="EN-US"><o:p> </o:p></span></p>
          </div>
          <div>
            <p class="MsoNormal"><span style="color:black" lang="EN-US">One
                question popped up when I read the sequence for the
                callback case: how does the server know where to send
                the callback in step 3?<o:p></o:p></span></p>
          </div>
          <div>
            <p class="MsoNormal"><span style="color:black" lang="EN-US"><o:p> </o:p></span></p>
          </div>
          <div>
            <p class="MsoNormal"><span style="color:black" lang="EN-US">best
                regards,<o:p></o:p></span></p>
          </div>
          <div>
            <p class="MsoNormal"><span style="color:black" lang="EN-US">Torsten.<o:p></o:p></span></p>
          </div>
          <div>
            <p class="MsoNormal" style="margin-bottom:12.0pt"><span
                style="color:black" lang="EN-US"><br>
                Am 01.12.2016 um 16:58 schrieb Petteri Stenius &lt;</span><span
                style="color:black"><a moz-do-not-send="true"
                  href="mailto:Petteri.Stenius@ubisecure.com"><span
                    lang="EN-US">Petteri.Stenius@ubisecure.com</span></a></span><span
                style="color:black" lang="EN-US">&gt;:<o:p></o:p></span></p>
          </div>
          <blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
            <div>
              <p class="MsoNormal"><span style="color:black"
                  lang="EN-US">Hello everybody<o:p></o:p></span></p>
              <p class="MsoNormal"><span style="color:black"
                  lang="EN-US"> <o:p></o:p></span></p>
              <p class="MsoNormal"><span style="color:black"
                  lang="EN-US">At the Paris meeting in September there
                  was some discussion about polling and callback
                  mechanisms related to asynchronous functions.
                  <o:p></o:p></span></p>
              <p class="MsoNormal"><span style="color:black"
                  lang="EN-US"> <o:p></o:p></span></p>
              <p class="MsoNormal"><span style="color:black"
                  lang="EN-US">These mechanisms exist in both UQ and
                  SIBA draft specifications. Polling is also defined in
                  OAuth Device Flow draft.<o:p></o:p></span></p>
              <p class="MsoNormal"><span style="color:black"
                  lang="EN-US"> <o:p></o:p></span></p>
              <p class="MsoNormal"><span style="color:black"
                  lang="EN-US">This proposal is an attempt to generalize
                  async polling and callback mechanisms:<o:p></o:p></span></p>
              <p class="MsoNormal"><span style="color:black"
                  lang="EN-US"> <o:p></o:p></span></p>
              <p class="MsoListParagraph"
                style="text-indent:-18.0pt;mso-list:l3 level1 lfo2"><!--[if !supportLists]--><span
                  style="font-family:Symbol;color:black" lang="EN-US"><span
                    style="mso-list:Ignore">·<span style="font:7.0pt
                      "Times New Roman"">        
                    </span></span></span><!--[endif]--><span
                  style="color:black" lang="EN-US">Define polling on the
                  http level, not an application level function<o:p></o:p></span></p>
              <p class="MsoListParagraph"
                style="text-indent:-18.0pt;mso-list:l3 level1 lfo2"><!--[if !supportLists]--><span
                  style="font-family:Symbol;color:black" lang="EN-US"><span
                    style="mso-list:Ignore">·<span style="font:7.0pt
                      "Times New Roman"">        
                    </span></span></span><!--[endif]--><span
                  style="color:black" lang="EN-US">Callback is only a
                  simple notification request, a client initiated
                  request is required to fetch the actual content<o:p></o:p></span></p>
              <p class="MsoNormal"><span style="color:black"
                  lang="EN-US"> <o:p></o:p></span></p>
              <p class="MsoNormal"><span style="color:black"
                  lang="EN-US">The two proposals work together, and make
                  for example switching between polling and callback
                  mechanisms very easy.<o:p></o:p></span></p>
              <p class="MsoNormal"><span style="color:black"
                  lang="EN-US"> <o:p></o:p></span></p>
              <p class="MsoNormal"><span style="color:black"
                  lang="EN-US">Thanks,<o:p></o:p></span></p>
              <p class="MsoNormal"><span style="color:black"
                  lang="EN-US">Petteri<o:p></o:p></span></p>
              <p class="MsoNormal"><span style="color:black"
                  lang="EN-US"> <o:p></o:p></span></p>
              <p class="MsoNormal"><span style="color:black"
                  lang="EN-US"> <o:p></o:p></span></p>
              <p class="MsoNormal"><b><span style="color:black"
                    lang="EN-US">Polling defined on the http level</span></b><span
                  style="color:black" lang="EN-US"><o:p></o:p></span></p>
              <p class="MsoNormal"><span style="color:black"
                  lang="EN-US"> <o:p></o:p></span></p>
              <p class="MsoNormal"><span style="color:black"
                  lang="EN-US">Define mechanism with HTTP 303 redirect
                  and Retry-After response header.</span><span
                  style="font-size:10.0pt;font-family:"Segoe
                  UI",sans-serif;color:black" lang="EN-US">
                </span><span style="color:black" lang="EN-US"><o:p></o:p></span></p>
              <p class="MsoNormal"><span style="color:black"
                  lang="EN-US"> <o:p></o:p></span></p>
              <p class="MsoNormal"><span style="color:black"
                  lang="EN-US">A 303 redirect is used to define polling as
                  a sequence of http redirects the client follows until
                  the async operation completes and the response appears.
                  <o:p></o:p></span></p>
              <p class="MsoNormal"><span style="color:black"
                  lang="EN-US">The client MUST wait for the time indicated
                  by the Retry-After header before following a redirect.
                  Failing to do so would result in a 503 Service
                  Unavailable error (with a Retry-After header).<o:p></o:p></span></p>
              <p class="MsoNormal"><span style="color:black"
                  lang="EN-US">Semantics is comparable to "Wait a
                  moment, the response will soon appear at this
                  location"<o:p></o:p></span></p>
              <p class="MsoNormal"><span style="color:black"
                  lang="EN-US"> <o:p></o:p></span></p>
              <p class="MsoNormal"><span style="color:black"
                  lang="EN-US">The server is allowed to implement "long
                  polling" by holding a response up to 30 seconds (see
                  <a moz-do-not-send="true"
                    href="https://tools.ietf.org/html/rfc6202#section-5.5">https://tools.ietf.org/html/rfc6202#section-5.5</a>)<o:p></o:p></span></p>
              <p class="MsoNormal"><span style="color:black"
                  lang="EN-US"> <o:p></o:p></span></p>
              <p class="MsoNormal"><span style="color:black"
                  lang="EN-US">Example of polling sequence:</span><span
                  style="color:black"><o:p></o:p></span></p>
              <p class="MsoNormal"><span style="color:black"
                  lang="EN-US"> </span><span style="color:black"><o:p></o:p></span></p>
              <p class="MsoListParagraph"
                style="margin-left:18.0pt;text-indent:-18.0pt;mso-list:l2
                level1 lfo4">
                <!--[if !supportLists]--><span style="color:black"><span
                    style="mso-list:Ignore">1.<span style="font:7.0pt
                      "Times New Roman"">      
                    </span></span></span><!--[endif]--><span
                  style="color:black" lang="EN-US">Client begins async
                  operation</span><span style="color:black"><o:p></o:p></span></p>
              <p class="MsoNormal"><span style="color:black"
                  lang="EN-US"> </span><span style="color:black"><o:p></o:p></span></p>
              <p class="MsoNormal"><span style="color:black"
                  lang="EN-US">POST /begin-async-operation HTTP/1.1<o:p></o:p></span></p>
              <p class="MsoNormal"><span style="color:black"
                  lang="EN-US"> <o:p></o:p></span></p>
              <p class="MsoListParagraph"
                style="margin-left:18.0pt;text-indent:-18.0pt;mso-list:l2
                level1 lfo4">
                <!--[if !supportLists]--><span style="color:black"><span
                    style="mso-list:Ignore">2.<span style="font:7.0pt
                      "Times New Roman"">      
                    </span></span></span><!--[endif]--><span
                  style="color:black" lang="EN-US">Server response with
                  303 status indicates client must begin polling for
                  response. Server encodes state into querystring of
                  redirect uri</span><span style="color:black"><o:p></o:p></span></p>
              <p class="MsoNormal"><span style="color:black"
                  lang="EN-US"> </span><span style="color:black"><o:p></o:p></span></p>
              <p class="MsoNormal"><span style="color:black"
                  lang="EN-US">HTTP/1.1 303 See Other</span><span
                  style="color:black"><o:p></o:p></span></p>
              <p class="MsoNormal"><span style="color:black"
                  lang="EN-US">Location:
                  /async-response?opaque-server-state-1<o:p></o:p></span></p>
              <p class="MsoNormal"><span style="color:black"
                  lang="EN-US">Retry-After: 10</span><span
                  style="color:black"><o:p></o:p></span></p>
              <p class="MsoNormal"><span style="color:black"
                  lang="EN-US"> </span><span style="color:black"><o:p></o:p></span></p>
              <p class="MsoListParagraph"
                style="margin-left:18.0pt;text-indent:-18.0pt;mso-list:l2
                level1 lfo4">
                <!--[if !supportLists]--><span style="color:black"
                  lang="EN-US"><span style="mso-list:Ignore">3.<span
                      style="font:7.0pt "Times New Roman"">      
                    </span></span></span><!--[endif]--><span
                  style="color:black" lang="EN-US">Client waits at least
                  10 seconds before following the redirect<o:p></o:p></span></p>
              <p class="MsoNormal"><span style="color:black"
                  lang="EN-US"> <o:p></o:p></span></p>
              <p class="MsoNormal"><span style="color:black"
                  lang="EN-US">GET /async-response?opaque-server-state-1
                  HTTP/1.1<o:p></o:p></span></p>
              <p class="MsoNormal"><span style="color:black"
                  lang="EN-US"> <o:p></o:p></span></p>
              <p class="MsoListParagraph"
                style="margin-left:18.0pt;text-indent:-18.0pt;mso-list:l2
                level1 lfo4">
                <!--[if !supportLists]--><span style="color:black"
                  lang="EN-US"><span style="mso-list:Ignore">4.<span
                      style="font:7.0pt "Times New Roman"">      
                    </span></span></span><!--[endif]--><span
                  style="color:black" lang="EN-US">Server response with
                  new uri where querystring has changed<o:p></o:p></span></p>
              <p class="MsoNormal"><span style="color:black"
                  lang="EN-US"> <o:p></o:p></span></p>
              <p class="MsoNormal"><span style="color:black"
                  lang="EN-US">HTTP/1.1 303 See Other<o:p></o:p></span></p>
              <p class="MsoNormal"><span style="color:black"
                  lang="EN-US">Location:
                  /async-response?opaque-server-state-2<o:p></o:p></span></p>
              <p class="MsoNormal"><span style="color:black"
                  lang="EN-US">Retry-After: 10</span><span
                  style="color:black"><o:p></o:p></span></p>
              <p class="MsoNormal"><span style="color:black"
                  lang="EN-US"> </span><span style="color:black"><o:p></o:p></span></p>
              <p class="MsoListParagraph"
                style="margin-left:18.0pt;text-indent:-18.0pt;mso-list:l2
                level1 lfo4">
                <!--[if !supportLists]--><span style="color:black"
                  lang="EN-US"><span style="mso-list:Ignore">5.<span
                      style="font:7.0pt "Times New Roman"">      
                    </span></span></span><!--[endif]--><span
                  style="color:black" lang="EN-US">Client again waits
                  before following the redirect<o:p></o:p></span></p>
              <p class="MsoNormal"><span style="color:black"
                  lang="EN-US"> <o:p></o:p></span></p>
              <p class="MsoNormal"><span style="color:black"
                  lang="EN-US">GET /async-response?opaque-server-state-2
                  HTTP/1.1<o:p></o:p></span></p>
              <p class="MsoNormal"><span style="color:black"
                  lang="EN-US"> <o:p></o:p></span></p>
              <p class="MsoListParagraph"
                style="margin-left:18.0pt;text-indent:-18.0pt;mso-list:l2
                level1 lfo4">
                <!--[if !supportLists]--><span style="color:black"
                  lang="EN-US"><span style="mso-list:Ignore">6.<span
                      style="font:7.0pt "Times New Roman"">      
                    </span></span></span><!--[endif]--><span
                  style="color:black" lang="EN-US">Server response with
                  content when async operation has completed<o:p></o:p></span></p>
              <p class="MsoNormal"><span style="color:black"
                  lang="EN-US"> <o:p></o:p></span></p>
              <p class="MsoNormal"><span style="color:black"
                  lang="EN-US">HTTP/1.1 200 OK<o:p></o:p></span></p>
              <p class="MsoNormal"><span style="color:black"
                  lang="EN-US"> <o:p></o:p></span></p>
              <p class="MsoNormal"><span style="color:black"
                  lang="EN-US">"completed"<o:p></o:p></span></p>
              <p class="MsoNormal"><span style="color:black"
                  lang="EN-US"> <o:p></o:p></span></p>
              <p class="MsoNormal"><span style="color:black"
                  lang="EN-US"> <o:p></o:p></span></p>
              <p class="MsoNormal"><b><span style="color:black"
                    lang="EN-US">Callback is a simple notification
                    request</span></b><span style="color:black"
                  lang="EN-US"><o:p></o:p></span></p>
              <p class="MsoNormal"><span style="color:black"
                  lang="EN-US"> <o:p></o:p></span></p>
              <p class="MsoNormal"><span style="color:black"
                  lang="EN-US">My proposal for callback mechanism is a
                  simple notification request.
                  <o:p></o:p></span></p>
              <p class="MsoNormal"><span style="color:black"
                  lang="EN-US">Server encodes any state it needs into
                  querystring of the notification request.
                  <o:p></o:p></span></p>
              <p class="MsoNormal"><span style="color:black"
                  lang="EN-US">For the client the querystring is opaque
                  and the client must pass it as-is when fetching the
                  actual content from the server.<o:p></o:p></span></p>
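              <p class="MsoNormal"><span style="color:black"
                  lang="EN-US">Using a simple notification request
                  removes the requirement for the client to authenticate the
                  callback request from the server, because the notification
                  carries no content itself: the client only passes the opaque
                  querystring back when fetching the actual content from the
                  server.<o:p></o:p></span></p>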
              <p class="MsoNormal"><span style="color:black"
                  lang="EN-US"> <o:p></o:p></span></p>
              <p class="MsoNormal"><span style="color:black"
                  lang="EN-US">Example of callback sequence:</span><span
                  style="color:black"><o:p></o:p></span></p>
              <p class="MsoNormal"><span style="color:black"
                  lang="EN-US"> </span><span style="color:black"><o:p></o:p></span></p>
              <p class="MsoListParagraph"
                style="margin-left:18.0pt;text-indent:-18.0pt;mso-list:l1
                level1 lfo6">
                <!--[if !supportLists]--><span style="color:black"><span
                    style="mso-list:Ignore">1.<span style="font:7.0pt
                      "Times New Roman"">      
                    </span></span></span><!--[endif]--><span
                  style="color:black" lang="EN-US">Client begins async
                  operation</span><span style="color:black"><o:p></o:p></span></p>
              <p class="MsoNormal"><span style="color:black"
                  lang="EN-US"> </span><span style="color:black"><o:p></o:p></span></p>
              <p class="MsoNormal"><span style="color:black"
                  lang="EN-US">POST /begin-async-operation HTTP/1.1<o:p></o:p></span></p>
              <p class="MsoNormal"><span style="color:black"
                  lang="EN-US"> <o:p></o:p></span></p>
              <p class="MsoListParagraph"
                style="margin-left:18.0pt;text-indent:-18.0pt;mso-list:l1
                level1 lfo6">
                <!--[if !supportLists]--><span style="color:black"
                  lang="EN-US"><span style="mso-list:Ignore">2.<span
                      style="font:7.0pt "Times New Roman"">      
                    </span></span></span><!--[endif]--><span
                  style="color:black" lang="EN-US">Server response with
                  202 status indicates client needs to wait for callback<o:p></o:p></span></p>
              <p class="MsoNormal"><span style="color:black"
                  lang="EN-US"> <o:p></o:p></span></p>
              <p class="MsoNormal"><span style="color:black"
                  lang="EN-US">HTTP/1.1 202 Accepted</span><span
                  style="color:black"><o:p></o:p></span></p>
              <p class="MsoNormal"><span style="color:black"
                  lang="EN-US"> </span><span style="color:black"><o:p></o:p></span></p>
              <p class="MsoListParagraph"
                style="margin-left:18.0pt;text-indent:-18.0pt;mso-list:l1
                level1 lfo6">
                <!--[if !supportLists]--><span style="color:black"><span
                    style="mso-list:Ignore">3.<span style="font:7.0pt
                      "Times New Roman"">      
                    </span></span></span><!--[endif]--><span
                  style="color:black" lang="EN-US">When async operation
                  completes server sends a notification request to
                  client. Server encodes state into querystring of
                  notification uri</span><span style="color:black"><o:p></o:p></span></p>
              <p class="MsoNormal"><span style="color:black"
                  lang="EN-US"> </span><span style="color:black"><o:p></o:p></span></p>
              <p class="MsoNormal"><span style="color:black"
                  lang="EN-US">GET /callback?opaque-server-state-3
                  HTTP/1.1<o:p></o:p></span></p>
              <p class="MsoNormal"><span style="color:black"
                  lang="EN-US"> <o:p></o:p></span></p>
              <p class="MsoListParagraph"
                style="margin-left:18.0pt;text-indent:-18.0pt;mso-list:l1
                level1 lfo6">
                <!--[if !supportLists]--><span style="color:black"
                  lang="EN-US"><span style="mso-list:Ignore">4.<span
                      style="font:7.0pt "Times New Roman"">      
                    </span></span></span><!--[endif]--><span
                  style="color:black" lang="EN-US">Client response is
                  not processed by server<o:p></o:p></span></p>
              <p class="MsoNormal"><span style="color:black"
                  lang="EN-US"> <o:p></o:p></span></p>
              <p class="MsoNormal"><span style="color:black"
                  lang="EN-US">HTTP/1.1 204 No Content</span><span
                  style="color:black"><o:p></o:p></span></p>
              <p class="MsoNormal"><span style="color:black"
                  lang="EN-US"> </span><span style="color:black"><o:p></o:p></span></p>
              <p class="MsoListParagraph"
                style="margin-left:18.0pt;text-indent:-18.0pt;mso-list:l1
                level1 lfo6">
                <!--[if !supportLists]--><span style="color:black"
                  lang="EN-US"><span style="mso-list:Ignore">5.<span
                      style="font:7.0pt "Times New Roman"">      
                    </span></span></span><!--[endif]--><span
                  style="color:black" lang="EN-US">Client creates
                  request uri and fetches content from server<o:p></o:p></span></p>
              <p class="MsoNormal"><span style="color:black"
                  lang="EN-US"> <o:p></o:p></span></p>
              <p class="MsoNormal"><span style="color:black"
                  lang="EN-US">GET /async-response?opaque-server-state-3
                  HTTP/1.1<o:p></o:p></span></p>
              <p class="MsoNormal"><span style="color:black"
                  lang="EN-US"> <o:p></o:p></span></p>
              <p class="MsoListParagraph"
                style="margin-left:18.0pt;text-indent:-18.0pt;mso-list:l1
                level1 lfo6">
                <!--[if !supportLists]--><span style="color:black"><span
                    style="mso-list:Ignore">6.<span style="font:7.0pt
                      "Times New Roman"">      
                    </span></span></span><!--[endif]--><span
                  style="color:black" lang="EN-US">Server response with
                  content</span><span style="color:black"><o:p></o:p></span></p>
              <p class="MsoNormal"><span style="color:black"
                  lang="EN-US"> </span><span style="color:black"><o:p></o:p></span></p>
              <p class="MsoNormal"><span style="color:black"
                  lang="EN-US">HTTP/1.1 200 OK</span><span
                  style="color:black"><o:p></o:p></span></p>
              <p class="MsoNormal"><span style="color:black"
                  lang="EN-US"> </span><span style="color:black"><o:p></o:p></span></p>
              <p class="MsoNormal"><span style="color:black">"completed"<o:p></o:p></span></p>
              <p class="MsoNormal"><span style="color:black"> <o:p></o:p></span></p>
              <p class="MsoNormal"><span style="color:black"> <o:p></o:p></span></p>
              <p class="MsoNormal"><span style="color:black"> <o:p></o:p></span></p>
              <p class="MsoNormal"><b><span style="color:black">Related
                    discussion</span></b><span style="color:black"><o:p></o:p></span></p>
              <p class="MsoNormal"><span style="color:black"> <o:p></o:p></span></p>
              <p class="MsoNormal"><span style="color:black"
                  lang="EN-US">[Openid-specs-mobile-profile] Async
                  authentication<o:p></o:p></span></p>
              <p class="MsoNormal"><span style="color:black"><a
                    moz-do-not-send="true"
href="http://lists.openid.net/pipermail/openid-specs-mobile-profile/Week-of-Mon-20161010/000615.html"><span
                      lang="EN-US">http://lists.openid.net/pipermail/openid-specs-mobile-profile/Week-of-Mon-20161010/000615.html</span></a></span><span
                  style="color:black" lang="EN-US"><o:p></o:p></span></p>
              <p class="MsoNormal"><span style="color:black"
                  lang="EN-US"> <o:p></o:p></span></p>
              <p class="MsoNormal"><span style="color:black"
                  lang="EN-US">[OAUTH-WG] polling in the device flow<o:p></o:p></span></p>
              <p class="MsoNormal"><span style="color:black"
                  lang="EN-US"><a moz-do-not-send="true"
                    href="https://www.ietf.org/mail-archive/web/oauth/current/msg02939.html">https://www.ietf.org/mail-archive/web/oauth/current/msg02939.html</a><o:p></o:p></span></p>
              <p class="MsoNormal"><span style="color:black"
                  lang="EN-US"> <o:p></o:p></span></p>
              <p class="MsoNormal"><span style="color:black"
                  lang="EN-US">[OAUTH-WG] Device Flow: Alternative to
                  Polling<o:p></o:p></span></p>
              <p class="MsoNormal"><span
                  style="font-size:10.0pt;font-family:"Segoe
                  UI",sans-serif;color:black" lang="EN-US"><a
                    moz-do-not-send="true"
                    href="https://www.ietf.org/mail-archive/web/oauth/current/msg16723.html">https://www.ietf.org/mail-archive/web/oauth/current/msg16723.html</a></span><span
                  style="color:black" lang="EN-US"><o:p></o:p></span></p>
              <p class="MsoNormal"><span style="color:black"
                  lang="EN-US"> <o:p></o:p></span></p>
              <p class="MsoNormal"><b><span style="color:black"
                    lang="EN-US">References</span></b><span
                  style="color:black" lang="EN-US"><o:p></o:p></span></p>
              <p class="MsoNormal"><span style="color:black"
                  lang="EN-US"> <o:p></o:p></span></p>
              <p class="MsoNormal"><span style="color:black"
                  lang="EN-US">OAuth 2.0 Device Flow<o:p></o:p></span></p>
              <p class="MsoNormal"><span style="color:black"
                  lang="EN-US"><a moz-do-not-send="true"
                    href="https://tools.ietf.org/html/draft-ietf-oauth-device-flow-03">https://tools.ietf.org/html/draft-ietf-oauth-device-flow-03</a><o:p></o:p></span></p>
              <p class="MsoNormal"><span style="color:black"
                  lang="EN-US"> <o:p></o:p></span></p>
              <p class="MsoNormal"><span style="color:black"
                  lang="EN-US">HTTP/1.1 Semantics and Content<o:p></o:p></span></p>
              <p class="MsoNormal"><span style="color:black"
                  lang="EN-US"><a moz-do-not-send="true"
                    href="https://tools.ietf.org/html/rfc7231">https://tools.ietf.org/html/rfc7231</a><o:p></o:p></span></p>
              <p class="MsoNormal"><span style="color:black"
                  lang="EN-US"> <o:p></o:p></span></p>
              <p class="MsoNormal"><span style="color:black"
                  lang="EN-US">Retry-After<o:p></o:p></span></p>
              <p class="MsoNormal"><span
                  style="font-size:10.0pt;font-family:"Segoe
                  UI",sans-serif;color:black" lang="EN-US"><a
                    moz-do-not-send="true"
                    href="https://tools.ietf.org/html/rfc7231#section-7.1.3">https://tools.ietf.org/html/rfc7231#section-7.1.3</a>
                </span><span style="color:black" lang="EN-US"><o:p></o:p></span></p>
              <p class="MsoNormal"><span style="color:black"
                  lang="EN-US"> <o:p></o:p></span></p>
              <p class="MsoNormal"><span style="color:black"
                  lang="EN-US">Best Practices for the Use of Long
                  Polling<o:p></o:p></span></p>
              <p class="MsoNormal"><span style="color:black"
                  lang="EN-US"><a moz-do-not-send="true"
                    href="https://tools.ietf.org/html/rfc6202">https://tools.ietf.org/html/rfc6202</a><o:p></o:p></span></p>
              <p class="MsoNormal"><span style="color:black"
                  lang="EN-US"> <o:p></o:p></span></p>
              <p class="MsoNormal"><span style="color:black"
                  lang="EN-US"> <o:p></o:p></span></p>
            </div>
          </blockquote>
        </div>
      </div>
    </blockquote>
    <br>
  </body>
</html>