[Openid-specs-native-apps] Returning a second Code
John Bradley
ve7jtb at ve7jtb.com
Wed Nov 26 22:48:31 UTC 2014
At the F2F meetings Google stated that there is a use case to return an OAuth code (or something like it) to the client so that it could be passed to the client’s back end to later have it exchanged for an AT/RT.
The logic is that the code for the backend would be to a confidential client and may have additional scopes beyond what the native app has access to.
This is likely useful outside the strict scope of NAPPS so should probably start life as a separate document if we want to take this on.
If we are using a native TA with code then we also have to consider how we get a code based on a refresh token, or use the authorization endpoint each time.
In https://tools.ietf.org/html/draft-ietf-oauth-pop-key-distribution we have added a token_type to the token_endpoint request (that lets a client specify that it wants a Proof of Possession token dynamically).
In the same spec we also add audience “aud” to the request.
We could extend that to define a code token type that returns a code for an aud, as a fairly generic method.
The missing part would be to add the SPOP code_challenge to the token_endpoint request.
This also has the side benefit of letting the native app and the backend server use https://tools.ietf.org/html/draft-ietf-oauth-pop-key-distribution when exchanging the code to establish a key for POP tokens.
I think the same method would also work for id_tokens as well rather than trying to overload a scope value.
So I guess the extension to the token endpoint for returning code and/or id_tokens could be one or two specs, but there is a lot of overlap so perhaps one to start?
Thoughts?
John B.
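The exchange John sketches above, as an added example that is not part of the original post or of any OpenID/IETF draft: a native app presents its refresh token at the token endpoint together with a requested token_type of "code", an aud naming its confidential backend and a PKCE-style code_challenge; the server returns a short-lived code bound to that audience and challenge; the backend (which has received the code and the matching code_verifier from the native app over its own channel) redeems it with its client secret. The token_type value "code", the aud/client-id binding, the in-memory stores, the client names and the scope policy are all assumptions made for the example. The checks that matter for a defender are the ones that make the second code useless to anyone who only intercepts it: it is single-use, it is rejected by any client other than the named audience, and it cannot be redeemed without the verifier.

```python
import base64
import hashlib
import secrets

# Constructed authorization-server state for the example (not from the post).
REFRESH_TOKENS = {
    "rt-native-123": {"client_id": "native-app", "scope": {"openid", "profile"}},
}
# Confidential backend clients and the scopes each may be granted (constructed policy).
# The backend may legitimately receive scopes the native app itself does not hold.
BACKEND_CLIENTS = {
    "backend-api": {"secret": "backend-secret", "scope": {"openid", "profile", "email"}},
}
ISSUED_CODES = {}  # code -> {"aud", "challenge", "scope", "used"}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def s256_challenge(verifier: str) -> str:
    """PKCE S256: BASE64URL(SHA256(code_verifier))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def token_endpoint_request_code(params: dict) -> dict:
    """Hypothetical token endpoint: exchange a refresh token for a second code
    aimed at a confidential backend (assumed token_type=code, aud, code_challenge)."""
    if params.get("grant_type") != "refresh_token":
        return {"error": "unsupported_grant_type"}
    rt = REFRESH_TOKENS.get(params.get("refresh_token"))
    if rt is None or rt["client_id"] != params.get("client_id"):
        return {"error": "invalid_grant"}
    if params.get("token_type") != "code":
        return {"error": "unsupported_token_type"}
    aud = params.get("aud")
    if aud not in BACKEND_CLIENTS:
        return {"error": "invalid_target"}
    challenge = params.get("code_challenge")
    if not challenge or params.get("code_challenge_method", "S256") != "S256":
        return {"error": "invalid_request"}
    # Granted scope is capped by what the named backend client is allowed to receive.
    requested = set(params.get("scope", " ".join(rt["scope"])).split())
    granted = requested & BACKEND_CLIENTS[aud]["scope"]
    code = secrets.token_urlsafe(32)
    ISSUED_CODES[code] = {"aud": aud, "challenge": challenge, "scope": granted, "used": False}
    return {"code": code, "token_type": "code", "expires_in": 60}


def backend_redeem_code(params: dict) -> dict:
    """The confidential backend redeems the code with its secret and the
    code_verifier it received from the native app."""
    client = BACKEND_CLIENTS.get(params.get("client_id"))
    if client is None or not secrets.compare_digest(client["secret"], params.get("client_secret", "")):
        return {"error": "invalid_client"}
    rec = ISSUED_CODES.get(params.get("code"))
    if rec is None or rec["used"]:
        return {"error": "invalid_grant"}
    rec["used"] = True  # single use, whatever the outcome of the remaining checks
    if rec["aud"] != params["client_id"]:
        return {"error": "invalid_grant"}  # code was minted for a different audience
    verifier = params.get("code_verifier", "")
    if not secrets.compare_digest(s256_challenge(verifier), rec["challenge"]):
        return {"error": "invalid_grant"}  # holder of the code does not hold the verifier
    return {
        "access_token": secrets.token_urlsafe(24),
        "refresh_token": secrets.token_urlsafe(24),
        "token_type": "Bearer",
        "scope": " ".join(sorted(rec["scope"])),
    }


def demo() -> dict:
    """Run the happy path plus the three failure modes the binding is meant to stop."""
    verifier = b64url(secrets.token_bytes(32))
    base = {
        "grant_type": "refresh_token", "refresh_token": "rt-native-123", "client_id": "native-app",
        "token_type": "code", "aud": "backend-api", "scope": "openid profile email",
        "code_challenge": s256_challenge(verifier), "code_challenge_method": "S256",
    }
    wrong_aud = token_endpoint_request_code({**base, "aud": "unknown-api"})
    issued = token_endpoint_request_code(base)
    redeem = {"client_id": "backend-api", "client_secret": "backend-secret",
              "code": issued.get("code"), "code_verifier": verifier}
    redeemed = backend_redeem_code(redeem)
    replay = backend_redeem_code(redeem)  # same code a second time
    issued2 = token_endpoint_request_code(base)
    bad_verifier = backend_redeem_code({**redeem, "code": issued2["code"], "code_verifier": "not-it"})
    return {
        "issued": "code" in issued,
        "redeemed": "access_token" in redeemed,
        "scope": redeemed.get("scope"),
        "replay_error": replay.get("error"),
        "bad_verifier_error": bad_verifier.get("error"),
        "wrong_aud_error": wrong_aud.get("error"),
    }


if __name__ == "__main__":
    print(demo())
```

The scope cap is applied against the backend client's policy rather than the native app's refresh token, which is what lets the backend end up with scopes the app never had while still keeping an attacker who steals the refresh token from minting codes for arbitrary audiences.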