OAUTH2 User Agent via Window Post Message

From IIW

Session topic: UserAgent flow based on window.postMessage (W4A)

Convener: Breno de Medeiros

Notes-taker(s): Breno de Medeiros

Tags for the session - technology discussed/ideas considered:

Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:

The session put forward the proposition that using JavaScript-bound
transport mechanisms whenever possible (instead of network/HTTP) leads
to an OAuth2 UserAgent profile that has better security, lower
latency, and more powerful and flexible mechanisms to customize the
user experience.

Participants generally agreed with the proposition to pursue
JavaScript transport bindings for UserAgent in a speclet. (Revisiting
OAuth2 core was the alternative option, which was not viewed
positively.)



Specific feedback:

Backward compatibility:


  • Define the JavaScript binding so that it can be requested in
combination with a syntactically valid HTTP binding, so that the client
does not need logic to special-case providers that support the
JS binding; providers unaware of the JS binding will ignore the
extension parameters they don't understand and process the request as
before, in the traditional HTTP binding for UserAgent.

  • Define the behavior of a JS-binding-aware provider so that it handles
a request carrying both bindings by preferring the postMessage variant.

  • Have the JS libraries handle either behavior automatically, with
minimal configuration: an additional static servlet for providers that
require a fixed pre-registered URI, and very simple additional
client-side configuration to define the client.

Native app extension:

  • Allow the redirect URIs to be any scheme that can be securely
managed as a JavaScript origin.

  • Extend the postMessage flow to native apps using custom URI schemes.

Provide open source JavaScript libraries and code samples for both
server (provider) and client.

I was asked to provide a link to a forum for further discussion. I
created a Google group where we can start this conversation until we
have an umbrella WG in a receptive spec community.
https://groups.google.com/forum/#!forum/oauth2-postmessage-profile