@aaronpk Thanks for all your very helpful OAuth materials, and especially for your IndieWeb work. Question: A lot of the complexity of OAuth seems to come from avoiding security issues with passing tokens in the address bar ("front channel"). 1/
Why not open a new tab for interacting with the auth server, while simultaneously opening a back channel request in the original session? Once the user has authenticated/authorized from the new tab, the back channel request would resolve. 2/
That's basically what the Device Flow is, except manual. You certainly could do that. I suspect it would be fragile at best though, and wouldn't work well in mobile browsers.
The spec has a way for the AS to provide the app with a URL that the user should visit. So the app has to get the user to that URL somehow; it doesn't matter how, and it doesn't matter what that URL is.
Jan 21, 2020 · 11:58 PM UTC