OAUTH2 User Agent via Window Post Message

Session topic: UserAgent flow based on Windows Post Message (W4A)

Convener: Breno de Medeiros

Notes-taker(s): Breno de Medeiros

Tags for the session - technology discussed/ideas considered:

Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:

The section put forward the proposition that using javascript-bound transport mechanisms whenever possible (instead of network/HTTP) leads to an OAuth2 UserAgent profile that has better security, lower latency, and more powerful and flexible mechanisms to customize the user experience.

Participants generally agreed with the proposition to pursue javascript transport bindings for UserAgent in a speclet. (Revisiting OAuth2 core being the alternative option, which was not viewed positively.)

Specific feedback:

Backward compatibility:
 * Define the javascript binding so that it can be requested in combination with a syntactically valid HTTP-binding so that the client does not need to have logic to special case providers that support the JS-binding; non-JS-binding aware providers will ignore the extension parameters they don't understand and process the request as before in traditional HTTP-binding for UserAgent.
 * Define the JS-binding-aware provider behavior to be able to handle the multiple request by preferring the postmessage variant.
 * Have the JS libraries configured to handle either behavior automatically, with minimum configuration of an additional static servlet for providers that require a fixed pre-registered Uri, and very simple additional client side configuration to define the client.

Native app extension:
 * Allow the redirect URIs to be any scheme that can be securely managed as a javascript origin.
 * Extend the postmessage flow to native apps using custom URI schemes.

Provide open source javascript libraries and code samples for both server (provider) and client.

I was asked to provide a link to a forum for further discussion. I created a Google group where we can start this conversation until we have an umbrella WG in a receptive spec community. https://groups.google.com/forum/#!forum/oauth2-postmessage-profile