In February, I have posted an article about oauth_wrap mobile webapp profile.
Now that it is unified to OAuth 2.0 drafts, here is another shot:

I have further simplified the flow by talking to Breno and John.

Here it is:

(Fig. XX)
How is that?!

The major difference between Web App Profile is that it creates a request file that captures all the parameters in JSON format at “request_url”. Then, instead of sending parameters over the redirect, it sends this “request_url” over the redirect. The rest is more or less the same.

Here is a suggested text:

3.11 Mobile Web App Flow

The moble web app flow is a user delegation flow suitable for clients
capable of interacting with the end-user’s user-agent (typically a
web browser) that are capability constrained especially for url length
and capable of receiving incoming requests from the
authorization server (capable of acting as an HTTP server).

The mobile web app flow illustrated in figure XX includes following steps.

1. The web client creates a request file at a URL “request_url” that captures
   all the parameters that it would like to send to the Authorization
   Server including client identifier
   and a redirect URI to which the authorization server will send
   the end-user back once authorization is received (or denied).
2. The web client initiates the flow by redirecting the end-user’s
   user-agent to the end-user endpoint with rul.
3. The Authorization server obtains parameters by accessing request_url.
4. The authorization server authenticates the end-user (via the
   user-agent) and establishes whether the end-user grants or
   denies the client’s access request.
5. Assuming the end-user granted access, the authorization server
   redirects the user-agent back to the client to the redirection
   URI provided earlier. The authorization includes a verification
   code for the client to use to obtain an access token.
6. The client requests an access token from the authorization
   server by including its client credentials (identifier and
   secret), as well as the verification code received in the
   previous step.
7. The authorization server validates the client credentials and
   the verification code and responds back with the access token.

3.11.1 Client Prepares a Request file at request_url

Clients creates and saves the parameters in 3.6.1 at request_url.
This file can be used many times, so it does not need to be done
every time.

3.11.2 Client Requests Authorization

In order for the end-user to grant the client access, the client
sends the end-user to the authorization server. The client
constructs the request URI by adding the following URI query
parameters to the end-user endpoint URI:

request_url

Request file url from which the Authorization Server may
obtain the request parameters.

immediate

OPTIONAL. The parameter value must be set to “true” or
“false”. If set to “true”, the authorization server MUST NOT
prompt the end-user to authenticate or approve access.
Instead, the authorization server attempts to establish the
end-user’s identity via other means (e.g. browser cookies) and
checks if the end-user has previously approved an identical
access request by the same client and if that access grant is
still active. If the authorization server does not support an
immediate check or if it is unable to establish the end-user’s
identity or approval status, it MUST deny the request without
prompting the end-user. Defaults to “false” if omitted

The client directs the end-user to the constructed URI using an HTTP
redirection response, or by other means available to it via the end-
user’s user-agent. The request MUST use the HTTP “GET” method.

For example, the client directs the end-user’s user-agent to make the
following HTTPS requests (line breaks are for display purposes only):

GET /authorize?request_url=hhttps%3A%2F%2Fclient%2Eexample%2Ecom HTTP/1.1
Host: server.example.com

If the client has previously registered a redirection URI with the
authorization server, the authorization server MUST verify that the
redirection URI received matches the registered URI associated with
the client identifier.

The authorization server authenticates the end-user and obtains an
authorization decision (by asking the end-user or establishing
approval via other means). The authorization server sends the end-
user’s user-agent to the provided client redirection URI using an
HTTP redirection response, or by other means available to it via the
end-user’s user-agent.

3.11.1.1. End-user Grants Authorization

Refer to 3.6.1.1.

3.11.1.2 End-user Denis Authorization

Refer to 3.6.1.2

3.11.2. Client Requests Access Token

The client obtains an access token from the authorization server by
making an HTTPS request to the token endpoint. The client
constructs a request URI by adding the following parameters to the
request:

client_id

REQUIRED. The client identifier as described in Section 3.1.

client_secret

REQUIRED if the client identifier has a matching secret. The
client secret as described in Section 3.1. If it is used, the
request method MUST be “POST”.

code

REQUIRED. The verification code received from the
authorization server.

secret_type

PTIONAL. The access token secret type as described by
Section 5.3. If omitted, the authorization server will issue a
bearer token (an access token without a matching secret) as
described by Section 5.2.

The authorization server MUST verify that the verification code,
client identity, client secret, and redirection URI are all valid and
match its stored association. If the request is valid, the
authorization server issues a successful response as described in
Section 3.3.2.1.

If the request is invalid, the authorization server returns an error
response as described in Section 3.3.2.2 with one of the following
error codes:

o “redirect_uri_mismatch”

o “bad_verification_code”

o “incorrect_client_credentials”

---

Changes

• (2010-05-27) s/rurl/request_url/g

So, when the sun rises, it is the 10th IIW day.

I hoped to prepare more, but with the current ill-health, this probably is the most I could.

Here is the new version of OpenID Artifact Binding (AB) .

Repository: http://bitbucket.org/openid/ab/

Browser Friendly Cache: HERE

For those of you who do not know, OpenID/AB is a chartered Working Group at the OpenID Foundation, and aims to create another binding for OpenID, so that it is

1. More Secure so that it can go all the way up.
2. Browser URL length limit friendly.

In addition, we have been targeting to make it

1. Very easy to write libraries, only with standard libraries
2. Very easy to implement for RP. For lower assurance RPs, it should be just a matter of pasting a javascript snippet, and a link.
3. Highly scalable: Completely stateless so that it can scale

I think the goal has been achieved as of draft 06.

It is using OAuth2.0 as the base protocol, and is building identity layer on top of it. Unlike David’s OpenID Connect straw man, it is not overloading the access token of OAuth2.0, so we can use that as OAuth token even for this OpenID flow.

I have implemented it myself (not being a professional programmer, it took more time than it should - besides, it was the first time for me to write anything in Javascript, and how-do-I-debug it???) in couple of days, in Javascript and PHP.

The size of the code shows how easy it is.

OP (PHP): 251 lines including debug codes and comments, as well as HTML.
RP (PHP): 109 lines including debug codes and comments, as well as HTML.
Magic Signatures Library: 83 lines including documentation.
AES Encryption Library (wrapper): 30 lines.

So, in total, it is 373 lines including documentation and debug codes.

AND: it supports asymmetric signature for non-repudiation, completely stateless OP, and my (proprietary version of) attribute exchange.

You can test drive them here: TEST DRIVE

Nice thing about what I did here for the attribute exchange is that the relying party can ask what combination so ever that the RP wishes of any of the attributes supported by the user. It is just a matter of making a “Request Parameter File”, which looks like this.

{
“ns”:"http://specs.openid.net/auth/2.0″,
“mode”:"direct_checkid_setup”,
“client_id”:"http://rp.tonescape.net/”,
“claimed_id”:"http://specs.openid.net/auth/2.0/identifier_select”,
“identifier”:"http://specs.openid.net/auth/2.0/identifier_select”,
“redirect_url”:"https://openid4.us/rp/rp.php”,
“atype”:"openid2json+sig”,
“ns:ax”:"http://openid.net/srv/ax/1.0″,
“ax:mode”:"fetch_request”,
“ax:avatar”:"”,
“ax:nickname”:"”,
“ax:lastname”:"”,
“ax:firstname”:"”,
“ax:gender”:"”,
“ax:birthyear”:"”
}

By change the “ax:lastname” to “ax:lastname#ja_Hani_JP”, I can get her Kanji name as well. It is that simple.

Not only that, you can push the write the attributes as well.
Just change “fetch_request” to “store_request”, and provide values to the attributes.

I have not implemented the following features yet, but should not take too much time.

• immediate: it should add only a few lines of code…
• payload encryption: Now that the encryption lib is done, it should be simple

Perhaps you can help .