jspωiki
Web Blog_blogentry_101017_1

2017-10-10#

Ran Across Today#

urn:ietf:wg:oauth:2.0:oob#

Date: Tue, Oct 10, 2017 at 11:02 AM Subject: Re: OAUTH-WG Questions on urn:ietf:wg:oauth:2.0:oob To: oauth <oauth@ietf.org>

urn:ietf:wg:oauth:2.0:oob is a Google thing that is not part of the OAuth 2.0 specification.

I think it was mostly a windows thing.

It is not a real redirect URI it is used as a flag to the Authorization sServer to have the result returned "Out Of Band" and the user cut and paste the token.

On Windows applications could snoop the title bars of other apps so programmatically retrieve the token value from the title bar.

I don’t really want to put effort into expanding all the reasons this is not secure.

I don’t honestly know what would happen if you sent that redirect URI to a non Google AS probably nothing good. It is not part of the OAuth specification and not something people should use without having a good reason and understanding the security implications.

William and I documented several ways to implement native applications on OSX and Windows in RFC 8252.

On windows you are really best off using a UWP app and the native token broker with the code flow.

Documentation https://developers.google.com/api-client-library/python/auth/installed-app

This value signals to the Google Authorization Server that the Authorization Code should be returned in the title bar of the browser, with the page text prompting the user to copy the code and paste it in the application. This is useful when the client (such as a Windows application) cannot listen on an HTTP port without significant client configuration.

When you use this value, your application can then detect that the page has loaded, and can read the title of the HTML page to obtain the Authorization Code. It is then up to your application to close the browser window if you want to ensure that the user never sees the page that contains the Authorization Code. The mechanism for doing this varies from platform to platform.

If your platform doesn't allow you to detect that the page has loaded or read the title of the page, you can have the user paste the code back to your application, as prompted by the text in the confirmation page that the OAuth 2.0 server generates.

John B.

More Information#

There might be more information for this subject on one of the following: ...nobody