OAuth Wrap Mobile Web App Profile?

The wrap_scope, especially when it is determined dynamically using standard vocabulary such as something similar to OpenID AX, can become quite big. Under such circumstances, we may hit the browser/server constraint on URL and HTTP header. This is more acute in the mobile scenario.

Lucky thing is that it is trivial to create an Mobile friendly profile / binding of OAuth Wrap, since it is almost done. It suffices just to introduce a request artifact.

Here is the flow:

(fig.1) Wrap Mobile Web Profile

Of course, details need to be nailed down, but the basic flow should be it.

People may criticize that it introduce state in the AuthzServer. It may, but it is not necessarily so. Since the AuthzServer knows what it can serve, it has constrained set of scope and may well be able to encode it into an Artifact, so that it does not need to keep the state.


(Feb 12) Fixed typo in the figure.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.