consider adding Resource Owner Password Credentials Grant flow

[michielbdejong]

http://tools.ietf.org/html/rfc6749#section-4.3 This might be useful for desktop and device-native apps. It would open up the way for adding remoteStorage support to https://github.com/owncloud/android-library and https://github.com/cozy/cozy-mobile

[michielbdejong]

Maybe next time

[michielbdejong]

Maybe next time. In any case, servers can give the option to generate a bearer token for people who want to configure automated scripts without interactive GUI, where implicit grant cannot be used.

[raucao]

Also, I'd like to see PIN flow before password flow, so that apps never see a (much more powerful) account password. :)

[untitaker]

Do we really want this in draft-07? Proposing "maybe one day" milestone.

[raucao]

We actually support redirect flow in Cordova in remotestorage.js these days (which would cover the Cozy app it seems), and ownCloud can do the same using an in-app browser window. Revealing your account password to apps is not really required for auth in native/mobile apps.

[untitaker]

Then I suppose we agree?

BTW having a "whenever" milestone is IMO semantically equivalent to not having any milestone.

On Sat, May 28, 2016 at 07:11:23AM -0700, Sebastian Kippe wrote:

We actually support redirect flow in Cordova in rs.js these days (which would cover the Cozy app it seems), and ownCloud can do the same using an in-app browser window. Revealing your account password to apps is not really required for auth in native/mobile apps.

---

You are receiving this because you commented. Reply to this email directly or view it on GitHub: https://github.com/remotestorage/spec/issues/83#issuecomment-222310541

[raucao]

Yes. I tried to signal agreement via the thumbs-up on your comment.

[raucao]

Proposing to close this issue for now, because afaics nobody could bring a strong enough argument for why redirect flow isn't enough. WDYT?