outmoded / oz

Web Authorization Protocol

Proposals for 2 More Oz Workflows

shawm11 opened this issue · comments

I have proposals for two additional workflows for Oz: the "User Credentials Workflow" and the "Implicit Workflow". These proposed workflows would address stateless user authentication, which is something that many people who are interested in Oz are looking for. However, the current Oz workflow is meant to be used for third-party application authorization, not user authentication.

Here is a summary of the workflows, including the proposed workflows:

  • RSVP Workflow — The name I give to the Oz workflow, because it would be the only workflow that utilizes an RSVP. This workflow is intended to be used only for third-party application authorization.

  • User Credentials Workflow — (Proposed Workflow) Intended to be used for user authentication. The application is registered with the server. The application receives the user's credentials (e.g. username and password) directly from the user and sends them to the server to get a user ticket.
    Link: User Credentials Workflow proposal document

  • Implicit (Mobile) Workflow — (Proposed Workflow) Intended to be used for user authentication. The application is NOT registered with the server. The application receives the user's credentials (e.g. username and password) directly from the user and sends them to the server to get a user ticket. This would be the only workflow that mobile apps and JavaScript apps would be able to implement easily (without WebViews or an external web browser) because they cannot keep an application secret key.
    Link: Implicit Workflow proposal document

The proposal documents for the new workflows are not intended to be protocol specifications. They are just overviews, suggestions, and explanations of what I am proposing.

For those familiar with OAuth 2.0, the following table shows the comparable Oz workflow (including the proposed workflows) to each OAuth 2.0 workflow. These are not exact comparisons, but there are enough similarities in things such as general workflow and purpose.

OAuth 2.0 Workflow                   Oz Workflow
Authorization Code                   RSVP
Implicit                             Implicit
Resource Owner Password Credentials  User Credentials
Client Credentials                   Hawk

To implement the proposed flows, an /oz/user endpoint (which is similar to /oz/rsvp) would need to be added to the Oz.endpoints code (Oz.endpoints.user); other code should be able to be left as is. This would make the implementation of the proposed workflows backward-compatible with the current version of Oz.

I was going to implement the User Credentials Workflow and the Implicit Workflow in my own package separately, but I thought it would be better if these workflows were officially incorporated into Oz. So, before anything is implemented, I would like to discuss the proposed workflows with the community and get feedback.