[Openid-specs-ab] User Agent Flow

Nat Sakimura sakimura at gmail.com
Wed Jan 19 03:07:31 UTC 2011

I am starting the User-Agent Flow Binding. I have vague points in the
OAuth User-Agent Flow though so some clarification is appreciated.

The client sends the user-agent to the end-user authorization endpoint
as described in Section 4. The client includes its client identifier,
requested scope, local state, and a redirect URI to which the
authorization server will send the end-user back once authorization is
granted (or denied).

===> Is the client sending the request through HTTP redirect or is it
just doing a GET? If it were HTTP redirect, would it be 302 or 303 or

The authorization server authenticates the end-user (via the
user-agent) and establishes whether the end-user grants or denies the
client's access request.

===> How does the server show the consent screen if the client was
just doing GET? Does this imply that it actually should have been
redirecting in (A)?

If the end-user granted access, the authorization server redirects the
user-agent to the redirection URI provided earlier. The redirection
URI includes the access token in the URI fragment.

===> Is it HTTP redirect?  If so, which redirect code? (302, 303, 307)

The user-agent follows the redirection instructions by making a
request to the web server which does not include the fragment. The
user-agent retains the fragment information locally.

The web server returns a web page (typically an HTML page with an
embedded script) capable of accessing the full redirection URI
including the fragment retained by the user-agent, and extracting the
access token (and other parameters) contained in the fragment.

The user-agent executes the script provided by the web server locally,
which extracts the access token and passes it to the client.

===> How does it pass it to the client?

Nat Sakimura (=nat)
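The fragment hand-off the quoted draft text describes, as an added example that is not part of the original post or of the OAuth draft it quotes: the authorization server's redirect carries the token in the URI fragment, the user-agent requests the redirection URI without that fragment, and the returned page's script reads it and checks the local state before accepting the token. The redirection URI, token and state values are constructed sample data; the helpers take the hash as a string so they run outside a browser.

```javascript
// Added example, not code from the post or the OAuth draft. Uses Node's
// built-in URLSearchParams; all URIs and parameter values are constructed.

// Authorization server side: build the redirect that sends the user-agent
// back to the client's redirection URI with the token in the URI fragment.
// The draft only says "redirects the user-agent"; the status code is a
// parameter here because the post asks which one applies (302/303/307).
function buildTokenRedirect(redirectUri, token, state, status = 302) {
  const frag = new URLSearchParams({
    access_token: token,
    token_type: "bearer",
    expires_in: "3600",
    state: state,
  });
  const location = `${redirectUri}#${frag.toString()}`;
  return { status, headers: { Location: location } };
}

// What the web server actually receives when the user-agent follows the
// redirect: the URI with the fragment stripped, so the token never appears
// in the server's request line or access logs.
function requestTargetFromLocation(location) {
  return location.split("#")[0];
}

// User-agent side: the page's script reads window.location.hash (passed in
// here as a string) and splits it into the token and its companion
// parameters.
function parseFragment(hash) {
  const raw = hash.startsWith("#") ? hash.slice(1) : hash;
  const out = {};
  for (const [k, v] of new URLSearchParams(raw)) out[k] = v;
  return out;
}

// Before the script hands the token to the client, it compares the returned
// state with the state the client stored locally when it started the flow;
// a mismatch means the response was not the one this client requested, and
// the token is rejected rather than passed on.
function acceptToken(fragmentParams, expectedState) {
  if (!fragmentParams.access_token) return null;
  if (fragmentParams.state !== expectedState) return null;
  return fragmentParams.access_token;
}
```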
