[Openid-specs-ab] User Agent Flow
sakimura at gmail.com
Wed Jan 19 03:07:31 UTC 2011
I am starting the User-Agent Flow Binding. I have vague points in the
OAuth User-Agent Flow though so some clarification is appreciated.
The client sends the user-agent to the end-user authorization endpoint
as described in Section 4. The client includes its client identifier,
requested scope, local state, and a redirect URI to which the
authorization server will send the end-user back once authorization is
granted (or denied).
===> Is the client sending the request through HTTP redirect or is it
just doing a GET? If it were HTTP redirect, would it be 302 or 303 or
The authorization server authenticates the end-user (via the
user-agent) and establishes whether the end-user grants or denies the
client's access request.
===> How does the server show the consent screen if the client was
just doing GET? Does this imply that it actually should have been
redirecting in (A)?
If the end-user granted access, the authorization server redirects the
user-agent to the redirection URI provided earlier. The redirection
URI includes the access token in the URI fragment.
===> Is it HTTP redirect? If so, which redirect code? (302, 303, 307)
The user-agent follows the redirection instructions by making a
request to the web server which does not include the fragment. The
user-agent retains the fragment information locally.
The web server returns a web page (typically an HTML page with an
embedded script) capable of accessing the full redirection URI
including the fragment retained by the user-agent, and extracting the
access token (and other parameters) contained in the fragment.
The user-agent executes the script provided by the web server locally,
which extracts the access token and passes it to the client.
===> How does it pass it to the client?
Nat Sakimura (=nat)
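The flow quoted in the message above, simulated end to end as an added example (this is not code from the original post, from the OpenID AB working group, or from any OAuth draft). The parameter names it uses (response_type=token, client_id, scope, state, redirect_uri, access_token) are the OAuth 2.0 names; the endpoints, client identifier, state value and token are made up. It models each hop as data: the authorization request URL built in step (A), the authorization server's 302 answer whose Location carries the result in the fragment (C), the user-agent splitting that Location into the fragment-less request it sends and the fragment it keeps (D), and the page script parsing the retained fragment and refusing a result whose state does not match the value the client generated (F).

```javascript
// Added example, not from the original post or any OAuth draft. All
// endpoints, client ids, state values and tokens below are constructed.

// Step (A): the client builds the authorization request URL that the
// user-agent is sent to. Parameters travel in the query string.
function buildAuthorizationRequest(authorizationEndpoint, { clientId, scope, state, redirectUri }) {
  const url = new URL(authorizationEndpoint);
  url.searchParams.set('response_type', 'token');
  url.searchParams.set('client_id', clientId);
  url.searchParams.set('scope', scope);
  url.searchParams.set('state', state);
  url.searchParams.set('redirect_uri', redirectUri);
  return url.toString();
}

// Steps (B)/(C): a toy authorization server. Once the end-user has decided,
// it answers with an HTTP redirect whose Location carries the result in the
// URI fragment (never the query) and echoes the client's state.
function authorizationServerResponse(requestUrl, { granted, registeredRedirectUri, accessToken }) {
  const req = new URL(requestUrl);
  const redirectUri = req.searchParams.get('redirect_uri');
  const state = req.searchParams.get('state');
  // Only redirect to the URI registered for this client; otherwise the
  // token would be delivered to whatever location the request named.
  if (redirectUri !== registeredRedirectUri) {
    return { status: 400, body: 'redirect_uri mismatch' };
  }
  const frag = new URLSearchParams();
  if (granted) {
    frag.set('access_token', accessToken);
    frag.set('token_type', 'bearer');
  } else {
    frag.set('error', 'access_denied');
  }
  if (state !== null) frag.set('state', state);
  return { status: 302, location: `${redirectUri}#${frag.toString()}` };
}

// Step (D): the user-agent follows the redirect. It requests the URL
// without the fragment and retains the fragment locally.
function userAgentFollowRedirect(response) {
  if (response.status !== 302 && response.status !== 303) {
    throw new Error(`not a redirect: ${response.status}`);
  }
  const loc = new URL(response.location);
  const fragment = loc.hash.startsWith('#') ? loc.hash.slice(1) : '';
  loc.hash = '';
  return { requestedUrl: loc.toString(), retainedFragment: fragment };
}

// Step (F): the script served by the web server parses the retained
// fragment. It rejects the result unless state equals the value the client
// generated in (A); that check is what stops a token being injected through
// a forged redirect to the callback page.
function extractTokenFromFragment(fragment, expectedState) {
  const params = new URLSearchParams(fragment);
  if (params.get('state') !== expectedState) {
    return { ok: false, error: 'state mismatch' };
  }
  if (params.has('error')) {
    return { ok: false, error: params.get('error') };
  }
  const token = params.get('access_token');
  if (!token) return { ok: false, error: 'no access_token in fragment' };
  return { ok: true, accessToken: token, tokenType: params.get('token_type') };
}

// Drive the whole flow with constructed values and return every hop.
function runUserAgentFlow({ granted = true } = {}) {
  const state = 'xyz123';
  const redirectUri = 'https://client.example.com/cb';
  const request = buildAuthorizationRequest('https://as.example.com/authorize',
    { clientId: 'client-1', scope: 'read', state, redirectUri });
  const response = authorizationServerResponse(request,
    { granted, registeredRedirectUri: redirectUri, accessToken: 'tok-abc' });
  const ua = userAgentFollowRedirect(response);
  const result = extractTokenFromFragment(ua.retainedFragment, state);
  return { request, response, ua, result };
}

console.log(JSON.stringify(runUserAgentFlow(), null, 2));
```

The `requestedUrl` the simulated user-agent sends is the bare callback URL, which is why the web server in step (E) never sees the token and has to return a script that reads it from `location.hash`. The state comparison in `extractTokenFromFragment` and the redirect_uri comparison in `authorizationServerResponse` are the two checks a practitioner would want on each side of the hop, whichever redirect status code ends up being used.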