[Openid-specs-ab] User Agent Flow

Nat Sakimura sakimura at gmail.com
Wed Jan 19 03:07:31 UTC 2011


Hi.
I am starting the User-Agent Flow Binding. I have vague points in the
OAuth User-Agent Flow though so some clarification is appreciated.

(A)
The client sends the user-agent to the end-user authorization endpoint
as described in Section 4. The client includes its client identifier,
requested scope, local state, and a redirect URI to which the
authorization server will send the end-user back once authorization is
granted (or denied).

===> Is the client sending the request through HTTP redirect or is it
just doing a GET? If it were HTTP redirect, would it be 302 or 303 or
307?

(B)
The authorization server authenticates the end-user (via the
user-agent) and establishes whether the end-user grants or denies the
client's access request.

===> How does the server show the consent screen if the client was
just doing GET? Does this imply that it actually should have been
redirecting in (A)?


(C)
If the end-user granted access, the authorization server redirects the
user-agent to the redirection URI provided earlier. The redirection
URI includes the access token in the URI fragment.

===> Is it HTTP redirect?  If so, which redirect code? (302, 303, 307)


(D)
The user-agent follows the redirection instructions by making a
request to the web server which does not include the fragment. The
user-agent retains the fragment information locally.


(E)
The web server returns a web page (typically an HTML page with an
embedded script) capable of accessing the full redirection URI
including the fragment retained by the user-agent, and extracting the
access token (and other parameters) contained in the fragment.


(F)
The user-agent executes the script provided by the web server locally,
which extracts the access token and passes it to the client.

===> How does it pass it to the client?

--
Nat Sakimura (=nat)
http://www.sakimura.org/en/
http://twitter.com/_nat_en
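Steps (D) through (F) hinge on the fragment staying in the browser: the request in (D) never carries it, so the script served in (E) has to read it out of the full URI itself. This added example (not from the thread, the draft, or any implementation) shows that extraction in browser JavaScript; it assumes the fragment holds form-encoded pairs (access_token, token_type, expires_in, state) and that the client compares the echoed state with the local state it sent in (A) before accepting the token.

```javascript
// Added example: recover the access token the user-agent retained in the
// URI fragment (step D), as the script delivered in step (E) would (step F).

function parseFragment(fullUri) {
  // Everything after the first '#'. The web server only ever saw the part
  // before it, so this parsing can only happen in the user-agent.
  const hashIndex = fullUri.indexOf('#');
  if (hashIndex === -1) return {};
  const fragment = fullUri.slice(hashIndex + 1);
  const params = {};
  for (const pair of fragment.split('&')) {
    if (!pair) continue;
    const eq = pair.indexOf('=');
    const key = decodeURIComponent(eq === -1 ? pair : pair.slice(0, eq));
    const raw = eq === -1 ? '' : pair.slice(eq + 1);
    params[key] = decodeURIComponent(raw.replace(/\+/g, ' '));
  }
  return params;
}

// Hands back the token material only when the echoed 'state' equals the
// local state the client attached in step (A); anything else is rejected,
// so a redirect the client did not initiate yields no token.
function extractAccessToken(fullUri, expectedState) {
  const p = parseFragment(fullUri);
  if (!p.access_token || p.state !== expectedState) return null;
  return {
    accessToken: p.access_token,
    tokenType: p.token_type || null,
    expiresIn: p.expires_in ? Number(p.expires_in) : null,
  };
}

// Constructed sample of window.location.href after the redirect in step (C);
// the token and state values are made up for this example.
const SAMPLE_REDIRECT =
  'https://client.example.org/cb#access_token=tok_constructed_example' +
  '&token_type=bearer&expires_in=3600&state=xyz';

// In a real page the script would call:
//   extractAccessToken(window.location.href, localStateSavedBeforeStepA)
```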