[Openid-specs-ab] User Agent Flow

Ryo Ito ritou.06 at gmail.com
Wed Jan 19 07:08:35 UTC 2011

Hi Nat.


This is indirect communication, and the HTTP status code is not clearly defined.

Spec :
The client directs the end-user to the constructed URI using an HTTP
redirection response, or by other means available to it via the
end-user's user-agent.


At (A), the method of the redirect depends on the implementation of the Client,
but we can easily imagine that the AuthZ Server directs the user to the callback URI
by an HTTP response of the web server in (C).

So, I think that the HTTP status code should be defined in (C).


In Twitter @Anywhere and Facebook, the JavaScript converts the value
of the fragment into a cookie.

The domain of the cookie is as follows.
- Anywhere : api.twitter.com
- Facebook : Client's domain

Facebook's cookie is accessible by the web server.
Anywhere's implementation needs to include a third party's JS.

What is the best practice for this processing?


2011/1/19 Nat Sakimura <sakimura at gmail.com>:
> Hi.
> I am starting the User-Agent Flow Binding. I have vague points in the
> OAuth User-Agent Flow though so some clarification is appreciated.
> (A)
> The client sends the user-agent to the end-user authorization endpoint
> as described in Section 4. The client includes its client identifier,
> requested scope, local state, and a redirect URI to which the
> authorization server will send the end-user back once authorization is
> granted (or denied).
> ===> Is the client sending the request through HTTP redirect or is it
> just doing a GET? If it were HTTP redirect, would it be 302 or 303 or
> 307?
> (B)
> The authorization server authenticates the end-user (via the
> user-agent) and establishes whether the end-user grants or denies the
> client's access request.
> ===> How does the server show the consent screen if the client was
> just doing GET? Does this imply that it actually should have been
> redirecting in (A)?
> (C)
> If the end-user granted access, the authorization server redirects the
> user-agent to the redirection URI provided earlier. The redirection
> URI includes the access token in the URI fragment.
> ===> Is it HTTP redirect?  If so, which redirect code? (302, 303, 307)
> (D)
> The user-agent follows the redirection instructions by making a
> request to the web server which does not include the fragment. The
> user-agent retains the fragment information locally.
> (E)
> The web server returns a web page (typically an HTML page with an
> embedded script) capable of accessing the full redirection URI
> including the fragment retained by the user-agent, and extracting the
> access token (and other parameters) contained in the fragment.
> (F)
> The user-agent executes the script provided by the web server locally,
> which extracts the access token and passes it to the client.
> ===> How does it pass it to the client?
> --
> Nat Sakimura (=nat)
> http://www.sakimura.org/en/
> http://twitter.com/_nat_en
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-ab

Ryo Ito
Email : ritou.06 at gmail.com
