[Openid-specs-ab] User Agent Flow
ritou.06 at gmail.com
Wed Jan 19 07:08:35 UTC 2011
This is an indirect communication.
The HTTP Status Code is not defined clearly.
The client directs the end-user to the constructed URI using an HTTP
redirection response, or by other means available to it via the
At (A), the method of the redirect depends on the implementation of the Client,
but we can easily imagine that the AuthZ Server directs the user to the callback URI
by the HTTP Response of the Web Server in (C).
So, I think that the HTTP Status Code should be defined in (C).
of the fragment into Cookie.
The domain of the cookie is as follows.
- Anywhere : api.twitter.com
- Facebook : Client's domain
Facebook's cookie is accessible by the web server.
Anywhere's implementation needs to include the 3rd party's JS.
What is the best practice for this processing?
2011/1/19 Nat Sakimura <sakimura at gmail.com>:
> I am starting the User-Agent Flow Binding. I have vague points in the
> OAuth User-Agent Flow though so some clarification is appreciated.
> The client sends the user-agent to the end-user authorization endpoint
> as described in Section 4. The client includes its client identifier,
> requested scope, local state, and a redirect URI to which the
> authorization server will send the end-user back once authorization is
> granted (or denied).
> ===> Is the client sending the request through HTTP redirect or is it
> just doing a GET? If it were HTTP redirect, would it be 302 or 303 or
> The authorization server authenticates the end-user (via the
> user-agent) and establishes whether the end-user grants or denies the
> client's access request.
> ===> How does the server show the consent screen if the client was
> just doing GET? Does this imply that it actually should have been
> redirecting in (A)?
> If the end-user granted access, the authorization server redirects the
> user-agent to the redirection URI provided earlier. The redirection
> URI includes the access token in the URI fragment.
> ===> Is it HTTP redirect? If so, which redirect code? (302, 303, 307)
> The user-agent follows the redirection instructions by making a
> request to the web server which does not include the fragment. The
> user-agent retains the fragment information locally.
> The web server returns a web page (typically an HTML page with an
> embedded script) capable of accessing the full redirection URI
> including the fragment retained by the user-agent, and extracting the
> access token (and other parameters) contained in the fragment.
> The user-agent executes the script provided by the web server locally,
> which extracts the access token and passes it to the client.
> ===> How does it pass to the client?
> Nat Sakimura (=nat)
Email : ritou.06 at gmail.com
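As an added example (not code from either message in this thread), the following shows how a client-side script would handle step (C) of the User-Agent Flow quoted above: which part of the redirect URI the user-agent sends to the web server, which part it retains, and how the access token is taken from the fragment and checked against the state sent in (A). The parameter names follow the OAuth user-agent flow; the redirect URI, client host and state value are constructed sample values.

```javascript
// Added example, not from the thread. Illustrative client-side handling of
// the User-Agent Flow redirect; the host, token and state are constructed.

// Split the redirect URI into the part the user-agent actually sends to
// the web server (scheme, host, path, query) and the fragment it keeps
// locally. The server never receives the fragment, so never sees the token.
function splitRedirect(redirectUri) {
  const u = new URL(redirectUri);
  return {
    sentToServer: u.origin + u.pathname + u.search,
    retainedFragment: u.hash.startsWith('#') ? u.hash.slice(1) : u.hash,
  };
}

// Parse the fragment ("access_token=...&token_type=...&expires_in=...&state=...")
// and check it against the state the client generated before step (A).
// Returns { ok: true, token } or { ok: false, error }.
function extractAccessToken(redirectUri, expectedState) {
  const u = new URL(redirectUri);
  // A token carried in the query string would already have reached the web
  // server and its logs; the flow requires the fragment, so reject that case.
  if (u.searchParams.has('access_token')) {
    return { ok: false, error: 'access_token in query, not fragment' };
  }
  const params = new URLSearchParams(u.hash.slice(1));
  if (params.has('error')) {
    return { ok: false, error: params.get('error') };
  }
  const token = params.get('access_token');
  if (!token) return { ok: false, error: 'no access_token in fragment' };
  // state binds this response to the request this user-agent started;
  // a mismatch means the response belongs to some other request.
  if (!expectedState || params.get('state') !== expectedState) {
    return { ok: false, error: 'state mismatch' };
  }
  return {
    ok: true,
    token: {
      accessToken: token,
      tokenType: params.get('token_type') || 'bearer',
      expiresIn: params.has('expires_in') ? Number(params.get('expires_in')) : null,
    },
  };
}

// Constructed sample redirect, as the user-agent receives it in step (C).
const SAMPLE_REDIRECT =
  'https://client.example.com/cb?foo=bar#access_token=EXAMPLE_TOKEN&token_type=bearer&expires_in=3600&state=xyz123';
```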