Actually we'd want to do that step after authentication and before authorization.
Hubert

On Fri, Apr 24, 2009 at 3:41 PM, Hubert Le Van Gong <[email protected]> wrote:
> Great discussion!
>
> If I'm correct we'd be OK if, during the authorization step, SP could get a
> confirmation that the user who has just authenticated is the same as
> the one that triggered the 1st step at the Consumer (request token retrieval).
>
> How about something like:
>
> - Since in the std 3-legged scenario, the user logs in before the request for
> the request token is performed, the Consumer could maintain a mapping
> between the user's ID and the request token.
>
> - We could then add a "confirmation step" just after the authorization one
> (before redirecting to the callback URL) where the SP redirects the UA
> (along with the request token) to the Consumer so that the latter can
> verify the mapping. If the user has an existing authenticated session
> (at the Consumer) then this can be transparent. If not, the user
> authenticates. In both cases the Consumer can then check that the
> current user corresponds to the one in its mapping table.
>
> I realize it requires an extra step but, lacking identity federation, that's the
> only thing I can think of...
>
> HTH
> Hubert
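As an added example, not code from this thread or from any OAuth implementation, here is the Consumer-side part of the proposal quoted above in Python: the Consumer records which logged-in user obtained each request token, and at the confirmation step (the UA arriving back with the request token) it checks that the current session user is the one in that mapping. The class and method names, the status strings, and the `secrets`-generated stand-in for the request token the SP would return are assumptions made for illustration; a real Consumer would store the mapping server-side with an expiry and use the token string the SP actually issued.

```python
import secrets


class Consumer:
    """Minimal model of the Consumer side of the proposed mapping check.

    token_owner is the "mapping table" from the proposal: request token -> user ID
    of the Consumer user who was logged in when that token was fetched.
    """

    def __init__(self):
        self.token_owner = {}

    def start_authorization(self, session_user):
        """Step 1: the user is already logged in at the Consumer when the
        request token is obtained, so bind the token to that user."""
        if session_user is None:
            raise ValueError("request token must be fetched by a logged-in user")
        # Stand-in for the request token returned by the SP (assumption: the SP
        # would supply this value; here it is generated locally so the example runs).
        request_token = secrets.token_urlsafe(16)
        self.token_owner[request_token] = session_user
        return request_token

    def confirm(self, session_user, request_token):
        """Confirmation step: the SP has redirected the UA back to the Consumer
        with the request token, before the callback URL is used.

        Returns one of:
          "ok"             - current user matches the user who started step 1
          "unknown_token"  - no mapping for this token (never issued, or already used)
          "login_required" - no Consumer session; the user must authenticate, then retry
          "user_mismatch"  - a different user arrived with this token; token is discarded
        """
        owner = self.token_owner.get(request_token)
        if owner is None:
            return "unknown_token"
        if session_user is None:
            # Keep the mapping so the same user can come back after logging in.
            return "login_required"
        if owner != session_user:
            # Design choice in this example: a token presented by the wrong user is
            # invalidated outright rather than left for a later, correct attempt.
            del self.token_owner[request_token]
            return "user_mismatch"
        # Single use: once confirmed, the mapping is consumed so the token cannot
        # be replayed through the confirmation step again.
        del self.token_owner[request_token]
        return "ok"


if __name__ == "__main__":
    c = Consumer()
    tok = c.start_authorization("alice")
    print(c.confirm("alice", tok))    # ok
    print(c.confirm("alice", tok))    # unknown_token (already consumed)
    tok = c.start_authorization("alice")
    print(c.confirm("bob", tok))      # user_mismatch
```

The important property is that `confirm` compares the user of the *current* Consumer session against the user recorded at request-token time, so a request token obtained in one user's session cannot be completed in another's; the "login_required" branch is the transparent-or-authenticate case the proposal describes.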
