Hi owenm, I just want to confirm what "accessing protected resources" means. Does it only mean fetching data from the Service Provider? Actually, I just want to ask whether a Consumer can be redirected to the member-area pages of the Service Provider with just an AccessToken.
On Tue, May 5, 2009 at 1:16 AM, Owen Evans <[email protected]> wrote:
> Hi Simone,
> 1) Yes, in my experience you should be storing, on the SP side, the link between request token and consumer at the time when the request token is generated.
>
> 2) This is up to you. All you're generating is a key to give access to "some resource"; how that key is secured, and whether it gives only partial access to the system, should be dependent on what makes sense in your application. A lot of services have a way of registering which resources the consumer will need when registering for a consumer token. Google OAuth has ways of specifying which "Systems" you want to have access to.
>
> 3) The SP needs to store as much information as is needed to create an access token that gives access to the correct user, so either you pre-generate the access token and attach that to the user and the request token, or you attach the user to the request token and generate an access token later (when the call to swap the request token for the access token is received). These implementation details are left to you, as there's no way of telling you how your system could/should work. All you need to make sure is that when I, as a consumer, swap my request token for an access token, I am given an access token that allows permission to get at the resources the user allowed me access to.
>
> Cheers
> Owen
>
> 2009/5/4 Simone <[email protected]>
>
>> Hi, I'm new in this group. I'm studying the OAuth protocol and there are some questions I would like to ask you in order to verify that I've understood it well. I've already read many posts in this group about these questions, but I want to join them all together.
>>
>> I know that Core 1.0 leaves the Service Provider the freedom to implement its role in the protocol; in fact, in the next questions I try to understand what hypothetically should happen.
>>
>> 1) Service Provider side, what happens immediately after the Consumer makes a request for an unauthorized Request Token? Does the Service Provider create a local entry in its database with the binding between the Request Token and the Consumer? Because in the next step the Consumer redirects the User to log in at the Service Provider, and the Service Provider shows the User that a specific Consumer wants access to the resources, but how does it know which specific Consumer this is? So I suppose that the previous local entry can be useful in this step, because the Service Provider can search its database for the entry for the Request Token and find the corresponding Consumer. Is this correct, or does something else happen in this step?
>>
>> 2) "By default", after the User is redirected by the Consumer to the Service Provider, if the User authorizes the Consumer, does the User grant access to all of its resources? "By default" in the sense that, if I'm not wrong, the Service Provider can also implement a way to grant limited access, for example read-only access.
>>
>> 3) Service Provider side, what happens immediately after the User grants access to the Consumer? Does the Service Provider create a local entry in its database with the binding between the Request Token and the User, or between the User and the Consumer? Because afterwards, when the Consumer makes a request for an Access Token, the Service Provider needs to know which User is involved, or not?
>>
>> Thanks to everybody :)

--
You received this message because you are subscribed to the Google Groups "OAuth" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to [email protected]
For more options, visit this group at http://groups.google.com/group/oauth?hl=en
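The three bindings Owen describes (request token to consumer at issue time, user and granted scope to request token at authorization time, request token swapped once for an access token that resolves back to that user) as a minimal service-provider token store. This is an added example, not code from the thread or from any OAuth library; the class, method and consumer names are hypothetical, and it only models SP-side state, not the HMAC-SHA1 request signing of Core 1.0. It goes beyond what the thread discusses in one respect: the `verifier` returned at authorization is the `oauth_verifier` that OAuth 1.0a (RFC 5849) added after Core 1.0, and the exchange step checks it along with the consumer match, single use and a short lifetime.

```python
# Added example (not from the thread): OAuth 1.0-style service-provider token
# store illustrating which facts the SP records at each step. All names are
# hypothetical; the request-token lifetime below is an assumed value.
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple


@dataclass
class RequestToken:
    token: str
    secret: str
    consumer_key: str                        # (1) bound when the token is issued
    issued_at: float
    user_id: Optional[str] = None            # (3) bound when the user authorizes
    scope: FrozenSet[str] = frozenset()      # (2) what the user actually granted
    verifier: Optional[str] = None           # oauth_verifier (OAuth 1.0a / RFC 5849, not Core 1.0)
    exchanged: bool = False                  # a request token may be swapped only once


@dataclass
class AccessToken:
    token: str
    secret: str
    consumer_key: str
    user_id: str
    scope: FrozenSet[str]


class ServiceProvider:
    """SP-side state only; verifying the signatures on the HTTP requests is out of scope here."""

    REQUEST_TOKEN_TTL = 600  # seconds a request token may wait for authorization (assumed)

    def __init__(self, consumers: Dict[str, Tuple[str, str]]):
        # consumer_key -> (display name shown on the approval page, consumer secret)
        self.consumers = dict(consumers)
        self.request_tokens: Dict[str, RequestToken] = {}
        self.access_tokens: Dict[str, AccessToken] = {}

    # Step 1: the consumer asks for an unauthorized request token.
    def issue_request_token(self, consumer_key: str) -> Tuple[str, str]:
        if consumer_key not in self.consumers:
            raise PermissionError("unknown consumer")
        rt = RequestToken(token=secrets.token_urlsafe(16), secret=secrets.token_urlsafe(24),
                          consumer_key=consumer_key, issued_at=time.time())
        self.request_tokens[rt.token] = rt
        return rt.token, rt.secret

    # Step 2: the user arrives with the request token; the SP looks up who is asking.
    def consumer_name_for(self, request_token: str) -> str:
        rt = self.request_tokens[request_token]          # KeyError for a token never issued
        return self.consumers[rt.consumer_key][0]

    # Step 3: the user approves, possibly a subset of what the consumer wanted.
    def authorize(self, request_token: str, user_id: str, granted_scope) -> str:
        rt = self.request_tokens[request_token]
        if rt.user_id is not None:
            raise PermissionError("request token already authorized")
        rt.user_id = user_id
        rt.scope = frozenset(granted_scope)
        rt.verifier = secrets.token_urlsafe(8)
        return rt.verifier   # returned to the consumer via the callback

    # Step 4: the consumer swaps the authorized request token for an access token.
    def exchange(self, consumer_key: str, request_token: str, verifier: str) -> Tuple[str, str]:
        rt = self.request_tokens.get(request_token)
        if rt is None or rt.exchanged:
            raise PermissionError("unknown or already exchanged request token")
        if not hmac.compare_digest(rt.consumer_key, consumer_key):
            raise PermissionError("request token belongs to a different consumer")
        if rt.user_id is None or rt.verifier is None:
            raise PermissionError("request token was never authorized by a user")
        if not hmac.compare_digest(rt.verifier, verifier):
            raise PermissionError("bad verifier")
        if time.time() - rt.issued_at > self.REQUEST_TOKEN_TTL:
            raise PermissionError("request token expired")
        rt.exchanged = True
        at = AccessToken(token=secrets.token_urlsafe(16), secret=secrets.token_urlsafe(24),
                         consumer_key=consumer_key, user_id=rt.user_id, scope=rt.scope)
        self.access_tokens[at.token] = at
        return at.token, at.secret

    # Protected resource access: the token yields both the user and the granted scope.
    def resolve(self, consumer_key: str, access_token: str, resource: str) -> str:
        at = self.access_tokens.get(access_token)
        if at is None or not hmac.compare_digest(at.consumer_key, consumer_key):
            raise PermissionError("unknown access token for this consumer")
        if resource not in at.scope:
            raise PermissionError(f"user did not grant {resource}")
        return at.user_id


def demo() -> dict:
    """Run the whole exchange once on constructed data and report what each step produced."""
    sp = ServiceProvider({"photo-printer": ("Photo Printer", "printer-secret")})
    rt, _ = sp.issue_request_token("photo-printer")
    asking = sp.consumer_name_for(rt)                        # shown on the approval page
    verifier = sp.authorize(rt, "simone", ["photos:read"])   # user grants read only
    at, _ = sp.exchange("photo-printer", rt, verifier)
    owner = sp.resolve("photo-printer", at, "photos:read")
    try:
        sp.resolve("photo-printer", at, "photos:write")
        write_allowed = True
    except PermissionError:
        write_allowed = False
    return {"asking": asking, "owner": owner, "write_allowed": write_allowed}


if __name__ == "__main__":
    print(demo())
```

The point of keeping the consumer key on the request token (Owen's answer to question 1) is visible in `exchange`: a different consumer that obtains a leaked request token and verifier still cannot swap it, and the token cannot be swapped twice. Whether the access token also grants entry to the SP's member-area pages, as the reply above asks, is not something this store decides; it only tells the SP which user and which scope the token stands for.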
