Am 21.04.2010 02:45, schrieb Evan Gilbert:


On Tue, Apr 20, 2010 at 12:57 PM, Torsten Lodderstedt <[email protected] <mailto:[email protected]>> wrote:

    Hi all,

    I would like to propose an additional variant of the Web Server
    Flow w/o the need for direct communication between client and
    authorization server in order to obtain authorized access/refresh
    tokens. Instead access and refresh tokens should directly be send
    back with the redirect to the client as it is the case in the
    User-Agent Flow.


Question (and sorry if I'm being dense) - what is the delta between Web Server flow + verification_code=false and User-Agent flow?

This is not a dense question :-)

The User Agent Flow adds the data as URL fragment which is not passed to the web server (as far as I understand). My proposal adds this data as URL query parameters, which are passed to the web server by the user agent.

I think the delta is small in terms of specification but the benefit for large-scale OAuth 2.0 deployments would be significant.

regards,
Torsten.
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth

Reply via email to