Am 21.04.2010 17:31, schrieb Evan Gilbert:


On Tue, Apr 20, 2010 at 10:29 PM, Torsten Lodderstedt <[email protected] <mailto:[email protected]>> wrote:

    Am 21.04.2010 02:45, schrieb Evan Gilbert:


    On Tue, Apr 20, 2010 at 12:57 PM, Torsten Lodderstedt
    <[email protected] <mailto:[email protected]>> wrote:

        Hi all,

        I would like to propose an additional variant of the Web
        Server Flow w/o the need for direct communication between
        client and authorization server in order to obtain authorized
        access/refresh tokens. Instead access and refresh tokens
        should directly be send back with the redirect to the client
        as it is the case in the User-Agent Flow.


    Question (and sorry if I'm being dense) - what is the delta
    between Web Server flow + verification_code=false and User-Agent
    flow?

    This is not a dense question :-)

    The User Agent Flow adds the data as URL fragment which is not
    passed to the web server (as far as I understand). My proposal
    adds this data as URL query parameters, which are passed to the
    web server by the user agent.


At one point we had tokens in query string for the User-Agent flow, but there were concerns about the security side. Query parameters are much more likely to leak in logs and in referrers.

It's not a lot of work to support this functionality with the existing User-Agent flow using a boilerplate response page. Page would:
1. Grab fragment
2. Make XMLHttpRequest with access token & refresh token to server, or POST a form
3. Redirect to destination page.

Would this work?

I think this would work but is IMHO somehow cumbersome and requires two requests to the service. Alternatively, the authorization server could directly respond with a HTML page containing a HTML form element with all response data. This form could automatically be submited to the service using JavaScript. This would be similar to OpenIds "HTML FORM Redirection".

regards,
Torsten.
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth

Reply via email to