On Tue, May 11, 2010 at 2:29 PM, Paul Madsen <[email protected]> wrote:
> Hi Marius, I'm thinking the AS would create a 'dynamic' URI, embed it in a
> QR code and add it to the response to the client (perhaps as you say in
> addition to the raw URI & user code). There would be no user-code, as we
> would no longer be constrained by the user's short-term memory for strings

I see, this would allow for a longer user code. Yes, an extension
would be needed for this case.

> If (as you describe) the client creates the QR code from the 'raw' URI and
> user-code that the AS provided it, then there would need be sufficient OAuth
> smarts on the phone to reconstruct the URI and code from the QR code the
> client displayed

The client can simply append the user code as a query parameter, so
the phone still deals with just a URL. But I guess the authz server
may or may not accept that (it could require a special param name for
the code or POST only).

> If, on the other hand, the AS creates the QR code from a URI it generates,
> then the phone need only launch a browser to load that URI.

Maybe we should start a thread about extensions. Sounds like a good
topic for next week :-)

Thanks for clarifying.

Marius
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
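
The query-parameter approach discussed in the message above, as an added example that is not part of the original thread: the client folds the user code into the verification URI before rendering the QR code, and the authorization server reads it back. The parameter name `user_code`, both function names and the sample values are assumptions made for illustration.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Hypothetical parameter name; the thread notes the authorization server
# may require its own name for the code, or accept it by POST only.
CODE_PARAM = "user_code"


def build_scan_url(verification_uri: str, user_code: str, param: str = CODE_PARAM) -> str:
    """Client side: fold the user code into the URL that goes into the QR code."""
    parts = urlsplit(verification_uri)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("verification URI must be an absolute https URL")
    if parts.fragment:
        raise ValueError("verification URI must not carry a fragment")
    # Keep any query the server already put on its URI, but refuse to add
    # a second copy of the code parameter (ambiguous for the server).
    query = parse_qsl(parts.query, keep_blank_values=True)
    if any(name == param for name, _ in query):
        raise ValueError("verification URI already carries " + param)
    query.append((param, user_code))  # urlencode percent-encodes the value
    return urlunsplit(parts._replace(query=urlencode(query)))


def read_user_code(scanned_url: str, param: str = CODE_PARAM) -> str:
    """Server side: accept exactly one non-empty code parameter."""
    pairs = parse_qsl(urlsplit(scanned_url).query, keep_blank_values=True)
    values = [value for name, value in pairs if name == param]
    if len(values) != 1 or not values[0]:
        raise ValueError("expected exactly one " + param)
    return values[0]


# Constructed sample values, not taken from the thread. The code contains
# characters that would break a URL if concatenated without encoding.
SAMPLE_URI = "https://as.example/device?lang=en"
SAMPLE_CODE = "k3 Zq+9/w&x=1"

if __name__ == "__main__":
    url = build_scan_url(SAMPLE_URI, SAMPLE_CODE)
    print(url)
    print(read_user_code(url))
```
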
