Hi Thomas,

I don't understand why there would be an issue regarding logging and auditing if there's no Request Token, as in OAuth 1.0.

An OAuth2 Auth Server can audit that the user approved the request when the user approves the request after the client redirects the browser to the End-User Endpoint (Section 3.2 in Draft 5). In most of the flows, the client is required to submit the verification code that the AS sent to the client's redirect_uri in order to get the Access Token to get the user's data. The AS can also audit/log when the access token was returned to the client.

I think that Service Providers can log/audit:

1. The user's approval of the request
2. The client's request for the Access Token
3. The client's use of the Access Token to fetch a Protected Resource

I don't think that the removal of the OAuth 1.0 request token really affects logging/auditing. Perhaps I'm missing something?

Thanks
Allen

On 5/26/10 8:45 AM, "Thomas Hardjono" <[email protected]> wrote:

> Allen,
>
> If the explicit action of the Client sending a Request Token
> is removed, how does OAuth do logging and auditing?
>
> /thomas/
>
> __________________________________________
>
> From: [email protected] [mailto:[email protected]] On Behalf Of Allen Tom
> Sent: Tuesday, May 25, 2010 10:17 PM
> To: Murali VP; [email protected]
> Subject: Re: [OAUTH-WG] OAuth 2.0 questions/suggestions (based on draft 2-05)
>
> Yes, one of the design goals for OAuth-WRAP was to eliminate the request token.
>
> It is very tricky for SPs to implement the Request Token due to data replication issues. The Request token could be issued to the client in one data center, and then immediately submitted by the browser to a different data center. This means that the data has to be very quickly replicated.
>
> On the client side of things, if the AS's approval screen is displayed in a popup window (like Facebook Connect) - it could be tricky for the client to pre-fetch the request token before displaying the "Connect" button in order to get around popup blockers.
>
> Allen
>
> On 5/25/10 1:43 PM, "Murali VP" <[email protected]> wrote:
>
> > A relatively less important question:
> >
> > Since the request token has been eliminated, the web server flow (3.6) which comes close to the widely adopted OAuth 1.0's 3-legged oauth flow but without much of a dance isn't backward compatible, is this a known decision?
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
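The three audit points Allen lists (user approval, code-for-token exchange, token use against a protected resource) are easy to see in a toy authorization server. The following is an added example, not code from the thread or from any IETF draft: an in-memory server modelled loosely on the draft-05 web-server flow, with no request token at all. The first audited action is the user's approval at the End-User Endpoint; the verification code that approval produces is single-use and bound to the client and redirect_uri, so the token-issuance event can be joined to the approval event by the code, and each resource access can be joined to the issuance event by the token. All class and function names (AuthServer, approve_request, exchange_code, fetch_resource, run_web_server_flow), the client registration and the user "alice" are assumptions for illustration.

```python
"""
Added example (not from the mailing-list thread or any OAuth draft): a toy
OAuth 2.0 authorization server that records the three audit events discussed
above without any request token. All names and sample data are constructed.
"""
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class AuditEvent:
    event: str                 # approval | token_issued | resource_access | *_rejected
    client_id: Optional[str]
    user: Optional[str]
    detail: dict               # correlation keys: code, token, redirect_uri


@dataclass
class AuthServer:
    # client_id -> registered redirect_uri (constructed registration data)
    clients: Dict[str, str]
    audit_log: List[AuditEvent] = field(default_factory=list)
    # verification code -> (client_id, user, redirect_uri it was sent to)
    _codes: Dict[str, Tuple[str, str, str]] = field(default_factory=dict)
    # access token -> (client_id, user)
    _tokens: Dict[str, Tuple[str, str]] = field(default_factory=dict)

    def _log(self, event: str, client_id: Optional[str], user: Optional[str], **detail) -> None:
        self.audit_log.append(AuditEvent(event, client_id, user, detail))

    # (1) End-User Endpoint: the browser arrives here via the client's redirect.
    # The user's approval is the first audited action; nothing had to be
    # pre-fetched or replicated beforehand.
    def approve_request(self, user: str, client_id: str, redirect_uri: str) -> str:
        if self.clients.get(client_id) != redirect_uri:
            self._log("approval_rejected", client_id, user, redirect_uri=redirect_uri)
            raise ValueError("unknown client or redirect_uri mismatch")
        code = secrets.token_urlsafe(16)
        self._codes[code] = (client_id, user, redirect_uri)
        self._log("approval", client_id, user, code=code, redirect_uri=redirect_uri)
        return redirect_uri + "?code=" + code        # Location header sent to the browser

    # (2) Token Endpoint: the client presents the verification code it received
    # at its redirect_uri. The code is consumed on first presentation, so a
    # replay or a mismatched client is refused and audited.
    def exchange_code(self, client_id: str, code: str, redirect_uri: str) -> str:
        entry = self._codes.pop(code, None)          # single use, even on failure
        if entry is None or entry[0] != client_id or entry[2] != redirect_uri:
            self._log("token_rejected", client_id, None, code=code)
            raise PermissionError("invalid, reused or mismatched verification code")
        _, user, _ = entry
        token = secrets.token_urlsafe(24)
        self._tokens[token] = (client_id, user)
        self._log("token_issued", client_id, user, code=code, token=token)
        return token

    # (3) Protected Resource: every use of an access token is logged against
    # the client and user it was issued for.
    def fetch_resource(self, token: str) -> dict:
        entry = self._tokens.get(token)
        if entry is None:
            self._log("resource_rejected", None, None, token=token)
            raise PermissionError("unknown access token")
        client_id, user = entry
        self._log("resource_access", client_id, user, token=token)
        return {"owner": user, "profile": f"profile data for {user}"}


def run_web_server_flow() -> List[AuditEvent]:
    """Drive one complete flow plus a code replay and return the audit log."""
    server = AuthServer(clients={"photo-printer": "https://printer.example/cb"})
    location = server.approve_request("alice", "photo-printer", "https://printer.example/cb")
    code = location.split("code=", 1)[1]             # what the browser carries to the client
    token = server.exchange_code("photo-printer", code, "https://printer.example/cb")
    server.fetch_resource(token)
    try:                                             # replaying the code is refused
        server.exchange_code("photo-printer", code, "https://printer.example/cb")
    except PermissionError:
        pass
    return server.audit_log


if __name__ == "__main__":
    for e in run_web_server_flow():
        print(e.event, e.client_id, e.user, e.detail)
```

Reading the log produced by run_web_server_flow, the approval and token_issued events share the same code value and the token_issued and resource_access events share the same token value, which is the correlation an auditor needs; the request token of OAuth 1.0 added a fourth event before the approval but is not required for any of these three joins.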
