As of -10, the Authorization Request Parameters are required to be
passed as part of the Authorization Request URI query component.
I would like to see it relaxed a bit so that they do not have to be a
part of the URL but can be passed by reference.
In the proposal that I have submit a while ago, I proposed to have
1) The parameters to be captured in JSON that can be obtained through a URL
2) Pass this URL to the end-user authorization endpoint through a
parameter 'request_url'
I have enumerated numerous merit of this approach and I believe we had
an agreement that this would be useful from both security and
usability perspective.
However, as the current text is written, the parameters have to be
sent as URI query component.
In -10, it is written as:
In order to direct the end-user's user-agent to the authorization
server, the client constructs the request URI by adding the following
parameters to the end-user authorization endpoint URI query component
using the "application/x-www-form-urlencoded" format as defined by
[W3C.REC-html401-19991224]:
(parm defs)
The client directs the end-user to the constructed URI using an HTTP
redirection response, or by other means available to it via the end-
user's user-agent. The authorization server MUST support the use of
the HTTP "GET" method for the end-user authorization endpoint, and
MAY support the use of the "POST" method as well.
Instead I would propose something like:
In order to obtain the end-user's authorization, the client sends the
following parameters to the end-user authorization endpoint.
(param defs)
The client directs the end-user to the end-user authorization endpoint
URI using an HTTP redirection response, or by other means available to
it via the end-user's user-agent. The authorization server MUST
support the use of
the HTTP "GET" method for the end-user authorization endpoint, and
MAY support the use of the "POST" method as well. The authorization
server MUST support the parameters being passed as the query component
using the "application/x-www-form-urlencoded" format as defined by
[W3C.REC-html401-19991224].
I also have a comment on the structure of the section 3.
I should have noticed this much earlier but currently the section 3 is
structured as:
3. Obtaining End-User Authorization
3.1. Authorization Response
3.2. Error Response
Would it not be better to be something like below?
3. Obtaining End-User Authorization
3.1. Authorization Request
3.2. Authorization Response
3.3. Error Response
--
Nat Sakimura (=nat)
http://www.sakimura.org/en/
http://twitter.com/_nat_en
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
