Here are the possible URLs:

http://static.facebook.com/connect/xd_proxy.php#code=10alkji&access_token=lzipa3p
http://static.facebook.com/connect/xd_proxy.php?code=10alkji#access_token=lzipa3p

Those who already use this flow in production (including Google, Facebook, Twitter, and others) typically work like this:

- Parent frame initiates the transaction by spawning a popup or an iframe
- Response comes back to a static relay file (like the xd_proxy.php above)
- The relay interprets the URL, parses out arguments, and hands them to the parent frame
- Parent frame then does what it wants. This could be making an API call via JSONP, handing info to the server via Ajax, or something else.

Because the relay file is static, it isn't going to interpret the code regardless, even if it is sent in the query parameter. So since the client will handle it anyway, the fragment is better for two reasons:

1/ Less code for the JS to just pull it out of the fragment
2/ More efficient, as the relay file can be cached on the client. If you include a code then you degrade performance because it busts the cache every time.

On Aug 10, 2010, at 9:35 AM, Oleg Gryb wrote:

I was trying to understand that too (see "Is user agent profile secure" thread). The answers that I've got were:

1. It's already coded this way.
2. It's the most efficient way of doing that, because that relay.html page is static and can be cached by a browser.

None of the answers above looks very convincing to me, but that's where UA is now.

From: Torsten Lodderstedt <[email protected]>

Can someone pls. explain why code and token should both be returned in the fragment?

regards,
Torsten.

_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
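The difference between the two URL shapes discussed in the thread, as an added example that is not part of any message above: it shows which parameters the browser would send to the server hosting the static relay, and why the query variant changes the cache key on every response. The names `analyzeRelayUrl` and `relayToParent` are hypothetical, and handing off with `postMessage` to one explicit parent origin is an assumption, since the thread does not say how the relay talks to the parent.

```javascript
// Added illustration; analyzeRelayUrl and relayToParent are hypothetical names.
const PARAMS = ["code", "access_token"];

// Split a relay URL into what the browser sends to the server (path + query)
// and what stays client-side (fragment), then collect the OAuth parameters.
function analyzeRelayUrl(href) {
  const url = new URL(href);
  const query = url.searchParams;
  const fragment = new URLSearchParams(url.hash.replace(/^#/, ""));
  const values = {};
  const sentToServer = [];
  for (const name of PARAMS) {
    if (fragment.has(name)) {
      values[name] = fragment.get(name); // never leaves the browser
    } else if (query.has(name)) {
      values[name] = query.get(name);
      sentToServer.push(name); // ends up in the request line and server logs
    }
  }
  // The HTTP cache keys on the URL without its fragment, so a per-response
  // query value makes every relay load a cache miss.
  const cacheKey = url.origin + url.pathname + url.search;
  return { values, sentToServer, cacheKey };
}

// Relay-side hand-off (assumed mechanism): deliver the parsed values only to
// the expected parent origin, never to "*".
function relayToParent(href, parentWindow, parentOrigin) {
  const { values } = analyzeRelayUrl(href);
  parentWindow.postMessage(values, parentOrigin);
  return values;
}

// The two URL shapes quoted at the top of the thread.
const FRAGMENT_ONLY =
  "http://static.facebook.com/connect/xd_proxy.php#code=10alkji&access_token=lzipa3p";
const CODE_IN_QUERY =
  "http://static.facebook.com/connect/xd_proxy.php?code=10alkji#access_token=lzipa3p";
```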
