I've got a spec written for this that I've been quite lax in finishing. I'll clean it up a bit tonight/tomorrow and send out a draft link for review.
----
-- Justin Hart -- [email protected]

On Jan 18, 2011, at 4:20 PM, Igor Faynberg wrote:

> Interesting! I definitely see value in this, and... this appears to
> me to be a new use case.
>
> Gabriel Klein wrote:
>> Dear oAuth2 team,
>>
>> I'm currently working on the way we will implement oAuth2 in our
>> company. (Poken.com)
>>
>> I've an interesting flow to work on:
>> We delegate the account creation and account authentication mechanism to
>> an external oAuth2 provider.
>>
>> What it means:
>> We have a mobile application; you can choose the way you want to log in.
>> - User and Password
>> - Facebook (Microsoft, Google, Twitter, and other oAuth2 providers later)
>> Based on the Facebook access_token or code, we return a poken
>> access_token.
>>
>> We have a similar flow in our web application (it is on top of our API).
>>
>> From a technical point:
>> When we log in using Facebook, we get the "code" or access_token (linked
>> to our client_id access on Facebook). This part is the responsibility of
>> the UI/mobile application. Facebook client_secret is not shared with
>> Facebook.
>>
>> The mobile application then calls our API. (Not implemented yet)
>> https://api.poken.com/oauth2/authorize?
>> grant_type=poken_extenal_oauth2&
>> service=facebook.com&
>> service_secret={facebook_access_token or code}&
>> client_id={appid-phphub}&client_secret={apppass-phphub}&
>> response_type=token
>>
>> In our API we exchange the Facebook code for a Facebook access_token and
>> get the facebook_account_id of the user on Facebook.
>>
>> If this facebook_account_id is linked to a poken account on our system,
>> we return a poken access_token for this account. With this access_token,
>> the client can use our API.
>>
>> I call this flow "oAuth2 Chain Flow".
>>
>> I think it's a quite interesting flow, because it's more and more
>> frequent to delegate the authentication to another website/service.
>> (Even more when you are not part of the biggest sites.)
>>
>> What do you think of this aspect of authentication?
>> Did you already speak about this flow?
>> Do we have some specifications for this flow?
>>
>> Best regards,
>> Gabriel Klein (poken.com)
>>
>> _______________________________________________
>> OAuth mailing list
>> [email protected]
>> https://www.ietf.org/mailman/listinfo/oauth
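The "chain flow" Gabriel describes, as an added, self-contained simulation that is not code from this thread, from Poken, or from any OAuth2 provider: an in-memory stand-in for the external provider, and a local token endpoint that exchanges the external code server-side, resolves the external account id, and mints a local token only for an account that is already linked. The parameter names (`grant_type=poken_external_oauth2`, `service`, `service_secret`), the client credentials and the account data are constructed fixtures; the checks a server in this position should make (client authentication, one-time use of the external code, rejecting a code issued to a different app id, refusing unlinked accounts instead of silently creating them) are the point of the example.

```python
"""Simulated OAuth2 "chain flow": a local authorization server accepts an
external provider's authorization code, exchanges it for an external access
token, resolves the external account id, and returns a local access token.
All names, codes and accounts below are constructed for this example."""
import hmac
import secrets
from dataclasses import dataclass, field

# --- Stand-in for the external OAuth2 provider (the "Facebook" role) -------
# Constructed fixture: external auth code -> (external account id, app id the
# code was issued to). A real provider would answer this over HTTPS.
EXTERNAL_CODES = {
    "ext-code-alice": ("ext-acct-1001", "appid-phphub"),
    "ext-code-mallory": ("ext-acct-9999", "some-other-app"),
}


def external_exchange_code(code, expected_app_id):
    """Exchange a one-time external code for (external_token, account_id).
    Returns None for an unknown, replayed, or wrong-audience code: a code
    issued to another app must not be accepted by our server."""
    entry = EXTERNAL_CODES.pop(code, None)  # one-time use
    if entry is None:
        return None
    account_id, app_id = entry
    if app_id != expected_app_id:
        return None
    return ("ext-token-" + secrets.token_hex(8), account_id)


# --- Local authorization server (the "Poken" role) --------------------------
OUR_EXTERNAL_APP_ID = "appid-phphub"  # our app id at the external provider


@dataclass
class LocalAuthServer:
    # registered local clients: client_id -> client_secret (constructed)
    clients: dict = field(default_factory=lambda: {"appid-phphub": "apppass-phphub"})
    # (service, external account id) -> local user id (constructed)
    links: dict = field(default_factory=lambda: {("facebook.com", "ext-acct-1001"): "poken-user-42"})
    issued: dict = field(default_factory=dict)  # local token -> local user id

    def chain_token(self, params):
        """Token endpoint for the hypothetical poken_external_oauth2 grant."""
        # 1. Authenticate the calling client; constant-time comparison.
        expected = self.clients.get(params.get("client_id", ""), "")
        if not expected or not hmac.compare_digest(expected, params.get("client_secret", "")):
            return {"error": "invalid_client"}
        if params.get("grant_type") != "poken_external_oauth2":
            return {"error": "unsupported_grant_type"}
        service = params.get("service")
        if service != "facebook.com":
            return {"error": "invalid_request"}
        # 2. Exchange the external code server-side, so the external
        #    client_secret never reaches the mobile application.
        result = external_exchange_code(params.get("service_secret", ""), OUR_EXTERNAL_APP_ID)
        if result is None:
            return {"error": "invalid_grant"}
        _external_token, external_account = result
        # 3. Only an already-linked account gets a local token; an unknown
        #    external identity is an explicit error, not a silent sign-up.
        user = self.links.get((service, external_account))
        if user is None:
            return {"error": "invalid_grant", "error_description": "account_not_linked"}
        token = secrets.token_urlsafe(32)
        self.issued[token] = user
        return {"access_token": token, "token_type": "bearer"}


def demo():
    """Run the happy path plus a replay of the same external code."""
    srv = LocalAuthServer()
    req = {"grant_type": "poken_external_oauth2", "service": "facebook.com",
           "service_secret": "ext-code-alice",
           "client_id": "appid-phphub", "client_secret": "apppass-phphub"}
    first = srv.chain_token(req)
    replay = srv.chain_token(req)
    return srv, first, replay


if __name__ == "__main__":
    _, first, replay = demo()
    print(first, replay)
```

The external code is consumed on first use, so a second request with the same `service_secret` is rejected, and a code that the external provider issued to a different app id is rejected before any account lookup happens.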
