Sending to the right place. EHL
From: DIEGO GONZALEZ MARTINEZ [mailto:[email protected]] Sent: Friday, October 07, 2011 1:35 AM To: [email protected] Subject: draft-ietf-oauth-v2: Doubt about chapter 4.2 Hello, My name is Diego González, I work in Telefónica R&D and I'm following OAuth 2.0 works as we're using OAuth in Telefónica's APIs exposure programs (e.g.: BlueVia). I as well participate in OMA activities for using OAuth to access OMA standard APIs. I'm Reading through OAuth 2.0 draft and I have a doubt. In chapter 4.2.1 for Implicit Grant I can see the following example: GET /authorize?response_type=token&client_id=s6BhdRkqt3&state=xyz &redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb HTTP/1.1 Host: server.example.com Then in chapter 4.2.2 I see the following example: HTTP/1.1 302 Found Location: http://example.com/rd#access_token=2YotnFZFEjr1zCsicMWpAA &state=xyz&token_type=example&expires_in=3600 The first I thought is that this is just a misalignment within examples and second example should look like https://client.example.com/cb. Is it? But then I got the following doubt. Would it make sense for every Client to be redirected to a known web hosted by the resource provider? I mean a set of clients trying to gain access to a Resource, and being always redirected to the same web-hosted resource offered by resource provider, not to the web-client hosted resource. E.g.: redirect every client using Implicit Grant to https://server.com/accessTokenScriptisHereforEveryOne, no matter what the redirect_uri was. Do you think this make sense? Or there are some security problems I am not taking into account. Kind regards, Diego Diego González Martínez Telefónica Investigación y Desarrollo Iniciativa NeoSDP e-mail: [email protected]<mailto:[email protected]> Phone: +34 983 36 75 97 ________________________________ Este mensaje se dirige exclusivamente a su destinatario. Puede consultar nuestra política de envío y recepción de correo electrónico en el enlace situado más abajo. This message is intended exclusively for its addressee. We only send and receive email on the basis of the terms set out at. http://www.tid.es/ES/PAGINAS/disclaimer.aspx
_______________________________________________ OAuth mailing list [email protected] https://www.ietf.org/mailman/listinfo/oauth
