OK.
Thanks for the explanations so far. It's very helpful.
I'm prototyping the framework support for OAuth 2.0 and at this stage
I'm trying to figure out what exactly the runtime itself can do and what
has to be delegated to the custom code and thus how to design the api
the runtime and the custom code will use to communicate with each other.
Makes sense. It's often hard to figure out exactly where to draw the
lines of abstraction for fundamental libraries like this.
Let me ask one more question, sorry if it's a silly one :-)
So suppose a given client has been pre-authorized by the end user.
Next, the client can get the pre-authorized token via the authorization
code flow or the implicit code flow (ignoring the client_credentials one
for the moment).
Does it make sense to restrict which flow a given pre-authorized token
can 'work' with ? Example, enforce that the pre-authorized token can
only be issued to the clients initiating an authorization code flow but
not to those trying an implicit one, or vice versa ?
The reason I ask is that I'm thinking that the entity representing an
access token should have a property indicating which grant type was used
for this token being created in the first place. So if such a token
were to represent the user pre-authorizing the client
and then eventually given to a client via the authorization code or
implicit code flow, then this token would actually need to
be cloned each time for a specific grant type property be set, and
this does not look optimal...
Several implementations that I've seen do restrict the flows that a
given client is allowed to do. Any time you have a privileged client,
such as one that's been auto-approved, it makes even more sense to lock
it down in other avenues. You don't have to encode it into the token or
code, but of course if you have a structured token format you may do
that. Note that with the code flow, you probably don't actually generate
the token until the client shows up with a valid code and client
id/secret, but that's really a runtime optimization that's going to be
specific for your setup.
All you really need is a flag at your AS that ties the given client id
to a set of allowable grant types. When the client shows up at the AS
endpoints, you look up this flag based on the client ID and verify that
the flow you're doing matches up with what's allowed by configuration.
-- Justin
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
