Not exactly the authorization code in the authorization code flow, but something like it: say, a signature on a delegation statement by the user. The user sends it to the client, and the client exchanges the signature for an access token. The AS can verify the signature's validity. The rationale behind my question is this: the resource belongs to the resource owner, so it is right and natural to let the resource owner authorize access to its resource; the role of the AS in the current OAuth authorization code flow is just that of an authentication provider, and it should not decide the authorization.

Guangqing Deng <[email protected]>
2012-09-03 17:33

To: [email protected]
Cc: [email protected]
Subject: Re: [OAUTH-WG] a question about authorization

Besides, the user has no authorization code; the authorization server does have.

2012/9/3 Guangqing Deng <[email protected]>

Why let the user send an authorization code to the client? Let the client request an access token from the authentication server using that authorization code? If so, the authentication server can't determine whether the authorization code is valid or not and will not issue an access token.

2012/9/3 <[email protected]>

Hi, all

I have always been unclear about one thing: why must we let the authorization server generate and issue an authorization code to a client? Could we not just let the user authorize the client directly by sending the client something like an authorization code?

Regards~~~

-Sujing Zhou

_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth

--
Guangqing Deng

--
Guangqing Deng
