Hi Brent,

A few points on why this doesn't create any security implications:

1. The authorization server maintains a binding to the client to whom the token
was issued. To exchange this for an access token, the client should
authenticate itself.
2. A code can only be exchanged once for an access token.

Thanks & regards,
-Prabath

On Wed, Jan 9, 2013 at 6:56 AM, cspzhouroc <[email protected]> wrote:

>
> Dear All:
>
> I have a question in the section 1.3.1. Authorization Code in rfc6749 The
> OAuth 2.0 Authorization Framework.
>
> It tells "which in turn directs the resource owner back to the client with
> the authorization code."
>
> Who can let me know the reason why is the authorization code sent to client
> through a redirection in resource owner's agent?  Any security
> implications?
>
> Is it possible to let the authorization server send the authorization code
> to the client directly (not through resource owner's user-agent)?
>
> Best Regards
> Brent
>
> _______________________________________________
> OAuth mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/oauth
>
>


-- 
Thanks & Regards,
Prabath

Mobile : +94 71 809 6732

http://blog.facilelogin.com
http://RampartFAQ.com
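The two properties Prabath lists (the code is bound to the client it was issued to, and it can be redeemed only once) are what make it acceptable for the code to travel through the resource owner's user-agent. The following is an added illustration, not code from the thread or from any real authorization server: a toy in-memory authorization server whose token endpoint authenticates the client, checks that the code was issued to that client and redirect URI, and consumes the code on first use. It also applies the RFC 6749 section 4.1.3 guidance that a replayed code should cause revocation of the token previously issued from it. Client ids, secrets, redirect URIs and the user name are constructed sample values.

```python
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class IssuedCode:
    """Server-side record of an authorization code and what it is bound to."""
    client_id: str
    redirect_uri: str
    user: str
    expires_at: float
    used: bool = False
    access_token: Optional[str] = None  # token minted from this code, if any


class AuthorizationServer:
    # Constructed sample client registrations: client_id -> client_secret.
    CLIENTS: Dict[str, str] = {"web-app": "web-app-secret", "other-app": "other-secret"}

    def __init__(self) -> None:
        self.codes: Dict[str, IssuedCode] = {}
        self.tokens: Dict[str, str] = {}  # access_token -> user

    def authorize(self, client_id: str, redirect_uri: str, user: str) -> str:
        """Resource owner approved the request; issue a short-lived code bound to
        the client and redirect URI, and return the redirect Location that the
        user-agent will follow back to the client."""
        code = secrets.token_urlsafe(32)
        self.codes[code] = IssuedCode(client_id, redirect_uri, user, time.time() + 600)
        return f"{redirect_uri}?code={code}"

    def token(self, client_id: str, client_secret: str, code: str, redirect_uri: str) -> dict:
        """Token endpoint: only the authenticated client the code was issued to can
        redeem it, and only once."""
        # 1. Client authentication (constant-time secret comparison).
        registered = self.CLIENTS.get(client_id)
        if registered is None or not hmac.compare_digest(registered, client_secret):
            return {"error": "invalid_client"}

        issued = self.codes.get(code)
        if issued is None or issued.expires_at < time.time():
            return {"error": "invalid_grant"}

        # 2. Single use: a replay indicates the code leaked somewhere on its way
        #    through the user-agent, so revoke what was already issued from it.
        if issued.used:
            if issued.access_token is not None:
                self.tokens.pop(issued.access_token, None)
            return {"error": "invalid_grant"}

        # 3. Binding: the code must be presented by the client it was issued to,
        #    with the same redirect_uri that was used in the authorization request.
        if issued.client_id != client_id or issued.redirect_uri != redirect_uri:
            return {"error": "invalid_grant"}

        issued.used = True
        access_token = secrets.token_urlsafe(32)
        issued.access_token = access_token
        self.tokens[access_token] = issued.user
        return {"access_token": access_token, "token_type": "Bearer"}


def demo() -> dict:
    """Walk through the flow and the failure cases; returns each outcome."""
    srv = AuthorizationServer()
    cb = "https://app.example/cb"  # constructed redirect URI
    location = srv.authorize("web-app", cb, "alice")
    code = location.split("code=", 1)[1]  # what the client reads from the redirect

    outcomes = {
        # Someone holding the code but not the client's credentials.
        "wrong_secret": srv.token("web-app", "guess", code, cb),
        # A different, properly authenticated client that was not issued this code.
        "wrong_client": srv.token("other-app", "other-secret", code, cb),
        # The legitimate client redeems the code.
        "legit": srv.token("web-app", "web-app-secret", code, cb),
        # The same code presented a second time.
        "replay": srv.token("web-app", "web-app-secret", code, cb),
    }
    # After the replay the first token must have been revoked.
    outcomes["token_still_valid"] = outcomes["legit"].get("access_token") in srv.tokens
    return outcomes


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Note that the failed attempts before the legitimate exchange do not consume the code: authentication and binding are checked before the code is marked used, so an attacker who merely saw the code in a redirect cannot burn it and cannot redeem it, while a replay after the real exchange is detected and revokes the token that was issued.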
