Then why not let the auth code be sent directly from AS to Client? Just want to inform RO that an auth code has been delivered to Client?
[email protected] wrote on 2013-01-09 14:27:50:
> Hi Brent,
>
> Few points, why this doesn't create any security implications..
>
> 1. Authorization server maintains a binding to the Client, who the
> token was issued to. To exchange this to an Access token client
> should authenticate himself.
> 2. Code can only be exchanged once for an access token.
>
> Thanks & regards,
> -Prabath
>
> On Wed, Jan 9, 2013 at 6:56 AM, cspzhouroc <[email protected]> wrote:
> Dear All:
>
> I have a question in the section 1.3.1. Authorization Code in rfc6749
> The OAuth 2.0 Authorization Framework.
>
> It tells "which in turn directs the resource owner back to the client
> with the authorization code."
>
> Who can let me know the reason why is the authorization code sent to
> client through a redirection in resource owner's agent? Any security
> implications?
>
> Is it possible to let the authorization server send the authorization
> code to the client directly (not through resource owner's user-agent)?
>
> Best Regards
> Brent
>
> _______________________________________________
> OAuth mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/oauth
>
> --
> Thanks & Regards,
> Prabath
>
> Mobile : +94 71 809 6732
>
> http://blog.facilelogin.com
> http://RampartFAQ.com
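An added example, not part of the original thread: a toy in-memory authorization server showing the two properties named in the quoted reply, the code's binding to an authenticated client and its single use. The class, function and client names are hypothetical, and the scenario is constructed.

```python
import hashlib, hmac, secrets

class ToyAuthorizationServer:
    """Hypothetical in-memory AS; not a real library API."""
    def __init__(self):
        self._secret_hashes = {}  # client_id -> SHA-256 of client secret
        self._codes = {}          # code -> {"client_id": ..., "used": bool}

    def register_client(self, client_id):
        secret = secrets.token_urlsafe(32)
        self._secret_hashes[client_id] = hashlib.sha256(secret.encode()).digest()
        return secret

    def issue_code(self, client_id):
        # Issued after the resource owner approves; this value is what
        # travels back to the client through the user-agent redirect.
        code = secrets.token_urlsafe(32)
        self._codes[code] = {"client_id": client_id, "used": False}
        return code

    def exchange(self, client_id, client_secret, code):
        # Point 1: the client must authenticate before any exchange.
        expected = self._secret_hashes.get(client_id)
        supplied = hashlib.sha256(client_secret.encode()).digest()
        if expected is None or not hmac.compare_digest(expected, supplied):
            return {"error": "invalid_client"}
        # Point 1: the code is bound to the client it was issued to.
        entry = self._codes.get(code)
        if entry is None or entry["client_id"] != client_id:
            return {"error": "invalid_grant"}
        # Point 2: a code can be exchanged only once.
        if entry["used"]:
            return {"error": "invalid_grant"}
        entry["used"] = True
        return {"access_token": secrets.token_urlsafe(32), "token_type": "bearer"}

def run_demo():
    """Constructed scenario: a code issued to client-a is seen by client-b."""
    server = ToyAuthorizationServer()
    secret_a = server.register_client("client-a")
    secret_b = server.register_client("client-b")
    code = server.issue_code("client-a")
    return {
        "other_client": server.exchange("client-b", secret_b, code),
        "wrong_secret": server.exchange("client-a", "guess", code),
        "first_use": server.exchange("client-a", secret_a, code),
        "replay": server.exchange("client-a", secret_a, code),
    }

if __name__ == "__main__":
    for name, result in run_demo().items():
        print(name, "->", result)
```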
