Dear Prabath:
Thank you very much for your responses :-) However, I am still not quite sure why the authorization code must be sent to the client through the RO's user-agent?

Best Regards
Brent

On Wed, 9 Jan 2013 11:57:50 +0530, Prabath Siriwardena wrote:
> Hi Brent,
>
> A few points on why this doesn't create any security implications..
>
> 1. The authorization server maintains a binding to the client to whom the token was issued. To exchange this for an access token, the client should authenticate itself.
> 2. The code can only be exchanged once for an access token.
>
> Thanks & regards,
> -Prabath
>
> On Wed, Jan 9, 2013 at 6:56 AM, cspzhouroc wrote:
>
>> Dear All:
>>
>> I have a question about section 1.3.1, Authorization Code, in RFC 6749, The OAuth 2.0 Authorization Framework.
>>
>> It says "which in turn directs the resource owner back to the client with the authorization code."
>>
>> Who can let me know the reason why the authorization code is sent to the client through a redirection in the resource owner's user-agent? Any security implications?
>>
>> Is it possible to let the authorization server send the authorization code to the client directly (not through the resource owner's user-agent)?
>>
>> Best Regards
>>
>> Brent
>> _______________________________________________
>> OAuth mailing list
>> [email protected]
>> https://www.ietf.org/mailman/listinfo/oauth
>
> --
> Thanks & Regards,
> Prabath
>
> Mobile : +94 71 809 6732
>
> http://blog.facilelogin.com
> http://RampartFAQ.com
_______________________________________________ OAuth mailing list [email protected] https://www.ietf.org/mailman/listinfo/oauth
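As an added example (not code from this thread or from either author), the two properties Prabath lists, implemented as a minimal in-memory token endpoint in Python: the code is bound to the client and redirect_uri it was issued for, redeeming it requires client authentication, and it is single-use, with a replay also revoking tokens already issued from it as RFC 6749 section 4.1.2 requires. The client ids, secrets and redirect URIs are constructed placeholders.

```python
import hmac
import secrets
import time

# Constructed in-memory authorization server state (an added example, not the
# mailing-list authors' code). A real server would persist this in a database.
CLIENTS = {"client-a": "secret-a", "client-b": "secret-b"}  # constructed credentials
CODES = {}          # code -> {"client_id", "redirect_uri", "exp", "used", "tokens"}
ISSUED_TOKENS = {}  # access_token -> {"code", "revoked"}

def issue_code(client_id, redirect_uri):
    """Step 1: after the resource owner approves, the authorization server mints
    a code bound to the client that requested it and to the redirect_uri it will
    be returned to. This is the value that rides through the user-agent."""
    code = secrets.token_urlsafe(32)
    CODES[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                   "exp": time.time() + 600, "used": False, "tokens": []}
    return code

def exchange_code(client_id, client_secret, code, redirect_uri):
    """Step 2: token endpoint (RFC 6749 section 4.1.3). The client, not the
    user-agent, calls this directly and must authenticate.
    Returns (access_token, None) on success or (None, error_code) on failure."""
    # Client authentication: a leaked code is useless without the client secret.
    expected = CLIENTS.get(client_id)
    if expected is None or not hmac.compare_digest(expected, client_secret):
        return None, "invalid_client"
    entry = CODES.get(code)
    if entry is None or time.time() > entry["exp"]:
        return None, "invalid_grant"
    # Binding check: the code must be redeemed by the client it was issued to,
    # with the same redirect_uri that was used on the authorization request.
    if entry["client_id"] != client_id or entry["redirect_uri"] != redirect_uri:
        return None, "invalid_grant"
    # Single use: a replayed code is denied and, per RFC 6749 section 4.1.2,
    # tokens previously issued from it are revoked because a leak is then likely.
    if entry["used"]:
        for tok in entry["tokens"]:
            ISSUED_TOKENS[tok]["revoked"] = True
        return None, "invalid_grant"
    entry["used"] = True
    token = secrets.token_urlsafe(32)
    ISSUED_TOKENS[token] = {"code": code, "revoked": False}
    entry["tokens"].append(token)
    return token, None

def token_is_valid(token):
    rec = ISSUED_TOKENS.get(token)
    return rec is not None and not rec["revoked"]
```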
