The idea is to form a bridge between a user, their user-agent, and the client application while at the same time keeping the security credential and the client app cred separate.
The redirect with code flow enables the separate contexts to be bound together. As soon as you do this in one step, then the client app needs to be able to handle the user's credentials (e.g. uid/pwd) directly. Remember that one of the original reasons for the auth flow was to eliminate the password anti-pattern.

Phil

Sent from my phone.

On 2013-01-08, at 22:52, cspzhouroc <[email protected]> wrote:

> Dear Prabath:
>
> But is it possible to include the mapping between the user request and
> the code in the message that the AS sends to the client directly?
>
> Best Regards
>
> Brent
>
> On Wed, 9 Jan 2013 12:17:19 +0530, Prabath Siriwardena wrote:
>
>> On Wed, Jan 9, 2013 at 12:09 PM, Peng Zhou <[email protected]> wrote:
>>> Dear Prabath:
>>>
>>> Thank you very much for your responses :-)
>>>
>>> However, I am still not quite sure why the authorization code must be
>>> sent to the client through the RO's user-agent?
>>
>> One reason I see is, bringing the authorization code via User Agent links
>> the user request to the authorization code. If AS directly sends the code to
>> the Resource Server the mapping between the user request and the code is
>> broken.
>>
>> Thanks & regards,
>> -Prabath
>>
>>> Best Regards
>>> Brent
>>>
>>> 2013/1/9 Prabath Siriwardena <[email protected]>:
>>> > Prabath
>>
>> --
>> Thanks & Regards,
>> Prabath
>> Mobile : +94 71 809 6732
>>
>> http://blog.facilelogin.com
>> http://RampartFAQ.com
>
> _______________________________________________
> OAuth mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/oauth
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
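The binding the thread is discussing, shown as an added example that is not part of the original messages or of any OAuth implementation: a minimal in-memory authorization server and client. The client stores a random `state` in the browser session before redirecting, the AS echoes that `state` back on the redirect carrying the code, and the client refuses any code whose `state` does not match the session it arrives in. A code pushed from the AS straight to the client would have no such session to check against. The endpoint URL, client id, client secret and redirect URI are assumed values for the example.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs


class AuthorizationServer:
    """Toy AS: front-channel /authorize, back-channel /token (example only)."""

    def __init__(self, clients):
        self.clients = clients   # client_id -> {"secret": ..., "redirect_uri": ...}
        self.codes = {}          # code -> (client_id, user, redirect_uri)

    def authorize(self, auth_url, user):
        """The user-agent fetches the authorization URL; `user` is whoever is
        logged in at the AS in that browser. Returns the redirect back to the
        client, carrying the code and the client's own state value."""
        q = {k: v[0] for k, v in parse_qs(urlparse(auth_url).query).items()}
        client = self.clients[q["client_id"]]
        if q.get("redirect_uri") != client["redirect_uri"] or q.get("response_type") != "code":
            raise ValueError("invalid authorization request")
        code = secrets.token_urlsafe(24)
        self.codes[code] = (q["client_id"], user, q["redirect_uri"])
        return client["redirect_uri"] + "?" + urlencode({"code": code, "state": q["state"]})

    def token(self, client_id, client_secret, code, redirect_uri):
        """Back-channel exchange, authenticated with the client credential only."""
        client = self.clients.get(client_id)
        if client is None or not secrets.compare_digest(client["secret"], client_secret):
            raise PermissionError("bad client credentials")
        entry = self.codes.pop(code, None)          # codes are single use
        if entry is None or entry[0] != client_id or entry[2] != redirect_uri:
            raise PermissionError("invalid code")
        return {"access_token": secrets.token_urlsafe(16), "user": entry[1]}


class Client:
    AUTHZ_ENDPOINT = "https://as.example/authorize"   # assumed endpoint name

    def __init__(self, client_id, secret, redirect_uri, authz_server):
        self.client_id, self.secret, self.redirect_uri = client_id, secret, redirect_uri
        self.authz_server = authz_server
        self.sessions = {}       # browser session id -> {"state": ..., "user": ...}

    def start_login(self, session_id):
        """Step 1: bind a fresh state to this browser session, then redirect."""
        state = secrets.token_urlsafe(16)
        self.sessions[session_id] = {"state": state}
        return self.AUTHZ_ENDPOINT + "?" + urlencode({
            "response_type": "code", "client_id": self.client_id,
            "redirect_uri": self.redirect_uri, "state": state})

    def callback(self, session_id, redirect_url):
        """Step 3: the user-agent brings the code back in the same session.
        The state check is what ties the code to the request that started it."""
        q = {k: v[0] for k, v in parse_qs(urlparse(redirect_url).query).items()}
        sess = self.sessions.get(session_id)
        if sess is None or not secrets.compare_digest(sess["state"], q.get("state", "")):
            raise PermissionError("state mismatch: code is not bound to this session")
        tok = self.authz_server.token(self.client_id, self.secret, q["code"], self.redirect_uri)
        sess["user"] = tok["user"]
        return tok["user"]


def build():
    # Constructed registration data for the example.
    asrv = AuthorizationServer({"app1": {"secret": "s3cret", "redirect_uri": "https://app.example/cb"}})
    return asrv, Client("app1", "s3cret", "https://app.example/cb", asrv)


def happy_path():
    """User-agent carries the request out and the code back in one session."""
    asrv, client = build()
    url = client.start_login("sess-alice")        # alice's browser session at the client
    back = asrv.authorize(url, user="alice")      # alice authenticates at the AS
    return client.callback("sess-alice", back)    # code + matching state -> "alice"


def code_in_wrong_session():
    """A code that did not come back through the session that requested it
    is rejected, which is exactly the check a directly-delivered code lacks."""
    asrv, client = build()
    client.start_login("sess-alice")
    url_bob = client.start_login("sess-bob")
    back_bob = asrv.authorize(url_bob, user="bob")
    try:
        client.callback("sess-alice", back_bob)   # bob's code arrives in alice's session
        return "accepted"
    except PermissionError:
        return "rejected"
```

`happy_path()` returns the authenticated user for the session; `code_in_wrong_session()` shows the client refusing a valid, unused code because it cannot be mapped to the session it was presented in. The client never sees the user's AS password; it only ever handles its own client secret on the back channel.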
