Yes

Phil
Sent from my phone.

On 2013-01-09, at 0:09, cspzhouroc <[email protected]> wrote:

> Do you mean, in the stage where the AS notifies the authorization code to the
> client through the RO, the AS has not authenticated the client yet? Therefore,
> the AS cannot send the authorization code to the client directly. Instead, the
> AS will authenticate the client when the client sends the authorization code
> to the AS to exchange it for an access token?
>
> On Tue, 8 Jan 2013 23:31:22 -0800, Phil Hunt wrote:
>
>> The AS is independently authenticating the user and the client in separate
>> steps.
>>
>> Thus it is the AS binding that relation between user and client together,
>> ultimately in a scoped access token, through a 3-leg process.
>>
>> Phil
>> Sent from my phone.
>>
>> On 2013-01-08, at 23:18, cspzhouroc <[email protected]> wrote:
>>
>>> Do you mean the binding information must be presented by the RO? The
>>> client cannot trust the RO-client binding information that is received
>>> from the AS?
>>>
>>> On Tue, 8 Jan 2013 23:00:03 -0800, Phil Hunt wrote:
>>>
>>> The idea is to form a bridge between a user, their user-agent, and the
>>> client application while at the same time keeping the security credential
>>> and the client app cred separate.
>>> The redirect-with-code flow enables the separate contexts to be bound
>>> together.
>>> As soon as you do this in one step, then the client app needs to be able to
>>> handle the user's credentials (e.g. uid/pwd) directly. Remember that one of
>>> the original reasons for the auth flow was to eliminate the password
>>> anti-pattern.
>>>
>>> Phil
>>> Sent from my phone.
>>>
>>> On 2013-01-08, at 22:52, cspzhouroc <[email protected]> wrote:
>>>
>>> Dear Prabath:
>>>
>>> But is it possible to include the mapping between the user request and
>>> the code in the message that the AS sends to the client directly?
>>>
>>> Best Regards
>>>
>>> Brent
>>>
>>> On Wed, 9 Jan 2013 12:17:19 +0530, Prabath Siriwardena wrote:
>>>
>>> On Wed, Jan 9, 2013 at 12:09 PM, Peng Zhou <[email protected]> wrote:
>>>> Dear Prabath:
>>>>
>>>> Thank you very much for your responses :-)
>>>>
>>>> However, I am still not quite sure why the authorization code must be
>>>> sent to the client through the RO's user-agent?
>>> One reason I see is that bringing the authorization code via the User Agent
>>> links the user request to the authorization code. If the AS directly sends
>>> the code to the Resource Server, the mapping between the user request and
>>> the code is broken.
>>> Thanks & regards,
>>> -Prabath
>>>
>>>> Best Regards
>>>> Brent
>>>>
>>>> 2013/1/9 Prabath Siriwardena <[email protected]>:
>>>> > Prabath
>>>
>>> --
>>> Thanks & Regards,
>>> Prabath
>>> Mobile : +94 71 809 6732
>>>
>>> http://blog.facilelogin.com
>>> http://RampartFAQ.com
_______________________________________________ OAuth mailing list [email protected] https://www.ietf.org/mailman/listinfo/oauth
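The thread above argues two things: Phil's point that the AS authenticates the user (front channel, via the user-agent) and the client (back channel, at the token endpoint) in separate steps and binds them into one scoped token, and Prabath's point that routing the code through the user-agent is what lets the client map the code to the request it started. The following toy, in-memory model of that 3-leg authorization code exchange is an added example written for this page; it is not code from the thread, the OAuth WG, or any real OAuth library. Client ids, secrets, redirect URIs, the user "alice" and the scope string are constructed; real user login, TLS, PKCE and error responses are left out. Note where the AS deliberately does not authenticate the client (the `authorize` step) and where it does (the `token` step), and how `state` is what ties an incoming code to a pending request on the client side.

```python
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs


class AuthorizationServer:
    """Toy AS (constructed): authenticates the user on the front channel and the
    client on the back channel, in separate steps, and binds them in the token."""

    def __init__(self):
        self.clients = {}  # client_id -> {"secret": ..., "redirect_uri": ...}
        self.codes = {}    # code -> record binding user, client_id, redirect_uri, scope
        self.tokens = {}   # access_token -> {"user": ..., "client_id": ..., "scope": ...}

    def register_client(self, client_id, client_secret, redirect_uri):
        self.clients[client_id] = {"secret": client_secret, "redirect_uri": redirect_uri}

    def authorize(self, user, client_id, redirect_uri, scope, state):
        """Leg 1: the RO's user-agent is at the AS. `user` stands for the resource
        owner the AS has just authenticated (login UI omitted). The client is NOT
        authenticated here; the AS only checks the registered redirect_uri and hands
        the code back to the user-agent, never to the client directly."""
        reg = self.clients.get(client_id)
        if reg is None or reg["redirect_uri"] != redirect_uri:
            raise PermissionError("unknown client or redirect_uri mismatch")
        code = secrets.token_urlsafe(24)
        self.codes[code] = {"user": user, "client_id": client_id,
                            "redirect_uri": redirect_uri, "scope": scope, "used": False}
        return redirect_uri + "?" + urlencode({"code": code, "state": state})

    def token(self, client_id, client_secret, code, redirect_uri):
        """Leg 3 (back channel): now the AS authenticates the client and checks that
        the code was issued to this client, so user context and client context are
        bound together in one scoped access token."""
        reg = self.clients.get(client_id)
        if reg is None or not secrets.compare_digest(reg["secret"], client_secret):
            raise PermissionError("client authentication failed")
        rec = self.codes.get(code)
        if rec is None or rec["used"]:
            raise PermissionError("invalid or already used code")
        if rec["client_id"] != client_id or rec["redirect_uri"] != redirect_uri:
            raise PermissionError("code was not issued to this client")
        rec["used"] = True  # single use: a replayed code is refused
        tok = secrets.token_urlsafe(32)
        self.tokens[tok] = {"user": rec["user"], "client_id": client_id, "scope": rec["scope"]}
        return tok


class Client:
    """Toy client: it never sees the user's password, only a code and its own secret."""

    def __init__(self, client_id, client_secret, redirect_uri):
        self.client_id, self.client_secret, self.redirect_uri = client_id, client_secret, redirect_uri
        self.pending = {}  # state -> scope of the authorization request still outstanding

    def start(self, scope):
        state = secrets.token_urlsafe(16)
        self.pending[state] = scope
        return {"client_id": self.client_id, "redirect_uri": self.redirect_uri,
                "scope": scope, "state": state}

    def callback(self, redirect_url):
        """Leg 2: the user-agent delivers the code. `state` lets the client map the
        code to a request it actually started; a code with no matching state is refused."""
        q = parse_qs(urlsplit(redirect_url).query)
        state = q.get("state", [None])[0]
        if state not in self.pending:
            raise PermissionError("code does not belong to any request this client made")
        del self.pending[state]
        return q["code"][0]

    def exchange(self, as_, code):
        return as_.token(self.client_id, self.client_secret, code, self.redirect_uri)


def setup():
    """Constructed registrations: the honest client app1 and another registered client app2."""
    as_ = AuthorizationServer()
    as_.register_client("app1", "s3cret-app1", "https://app1.example/cb")
    as_.register_client("app2", "s3cret-app2", "https://app2.example/cb")
    return (as_, Client("app1", "s3cret-app1", "https://app1.example/cb"),
            Client("app2", "s3cret-app2", "https://app2.example/cb"))


def run_flow():
    """Happy path; returns what the AS bound into the issued token."""
    as_, app1, _ = setup()
    req = app1.start("read:photos")            # client -> user-agent -> AS
    redirect = as_.authorize("alice", **req)   # AS -> user-agent -> client (code in the URL)
    code = app1.callback(redirect)             # client ties the code to its own request
    token = app1.exchange(as_, code)           # client authenticates and gets the token
    return as_.tokens[token]


def rejected(action):
    try:
        action()
    except PermissionError:
        return True
    return False


def failure_modes():
    """Each entry is True when the AS or client refuses the misuse, as it should."""
    as_, app1, app2 = setup()
    code = app1.callback(as_.authorize("alice", **app1.start("read:photos")))
    results = {
        "other_client": rejected(lambda: app2.exchange(as_, code)),  # app2 cannot redeem app1's code
        "wrong_secret": rejected(lambda: as_.token("app1", "guess", code, app1.redirect_uri)),
    }
    app1.exchange(as_, code)
    results["replay"] = rejected(lambda: app1.exchange(as_, code))  # a code is single use
    stray = "https://app1.example/cb?" + urlencode({"code": "xyz", "state": "unknown"})
    results["no_matching_request"] = rejected(lambda: app1.callback(stray))  # no pending request
    return results
```

`run_flow()` returns the token's binding, `{"user": "alice", "client_id": "app1", "scope": "read:photos"}`, which exists only because the AS could tie the front-channel user context (via the code it issued) to the back-channel client context (via the client secret). `failure_modes()` shows what the separation buys: a second client cannot redeem the code even though it authenticates correctly, a wrong client secret is refused, the code cannot be replayed, and the client itself refuses a code that arrives without a matching outstanding `state`, which is the client-side half of the mapping the thread discusses.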
