Dear SuJing: If it is the only reason, why we send the authorization code to the client directly and send another notification without the authorization code to the RO. This way can mitigate the chance that the authorization code is exposed to the RO's user-agent, hence protecting the authorization code from leaking to possible attackers in a higher security levle.
Best Regards Brent 2013/1/9 <[email protected]>: > > Then why not let auth code be sent directly from AS to Client? > > Just want to inform RO that an auth code has been dilivered to Client? > > [email protected] 写于 2013-01-09 14:27:50: > >> Hi Brent, >> >> Few points, why this doesn't create any security implications.. >> >> 1. Authorization server maintains a binding to the Client, who the >> token was issued to. To exchange this to an Access token client >> should authenticate him self. >> 2. Code can only be exchanged once for an acces token. >> >> Thanks & regards, >> -Prabath > >> On Wed, Jan 9, 2013 at 6:56 AM, cspzhouroc <[email protected] >> > wrote: >> Dear All: >> >> I have a question in the section 1.3.1. Authorization Code in rfc6749 >> The OAuth 2.0 Authorization Framework. >> >> It tells "which in turn directs the resource owner back to the client >> with the authorization code." >> >> Who can let me know the reason why is the authorization code sent to >> client through a redirection in resource owner's agent? Any security >> implications? >> >> Is it possible to let the authorization server send the authorization >> code to the client directly (not through resource owner's user-agent)? >> >> Best Regards >> Brent >> >> _______________________________________________ >> OAuth mailing list >> [email protected] >> https://www.ietf.org/mailman/listinfo/oauth > >> > >> >> -- >> Thanks & Regards, >> Prabath >> >> Mobile : +94 71 809 6732 >> >> http://blog.facilelogin.com >> http://RampartFAQ.com_______________________________________________ > >> OAuth mailing list >> [email protected] >> https://www.ietf.org/mailman/listinfo/oauth _______________________________________________ OAuth mailing list [email protected] https://www.ietf.org/mailman/listinfo/oauth
