Hi all, I'm exploring the idea of an OAuth server comprising two separate components:
* Static *frontend* web app that handles all UI functionality
* Headless *backend* that never returns HTML

These two components would communicate via some well-defined internal protocol. For example, the frontend would be responsible for hosting the "/authorize" endpoint, which it might accomplish by steps like:

1. ask the user to sign in, perhaps via an internal Resource Owner Password Credentials Flow to the backend
2. call a special "/code" endpoint on the backend, which generates an authorization code for the client that's attempting to authorize
3. return this code to the client via in-browser redirect

And the backend would host the "/token" endpoint, responding directly to an authorized client. All this could happen without cookies, and without tight coupling between the two components.

Does something like this exist? Are there obvious security show-stoppers? Is anyone aware of an effort to standardize what the "well-defined protocol" between these components would look like?

Thanks for your help!

-Josh
_______________________________________________ OAuth mailing list [email protected] https://www.ietf.org/mailman/listinfo/oauth
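An added, in-memory sketch of the split described in the post (illustrative code, not Josh's design or any existing server): the frontend's "/authorize" obtains a code from the backend's internal "/code" call, and the backend's "/token" enforces the checks that keep that hand-off safe. The method names, the client registry, the 60-second code lifetime and the choice to store only a hash of the code are assumptions made for this example.

```python
import hashlib
import secrets
import time

CODE_TTL_SECONDS = 60  # assumed lifetime for an authorization code


class Backend:
    """Headless backend: owns the code store and the public /token endpoint."""

    def __init__(self):
        self._codes = {}  # sha256(code) -> metadata; the raw code is never stored
        # Constructed client registry: client_id -> registered redirect_uri.
        self._clients = {"web-client": "https://app.example/cb"}

    def issue_code(self, user_id, client_id, redirect_uri, now=None):
        """Internal '/code' call made by the trusted frontend after sign-in."""
        if self._clients.get(client_id) != redirect_uri:
            raise ValueError("unknown client or redirect_uri mismatch")
        code = secrets.token_urlsafe(32)
        now = time.time() if now is None else now
        self._codes[hashlib.sha256(code.encode()).hexdigest()] = {
            "user": user_id, "client": client_id,
            "redirect_uri": redirect_uri, "expires": now + CODE_TTL_SECONDS,
        }
        return code

    def token(self, code, client_id, redirect_uri, now=None):
        """Public '/token' endpoint: single-use, time-limited, client-bound."""
        # pop() burns the code on first presentation, valid or not, so a
        # replayed or guessed code can never be redeemed a second time.
        entry = self._codes.pop(hashlib.sha256(code.encode()).hexdigest(), None)
        if entry is None:
            raise ValueError("unknown or already-used code")
        now = time.time() if now is None else now
        if now > entry["expires"]:
            raise ValueError("code expired")
        if entry["client"] != client_id or entry["redirect_uri"] != redirect_uri:
            raise ValueError("code was issued to a different client/redirect")
        return {"access_token": secrets.token_urlsafe(32), "sub": entry["user"]}


class Frontend:
    """Static UI component: hosts /authorize but never mints tokens itself."""

    def __init__(self, backend):
        self.backend = backend

    def authorize(self, user_id, client_id, redirect_uri):
        # Step 1 (sign-in) is assumed complete; step 2 asks the backend for a
        # code; step 3 is the redirect the browser would be sent to.
        code = self.backend.issue_code(user_id, client_id, redirect_uri)
        return f"{redirect_uri}?code={code}"
```

Because the frontend only ever holds a short-lived, single-use code and all binding checks live in the backend, a compromised or misbehaving frontend cannot mint tokens on its own.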
