Hello,

This might be a stupid question, but why is the redirect to the STS login page happening in the OAuth2 spec (and SAML previously) for cross-domain SSO? Our marketing department is against this redirect, as it means that users are jumping out of the e-commerce shopping flow. They would prefer a login mechanism in which the login page remains embedded in the e-commerce websites. Having flexibility in login options is not necessary for us. We do not expect to move away from username/password anytime soon.

We are thinking about an embedded login page that does an HTTP POST to the STS (to have the cross-domain SSO cookies) but renders the login form within the e-commerce website. Was there any good reason why the OAuth2/SAML specs redirect to an STS-hosted page, except flexibility in login options and the STS as the trusted authentication system? We are considering such a custom solution, but at the same time we would like to be sure that we are not missing some important security aspects that might make our authentication solution vulnerable.

Kind regards,
Pieter
_______________________________________________ OAuth mailing list [email protected] https://www.ietf.org/mailman/listinfo/oauth
