Hi Craig
On 21/01/13 18:22, Craig McClanahan wrote:
I'm using CXF 2.7.2 and building out a server that will support the various
flows, in particular the Authorization Code Grant flow[1]. I'm a bit
puzzled, though, about the way that
RedirectionBasedGrantService#startAuthorization() expects the end user to
have already authenticated to the authorization server. This seems
different from the way I've seen OAuth 2 implemented at places like
salesforce.com, where the /authorize endpoint allows the user to *both*
authenticate themselves (username and password) *and* authorize the
particular client.
Was this design intentional? If so, is there a recommended technique to
implement this flow that *does* allow a combination of authentication and
authorization in a single redirect flow?
I think that from the end user's point of view, this is exactly what is
happening: the end user gets redirected to the "/authorize" endpoint, which
1) challenges the end user to authenticate (if no active session
exists), for example via a browser-based authentication mechanism; this is
enforced by the regular application authentication mechanism
2) the authorization server immediately returns an authorization form if the
user is authenticated
Actually, I may have just got it :-). You'd like to have a user, after an
initial redirect, facing a form asking both for the authentication info
and the authorization approval?
Hmm... I think 1) and 2) above are OK; the only downside is the not-too-
ideal user experience, where one dialog (authentication) is followed up
by another one (authorization). This is mitigated if SSO is in place.
But I wonder if presenting the authorization request to a user who
has not yet authenticated is actually safe. One limitation is also that
the authorization request page cannot be personalized; for example, if the
user has authenticated then the page may say "Welcome Barry, the
following third-party app would like to ...".
By the way, it looks like, according to
http://help.salesforce.com/help/doc/en/remoteaccess_oauth_web_server_flow.htm
and
http://help.salesforce.com/help/doc/en/remoteaccess_oauth_web_server_flow.htm
they do it the same way as it is supported in CXF?
Thanks, Sergey
Craig McClanahan
[1] http://tools.ietf.org/html/rfc6749#section-4.1
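A sketch of the two-step "/authorize" behaviour described in the reply above (step 1, authenticate if there is no session; step 2, show the authorization form only to an authenticated user), written as a plain JAX-RS resource. This is an added illustration, not code from the thread and not CXF's RedirectionBasedGrantService; AuthorizeResource, LOGIN_PAGE, "/login", "/authorize/decision" and the return_to parameter are assumed names, and it assumes Java 10+ (URLEncoder.encode with a Charset) and that the container's own authentication mechanism populates SecurityContext.

```java
import java.net.URI;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.Principal;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.QueryParam;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;
import javax.ws.rs.core.UriInfo;
// Hypothetical /authorize resource (not CXF's RedirectionBasedGrantService).
// Step 1) is left to whatever container mechanism populates SecurityContext;
// step 2) renders the consent form only once a principal is present.
@Path("/authorize")
public class AuthorizeResource {
    private static final String LOGIN_PAGE = "/login"; // hypothetical login form
    @GET
    public Response authorize(@Context SecurityContext sc, @Context UriInfo uriInfo,
                              @QueryParam("client_id") String clientId,
                              @QueryParam("redirect_uri") String redirectUri,
                              @QueryParam("state") String state) {
        Principal user = sc.getUserPrincipal();
        if (user == null) {
            // No active session: challenge the user first. The full request URI travels
            // along so that after login the browser re-enters /authorize with the same
            // client_id/redirect_uri/state and only then sees the authorization form.
            String returnTo = URLEncoder.encode(uriInfo.getRequestUri().toString(),
                                                StandardCharsets.UTF_8);
            return Response.seeOther(URI.create(LOGIN_PAGE + "?return_to=" + returnTo)).build();
        }
        // Authenticated: only now show (and personalize) the authorization request.
        // Hidden fields echo the request so the POST handler can re-validate it.
        String html = "<html><body><p>Welcome " + esc(user.getName())
            + ", the following third-party app would like to access your account: "
            + esc(clientId) + "</p><form method='post' action='/authorize/decision'>"
            + "<input type='hidden' name='client_id' value='" + esc(clientId) + "'/>"
            + "<input type='hidden' name='redirect_uri' value='" + esc(redirectUri) + "'/>"
            + "<input type='hidden' name='state' value='" + esc(state) + "'/>"
            + "<button name='decision' value='allow'>Allow</button>"
            + "<button name='decision' value='deny'>Deny</button></form></body></html>";
        return Response.ok(html, MediaType.TEXT_HTML).build();
    }
    // Minimal HTML escaping for values echoed into the consent page.
    private static String esc(String s) {
        return s == null ? "" : s.replace("&", "&amp;").replace("<", "&lt;")
                .replace(">", "&gt;").replace("\"", "&quot;").replace("'", "&#39;");
    }
}
```

The hypothetical login page must accept only same-origin return_to values before redirecting back, and the decision handler should check client_id and redirect_uri against the registered client and tie the POST to the session, since the hidden fields are client-controlled input.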