On Tue, Jan 22, 2013 at 3:22 AM, Sergey Beryozkin <[email protected]> wrote:
> Hi Craig
>
> Actually, I may've just got it :-), you'd like to have a user, after an initial redirect, facing a form asking both for the authentication info and the authorization approval ?

Yep, exactly.

> Hmm... I think 1) and 2) above is OK, the only downside is the not too ideal user experience, where one dialog (authentication) is followed up by another one (authorization). This is mitigated if SSO is in place.
>
> But I wonder if presenting the authorization request to the user which has not yet authenticated is actually safe. One limitation is also that the authorization request page can not be personalized, for ex, if the user has authenticated then the page may say "Welcome Barry, the following third-party app would like to ...".
>
> By the way, looks like according to
>
> http://help.salesforce.com/help/doc/en/remoteaccess_oauth_web_server_flow.htm
> and
> http://help.salesforce.com/help/doc/en/remoteaccess_oauth_web_server_flow.htm
>

What's not obvious from these diagrams is that the SalesForce "authorize" endpoint (https://login.salesforce.com/services/oauth2/authorize) does not require the user to be logged on yet, so you can do both operations on a single request. I suppose we'd want to recognize the user if they have been logged in, but allow them to log in and authorize if not.

Craig
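The single-request login-plus-consent behaviour discussed in this thread, written out as an added Python example (not CXF or Salesforce code). It validates the client and redirect_uri before rendering any page, personalizes the consent page when a session already exists, otherwise authenticates and records consent from one POST, and binds the issued code to the user authenticated in that same request. Client, user, session and code stores are constructed in-memory placeholders.

```python
# Added example: decision logic of an OAuth2 web-server-flow "authorize" endpoint
# that serves authentication and consent from one form. All stores are constructed.
import hmac
import secrets
from dataclasses import dataclass

CLIENTS = {"app1": {"redirect_uri": "https://app.example/cb", "name": "Third-Party App"}}
USERS = {"barry": "correct horse battery staple"}  # constructed; a real store holds hashes
SESSIONS = {}                                       # session_id -> username
CODES = {}                                          # code -> (client_id, username)


@dataclass
class Page:
    kind: str          # "consent", "login_and_consent", "redirect" or "error"
    detail: str = ""   # message to render, or the redirect target


def authorize(params, session_id=None, form=None):
    """GET (form is None) decides which page to render; POST (form given) acts on it."""
    client = CLIENTS.get(params.get("client_id"))
    state = params.get("state", "")
    # Check the client and its registered redirect_uri before showing anything, so an
    # unauthenticated visitor never sees a consent page for an unknown client.
    if client is None or params.get("redirect_uri") != client["redirect_uri"]:
        return Page("error", "invalid client_id or redirect_uri")
    user = SESSIONS.get(session_id)
    if form is None:
        if user:   # already authenticated: the page can be personalized
            return Page("consent", f"Welcome {user}, {client['name']} would like to ...")
        return Page("login_and_consent", f"{client['name']} would like to ...")
    # POST: establish identity first when there is no session, then act on the consent.
    if not user:
        username = form.get("username", "")
        expected = USERS.get(username)
        supplied = form.get("password", "")
        if expected is None or not hmac.compare_digest(expected.encode(), supplied.encode()):
            return Page("login_and_consent", "invalid credentials")
        user = username   # a real server would also create a session here
    if form.get("approve") != "yes":
        return Page("redirect", f"{client['redirect_uri']}?error=access_denied&state={state}")
    code = secrets.token_urlsafe(32)
    CODES[code] = (params["client_id"], user)   # code is bound to the authenticated user
    return Page("redirect", f"{client['redirect_uri']}?code={code}&state={state}")
```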
