Hi
On 22/01/13 16:54, Craig McClanahan wrote:
On Tue, Jan 22, 2013 at 3:22 AM, Sergey Beryozkin <[email protected]> wrote:

Hi Craig

Actually, I may've just got it :-), you'd like to have a user, after an
initial redirect, facing a form asking both for the authentication info and
the authorization approval ?

Yep, exactly.


Hmm... I think 1) and 2) above are OK, the only downside is the not too
ideal user experience, where one dialog (authentication) is followed up by
another one (authorization). This is mitigated if SSO is in place.

But I wonder if presenting the authorization request to the user which has
not yet authenticated is actually safe. One limitation is also that the
authorization request page can not be personalized, for ex, if the user has
authenticated then the page may say "Welcome Barry, the following
third-party app would like to ...".

By the way, looks like according to

http://help.salesforce.com/help/doc/en/remoteaccess_oauth_web_server_flow.htm
and
http://help.salesforce.com/help/doc/en/remoteaccess_oauth_web_server_flow.htm

What's not obvious from these diagrams is that the SalesForce "authorize"
endpoint (https://login.salesforce.com/services/oauth2/authorize) does not
require the user to be logged on yet, so you can do both operations on a
single request. I suppose we'd want to recognize the user if they have
been logged in,

Yes, sure - this can be done with SSO support, the existing providers (we have a demo for it) or OpenId-Connect ones going forward

but allow them to log in and authorize if not.

Yes, the only limitation in CXF at the moment is that it does it with a sequence of forms, whereas you'd like to have a single form asking for both authentication credentials and the authorization approval/denial in the same/single view - obviously a presentation builder would need to know somehow of the authentication scheme supported by AS.

I need to think a bit more about it.

Thanks, Sergey



Craig


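The combined login-plus-consent flow discussed above, as an added illustration in Python that is neither CXF code nor anything posted in this thread: the authorization request is validated and stored server-side before any form is rendered, an already authenticated (SSO) session gets the personalized consent view, and for an unauthenticated session the approval is applied only after the submitted credentials verify. The client, user and scope values are constructed for the example.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample registry (hypothetical): one client, one user.
CLIENTS = {"app123": {"redirect_uri": "https://app.example/cb", "name": "Calendar Sync"}}
USERS = {"barry": "s3cret"}  # plaintext only to keep the example short

@dataclass
class Session:
    user: Optional[str] = None                   # set once authenticated (login or SSO)
    pending: dict = field(default_factory=dict)  # authorization requests awaiting a decision

def begin_authorize(session, client_id, redirect_uri, scope):
    """GET /authorize: validate client and redirect_uri before any form is shown."""
    client = CLIENTS.get(client_id)
    if client is None or client["redirect_uri"] != redirect_uri:
        return {"view": "error", "reason": "invalid_client_or_redirect"}
    # Keep the request parameters server-side; the form only carries an opaque id,
    # so the POST cannot swap client_id or redirect_uri.
    req_id = secrets.token_urlsafe(16)
    session.pending[req_id] = {"client_id": client_id, "scope": scope}
    if session.user:  # SSO case: personalized consent page
        return {"view": "consent", "req_id": req_id,
                "greeting": f"Welcome {session.user}, {client['name']} would like to {scope}"}
    return {"view": "login_and_consent", "req_id": req_id, "app": client["name"]}

def finish_authorize(session, req_id, decision, username=None, password=None):
    """POST of either form: authenticate first, only then apply the approval/denial."""
    req = session.pending.get(req_id)
    if req is None:
        return {"error": "unknown_request"}
    if session.user is None:
        if username not in USERS or not hmac.compare_digest(USERS[username], password or ""):
            # Decision is discarded; the pending request stays so the form can be re-shown.
            return {"error": "authentication_failed"}
        session.user = username
    session.pending.pop(req_id)  # the decision is final: one use per request id
    if decision != "approve":
        return {"error": "access_denied", "client_id": req["client_id"]}
    code = secrets.token_urlsafe(24)  # bound to the authenticated user and the client
    return {"code": code, "client_id": req["client_id"], "user": session.user, "scope": req["scope"]}
```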