Hi

On Mon, Jun 21, 2010 at 11:20 PM, Łukasz Moreń <lukasz.mo...@gmail.com> wrote:
> Hi,
>
> I'm going to implement the second OAuth endpoint called: Resource Owner
> Authorization.
> I will explain this endpoint briefly to make my question clearer.
>
> The client (third-party app) makes a request to the mentioned endpoint in order to
> obtain approval for accessing user (resource owner) resources.
> Example request URI:
>
> https://www.server-with-cool-pictures.com/authorize?oauth_token=hh5s93j4hdidpola
>
> As the response the authorization server:
> 1. requests the user (resource owner) to sign in using his username and
> password,
> 2. if successful, asks the user to approve granting the client (third-party app)
> access to protected resources,
> 3. redirects the resource owner to the client's callback URL with a unique
> verification code (or displays it in case a callback URL is not provided).
>
> I am not sure what this endpoint implementation should look like. It
> requires a UI to authenticate the user and confirm third-party app access, so
> some generic solution is needed.
> When the client makes a request on the Resource Owner Authorization URI with
> oauth_token I can validate that request and redirect to the UI login page.
> I don't know how, after the user actions (login and client confirmation), to go
> back to my service and redirect to the client (third-party app) callback URL
> with the generated validation code.
>

The client starts by redirecting the end user to the Resource Owner Authorization (ROA) URI. So the endpoint dealing with the ROA URI has an end user's agent (browser, the client code) waiting. Now, as you said, the end user will need to be presented with a consumer/request token authorization form. This form will need to have a URI pointing back to the server, to yet another endpoint, the ROA Confirmation URI, so that when the end user presses OK in his browser the server can get the confirmation.

Once the server gets the confirmation it will just need to redirect the end user back to the consumer, using the callback URI the consumer provided earlier on. I've been using 303 in my own work, but I was looking at OAuth 2.0 recently and they use 302. You can set this status on the JAXRS Response, and the Location header to the callback URI.

Hope it helps,
Sergey

> Any help on that?
>
> Cheers,
> Lukasz Moren
>
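The ROA Confirmation endpoint Sergey describes (step 3 of Lukasz's list), as an added example written for this thread, not code from CXF or from either poster. It assumes a JAX-RS container that has already authenticated the user, and a hypothetical TokenStore holding each request token together with the callback the client registered at the request-token step; the consent form itself, which posts oauth_token, a session-bound form_nonce and the user's decision here, is left out.

```java
import java.net.URI;
import java.security.SecureRandom;
import java.util.Base64;
import javax.ws.rs.*;
import javax.ws.rs.core.*;
// Hypothetical store behind the request-token endpoint: it keeps each issued
// request token together with the callback the client registered for it.
interface TokenStore {
    String callbackFor(String token);   // null if the token is unknown, expired or already authorized
    boolean consumeFormNonce(String user, String token, String nonce); // one-shot CSRF nonce from the form
    void authorize(String token, String user, String verifier);
    void remove(String token);
}

@Path("/authorize/confirm")
public class ResourceOwnerConfirmation {
    private final TokenStore store;
    private final SecureRandom random = new SecureRandom();
    public ResourceOwnerConfirmation(TokenStore store) { this.store = store; }

    // Target of the consent form; the container has already authenticated the user.
    @POST
    public Response confirm(@FormParam("oauth_token") String token,
                            @FormParam("form_nonce") String nonce,
                            @FormParam("decision") String decision,
                            @Context SecurityContext sc) {
        String user = sc.getUserPrincipal() == null ? null : sc.getUserPrincipal().getName();
        String callback = store.callbackFor(token);
        if (user == null || callback == null || !store.consumeFormNonce(user, token, nonce)) {
            return Response.status(Response.Status.BAD_REQUEST).build(); // unknown/used token or forged POST
        }
        if (!"allow".equals(decision)) {
            store.remove(token);                       // denied: the token can never be exchanged
            return Response.ok("Access denied").build();
        }
        byte[] raw = new byte[16];                     // 128-bit verifier, bound to this token and user
        random.nextBytes(raw);
        String verifier = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        store.authorize(token, user, verifier);
        // OAuth 1.0a: the callback was fixed at the request-token step, not taken from
        // this request, so the verifier cannot be sent to a host of the requester's choosing.
        if ("oob".equals(callback)) {                  // no callback registered: show the code instead
            return Response.ok("Verification code: " + verifier).build();
        }
        URI target = UriBuilder.fromUri(callback)
            .queryParam("oauth_token", token).queryParam("oauth_verifier", verifier).build();
        return Response.seeOther(target).build();     // 303 + Location; Response.status(302).location(target) for 302
    }
}
```

The nonce check and the refusal to accept a callback from the confirmation request are what keep a forged POST or a crafted authorization link from granting or leaking a verifier.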