Hi,

Just wanted to drop a short update on my GSoC progress. I am following your hints and implementing the next OAuth endpoints according to the spec. I have also started a demo CXF OAuth server implementation (I deploy it on GAE) that helps me in testing and shows how to use the oauth module. I hope to commit changes next week.
Cheers,
Lukasz

2010/6/22 Sergey Beryozkin <sberyoz...@gmail.com>

> Hi
>
> On Mon, Jun 21, 2010 at 11:20 PM, Łukasz Moreń <lukasz.mo...@gmail.com> wrote:
>
> > Hi,
> >
> > I'm going to implement the second OAuth endpoint, called Resource Owner
> > Authorization.
> > I will explain this endpoint briefly to make my question clearer.
> >
> > The client (third-party app) makes a request to the mentioned endpoint in
> > order to obtain approval for accessing the user's (resource owner's)
> > resources. Example request URI:
> >
> > https://www.server-with-cool-pictures.com/authorize?oauth_token=hh5s93j4hdidpola
> >
> > As the response, the authorization server:
> > 1. requests the user (resource owner) to sign in using his username and
> >    password,
> > 2. if successful, asks the user to approve granting the client (third-party
> >    app) access to protected resources,
> > 3. redirects the resource owner to the client's callback URL with a unique
> >    verification code (or displays it in case a callback URL is not provided).
> >
> > I am not sure what this endpoint implementation should look like. It
> > requires a UI to authenticate the user and confirm third-party app access,
> > so some generic solution is needed.
> > When the client makes a request to the Resource Owner Authorization URI
> > with oauth_token, I can validate that request and redirect to the UI login
> > page.
> > I don't know how, after the user's actions (login and client confirmation),
> > to go back to my service and redirect to the client's (third-party app's)
> > callback URL with the generated validation code.
> >
>
> The client starts by redirecting the end user to the Resource Owner
> Authorization (ROA) URI. So the endpoint dealing with the ROA URI has an end
> user's agent (browser, the client code) waiting. Now, as you said, the end
> user will need to be presented with a consumer/request token authorization
> form.
>
> This form will need to have a URI pointing back to the server, to yet
> another endpoint, the ROA Confirmation URI, so that when the end user
> presses OK in his browser the server can get the confirmation. Once the
> server gets the confirmation it will just need to redirect the end user
> back to the consumer, using the callback URI the consumer provided earlier
> on. I've been using 303 in my own work, but I was looking at OAuth 2.0
> recently and they use 302. You can set this status on the JAXRS Response,
> and the Location header to the callback URI.
>
> Hope it helps, Sergey
>
> > Any help on that?
> >
> > Cheers,
> > Lukasz Moren
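The two endpoints Sergey describes (the ROA URI that shows the approval form and the ROA Confirmation URI that records the approval and redirects back to the consumer), written out as a plain JAX-RS 1.1 resource. This is an added illustration for the thread, not code from CXF's oauth module or from either poster. The package and class names are hypothetical, the in-memory token map is constructed sample state (the token value is the one from the example URI in the thread), the "oob" callback marker follows the RFC 5849 convention for "no callback URL", and the 303 status is the choice from Sergey's own work, with 302 being what OAuth 2.0 uses.

```java
package demo.oauth; // hypothetical package, not CXF's

import java.net.URI;
import java.security.SecureRandom;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

import javax.ws.rs.FormParam;
import javax.ws.rs.GET;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.QueryParam;
import javax.ws.rs.WebApplicationException;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;
import javax.ws.rs.core.UriBuilder;
import javax.ws.rs.core.UriInfo;

/** Resource Owner Authorization (ROA) URI plus the ROA Confirmation URI that the form posts to. */
@Path("/authorize")
public class ResourceOwnerAuthorizationResource {

    /** State of one request token, as recorded when the consumer obtained it (endpoint not shown). */
    static final class RequestToken {
        final String consumerKey;
        final String callback;    // consumer's callback URI, or "oob" when none was given
        volatile String verifier; // null until the resource owner approves
        RequestToken(String consumerKey, String callback) {
            this.consumerKey = consumerKey;
            this.callback = callback;
        }
    }

    // Constructed sample state: one pending request token issued to a demo consumer.
    static final Map<String, RequestToken> TOKENS = new ConcurrentHashMap<String, RequestToken>();
    static {
        TOKENS.put("hh5s93j4hdidpola",
                   new RequestToken("cool-pictures-app", "https://client.example/callback"));
    }
    private static final SecureRandom RANDOM = new SecureRandom();

    /** ROA URI: the consumer redirected the end user's browser here with oauth_token. */
    @GET
    @Produces(MediaType.TEXT_HTML)
    public Response showAuthorizationForm(@QueryParam("oauth_token") String token,
                                          @Context SecurityContext sc, @Context UriInfo ui) {
        requireSignedIn(sc);                  // login is handled by the container's security setup
        RequestToken rt = lookupPending(token);
        URI confirmUri = ui.getBaseUriBuilder().path("authorize/confirm").build();
        // The hidden field carries the token back; a production form also needs an anti-CSRF
        // value bound to the user's session so a third party cannot submit the approval.
        String html = "<html><body><p>Allow <b>" + escape(rt.consumerKey)
            + "</b> to access your pictures?</p>"
            + "<form method='post' action='" + escape(confirmUri.toString()) + "'>"
            + "<input type='hidden' name='oauth_token' value='" + escape(token) + "'/>"
            + "<input type='submit' value='OK'/></form></body></html>";
        return Response.ok(html).build();
    }

    /** ROA Confirmation URI: the end user pressed OK in the form above. */
    @POST
    @Path("/confirm")
    public Response confirm(@FormParam("oauth_token") String token, @Context SecurityContext sc) {
        requireSignedIn(sc);
        RequestToken rt = lookupPending(token);
        rt.verifier = newVerifier();          // token moves from "pending" to "authorized"

        if ("oob".equals(rt.callback)) {
            // No callback registered: show the code for the user to hand to the consumer.
            return Response.ok("Verification code: " + rt.verifier, MediaType.TEXT_PLAIN).build();
        }
        // Redirect only to the callback stored with the token, never to one taken from this request.
        URI location = UriBuilder.fromUri(rt.callback)
            .queryParam("oauth_token", token)
            .queryParam("oauth_verifier", rt.verifier)
            .build();
        return Response.status(303).location(location).build(); // 302 if following OAuth 2.0
    }

    private static void requireSignedIn(SecurityContext sc) {
        if (sc.getUserPrincipal() == null) {
            throw new WebApplicationException(Response.Status.UNAUTHORIZED);
        }
    }

    /** Rejects unknown tokens and tokens that were already approved, so a code is issued once. */
    private static RequestToken lookupPending(String token) {
        RequestToken rt = token == null ? null : TOKENS.get(token);
        if (rt == null || rt.verifier != null) {
            throw new WebApplicationException(Response.Status.BAD_REQUEST);
        }
        return rt;
    }

    private static String newVerifier() {
        byte[] bytes = new byte[16];
        RANDOM.nextBytes(bytes);
        StringBuilder sb = new StringBuilder();
        for (byte b : bytes) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    private static String escape(String s) {
        return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
                .replace("\"", "&quot;").replace("'", "&#39;");
    }
}
```

The two checks worth keeping when adapting this are that the callback URI comes from the server-side record made when the request token was issued (so the confirmation step cannot be turned into an open redirect), and that a token is accepted by the confirmation endpoint only while it is still pending, so each approval yields exactly one verification code.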