On Tue, Apr 20, 2010 at 10:29 PM, Torsten Lodderstedt < tors...@lodderstedt.net> wrote:
> Am 21.04.2010 02:45, schrieb Evan Gilbert:
>
>> On Tue, Apr 20, 2010 at 12:57 PM, Torsten Lodderstedt <tors...@lodderstedt.net> wrote:
>>
>>> Hi all,
>>>
>>> I would like to propose an additional variant of the Web Server Flow w/o
>>> the need for direct communication between client and authorization server in
>>> order to obtain authorized access/refresh tokens. Instead access and refresh
>>> tokens should directly be sent back with the redirect to the client as it is
>>> the case in the User-Agent Flow.
>>
>> Question (and sorry if I'm being dense) - what is the delta between Web
>> Server flow + verification_code=false and User-Agent flow?
>
> This is not a dense question :-)
>
> The User Agent Flow adds the data as URL fragment which is not passed to
> the web server (as far as I understand). My proposal adds this data as URL
> query parameters, which are passed to the web server by the user agent.

At one point we had tokens in query string for the User-Agent flow, but there
were concerns about the security side. Query parameters are much more likely to
leak in logs and in referrers.

It's not a lot of work to support this functionality with the existing
User-Agent flow using a boilerplate response page. Page would:

1. Grab fragment
2. Make XMLHttpRequest with access token & refresh token to server, or POST a form
3. Redirect to destination page.

Would this work?

> I think the delta is small in terms of specification but the benefit for
> large-scale OAuth 2.0 deployments would be significant.
>
> regards,
> Torsten.
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
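The three-step "boilerplate response page" Evan sketches above, written out as an added example (not code from the thread, the OAuth 2.0 draft, or either participant). It assumes a hypothetical relay endpoint `/oauth/relay`, a destination page `/app`, and that the server put the `state` value it sent to the authorization server into `sessionStorage` under `oauth_state` before redirecting the browser; `fetch()` stands in for the `XMLHttpRequest` of the original post. The tokens only ever live in the URL fragment and in the POST body, which is the point of the flow: they never enter the query string, so they stay out of server logs and Referer headers.

```javascript
// Added example (not from the thread or the OAuth 2.0 draft): a boilerplate
// "response page" for the User-Agent flow. The authorization server redirects
// to this page with the tokens in the URL fragment; the page relays them to
// the web server in a POST body and then redirects the user on.
//
// Assumptions (hypothetical, chosen for the example): the relay endpoint is
// /oauth/relay, the destination page is /app, and the server stored the CSRF
// "state" value it sent to the authorization server in sessionStorage under
// "oauth_state". fetch() stands in for the XMLHttpRequest of the original post.

const RELAY_ENDPOINT = "/oauth/relay";
const DESTINATION = "/app";
const TOKEN_KEYS = ["access_token", "refresh_token", "expires_in", "state"];

// Parse "#k1=v1&k2=v2" (or "?k1=v1", or a bare body) into an object.
// Later duplicates overwrite earlier ones; "+" is treated as a space.
function parseParams(str) {
  const params = {};
  const body = /^[#?]/.test(str) ? str.slice(1) : str;
  if (!body) return params;
  for (const pair of body.split("&")) {
    if (!pair) continue;
    const eq = pair.indexOf("=");
    const rawKey = eq === -1 ? pair : pair.slice(0, eq);
    const rawVal = eq === -1 ? "" : pair.slice(eq + 1);
    const key = decodeURIComponent(rawKey.replace(/\+/g, " "));
    if (key) params[key] = decodeURIComponent(rawVal.replace(/\+/g, " "));
  }
  return params;
}

// Step 1: grab the fragment and decide what to relay. Refuses to proceed
// without an access token, or when the returned state does not match the
// value the server issued (otherwise an attacker could splice their own
// tokens into a victim's session by luring them to a crafted fragment).
// A deployment should always issue a state; the null check only keeps the
// example usable when none was stored.
function buildRelay(fragment, expectedState) {
  const p = parseParams(fragment);
  if (!p.access_token) return { ok: false, reason: "missing access_token" };
  if (expectedState !== null && expectedState !== undefined && p.state !== expectedState) {
    return { ok: false, reason: "state mismatch" };
  }
  const body = {};
  for (const k of TOKEN_KEYS) if (k in p) body[k] = p[k];
  return { ok: true, body };
}

// Sanity check for the concern raised in the thread: a token in the query
// string (location.search) has already been sent to the server and will
// leak via access logs and Referer headers. The page can detect and refuse it.
function tokenInQuery(search) {
  const q = parseParams(search);
  return "access_token" in q || "refresh_token" in q;
}

// Steps 2 and 3: POST the tokens to the server, then redirect.
async function relayAndRedirect(win) {
  if (tokenInQuery(win.location.search)) {
    throw new Error("tokens arrived in the query string; refusing to relay");
  }
  const result = buildRelay(win.location.hash, win.sessionStorage.getItem("oauth_state"));
  // Scrub the fragment from the address bar and history before anything else.
  win.history.replaceState(null, "", win.location.pathname);
  if (!result.ok) throw new Error(result.reason);
  const resp = await win.fetch(RELAY_ENDPOINT, {
    method: "POST",
    credentials: "same-origin",
    headers: { "Content-Type": "application/json" },
    body: JSON.stringify(result.body),
  });
  if (!resp.ok) throw new Error("relay failed: HTTP " + resp.status);
  win.location.replace(DESTINATION);
}

// Runs only in a browser; harmless when the file is loaded elsewhere.
if (typeof window !== "undefined") {
  relayAndRedirect(window).catch((e) => console.error(e));
}
```

The relay POST is same-origin and carries the session cookie, so the server can bind the tokens to the user's session; the `state` comparison is what stops a third party from injecting tokens of their own into that session. Note that `history.replaceState` is called before the relay result is checked, so the fragment is scrubbed even on the failure path.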