Hi David, Good to see you on Saturday.
This is what I was referring to over the lunch. Separate endpoint still does not seem to meet the current section 3. =nat ---------- Forwarded message ---------- From: Nat Sakimura <sakim...@gmail.com> Date: Tue, Jul 13, 2010 at 11:51 AM Subject: Alternative ways to pass Authorization Request Parameters To: oauth <oauth@ietf.org> As of -10, the Authorization Request Parameters are required to be passed as part of the Authorization Request URI query component. I would like to see it relaxed a bit so that they do not have to be a part of the URL but can be passed by reference. In the proposal that I have submit a while ago, I proposed to have 1) The parameters to be captured in JSON that can be obtained through a URL 2) Pass this URL to the end-user authorization endpoint through a parameter 'request_url' I have enumerated numerous merit of this approach and I believe we had an agreement that this would be useful from both security and usability perspective. However, as the current text is written, the parameters have to be sent as URI query component. In -10, it is written as: In order to direct the end-user's user-agent to the authorization server, the client constructs the request URI by adding the following parameters to the end-user authorization endpoint URI query component using the "application/x-www-form-urlencoded" format as defined by [W3C.REC-html401-19991224]: (parm defs) The client directs the end-user to the constructed URI using an HTTP redirection response, or by other means available to it via the end- user's user-agent. The authorization server MUST support the use of the HTTP "GET" method for the end-user authorization endpoint, and MAY support the use of the "POST" method as well. Instead I would propose something like: In order to obtain the end-user's authorization, the client sends the following parameters to the end-user authorization endpoint. (param defs) The client directs the end-user to the end-user authorization endpoint URI using an HTTP redirection response, or by other means available to it via the end-user's user-agent. The authorization server MUST support the use of the HTTP "GET" method for the end-user authorization endpoint, and MAY support the use of the "POST" method as well. The authorization server MUST support the parameters being passed as the query component using the "application/x-www-form-urlencoded" format as defined by [W3C.REC-html401-19991224]. I also have a comment on the structure of the section 3. I should have noticed this much earlier but currently the section 3 is structured as: 3. Obtaining End-User Authorization 3.1. Authorization Response 3.2. Error Response Would it not be better to be something like below? 3. Obtaining End-User Authorization 3.1. Authorization Request 3.2. Authorization Response 3.3. Error Response -- Nat Sakimura (=nat) http://www.sakimura.org/en/ http://twitter.com/_nat_en -- Nat Sakimura (=nat) http://www.sakimura.org/en/ http://twitter.com/_nat_en _______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
