That sounds reasonable to me. Makes sense that we'd want to make sure the spec doesn't preclude artifact binding, while still keeping it clear for the main use case (which is just putting parameters in the URL).
On Jul 12, 2010, at 7:51 PM, Nat Sakimura wrote: > As of -10, the Authorization Request Parameters are required to be > passed as part of the Authorization Request URI query component. > > I would like to see it relaxed a bit so that they do not have to be a > part of the URL but can be passed by reference. > > In the proposal that I have submit a while ago, I proposed to have > > 1) The parameters to be captured in JSON that can be obtained through a URL > 2) Pass this URL to the end-user authorization endpoint through a > parameter 'request_url' > > I have enumerated numerous merit of this approach and I believe we had > an agreement that this would be useful from both security and > usability perspective. > > However, as the current text is written, the parameters have to be > sent as URI query component. > > In -10, it is written as: > > In order to direct the end-user's user-agent to the authorization > server, the client constructs the request URI by adding the following > parameters to the end-user authorization endpoint URI query component > using the "application/x-www-form-urlencoded" format as defined by > [W3C.REC-html401-19991224]: > > (parm defs) > > The client directs the end-user to the constructed URI using an HTTP > redirection response, or by other means available to it via the end- > user's user-agent. The authorization server MUST support the use of > the HTTP "GET" method for the end-user authorization endpoint, and > MAY support the use of the "POST" method as well. > > Instead I would propose something like: > > In order to obtain the end-user's authorization, the client sends the > following parameters to the end-user authorization endpoint. > > (param defs) > > The client directs the end-user to the end-user authorization endpoint > URI using an HTTP redirection response, or by other means available to > it via the end-user's user-agent. The authorization server MUST > support the use of > the HTTP "GET" method for the end-user authorization endpoint, and > MAY support the use of the "POST" method as well. The authorization > server MUST support the parameters being passed as the query component > using the "application/x-www-form-urlencoded" format as defined by > [W3C.REC-html401-19991224]. > > > I also have a comment on the structure of the section 3. > I should have noticed this much earlier but currently the section 3 is > structured as: > > 3. Obtaining End-User Authorization > 3.1. Authorization Response > 3.2. Error Response > > Would it not be better to be something like below? > > 3. Obtaining End-User Authorization > 3.1. Authorization Request > 3.2. Authorization Response > 3.3. Error Response > > -- > Nat Sakimura (=nat) > http://www.sakimura.org/en/ > http://twitter.com/_nat_en > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth _______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
