----- Original Message ----
> From: Michael D Adams <m...@automattic.com>
> As Brian mentioned, the client-side component hosted on thirdparty.com
> does get the access token in the User Agent flow. That means the
> client-side script can access multiple protected resources (upload a
> photo, update the user's profile, flag the user as "online", download
> a friends list, whatever) in the same page load.
>
> If I'm interpreting your idea correctly, only one protected resource
> can be accessed per access token since the thirdparty.com app never
> sees the token. For every resource it needs, thirdparty.com has to
> send the user through the authorization server again. Am I mistaken?
In my example, after:
document.params.setAttribute("action", url);
you can add:
document.cookie="access_token=...
Theoretically, it'll create a cookie in the resource server domain (I'm saying
theoretically because I didn't test it). Next time the UA goes to the same
resource server, the latter can use the cookie to do authentication. It means
that you don't need to go to the authz server again until the token is expired.
If this is correct, why would you need to share the secret with the thirdparty.com
server? It actually makes the solution more secure if you don't, because the access
token is known to the UA only.
In my Ajax example you don't even need a cookie, because the access_token can be
stored in a JavaScript variable.
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
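Whether a cookie written by a page on thirdparty.com reaches a resource server on another host is decided by the RFC 6265 domain-matching rules, which is the check a practitioner would run before relying on the cookie idea above. The following is an added example, not code from this thread: it models the browser's decision, with thirdparty.com as the app host and resource.example.com as a constructed resource-server host (public-suffix handling is omitted as a simplification).

```javascript
// Added example (not from the thread): RFC 6265 cookie scoping, used to
// check which request hosts a cookie set via document.cookie is sent to.

// Domain-match (RFC 6265 section 5.1.3): the request host must equal the
// cookie domain or be a subdomain of it, and must not be an IP literal.
function domainMatches(requestHost, cookieDomain) {
  const host = requestHost.toLowerCase();
  const domain = cookieDomain.toLowerCase().replace(/^\./, "");
  if (host === domain) return true;
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(host)) return false; // IPv4 literal
  return host.endsWith("." + domain);
}

// Simulate `document.cookie = "access_token=...; Domain=<setCookieDomain>"`
// executed by a script running on `pageHost`. Without a Domain attribute the
// cookie is host-only. A Domain attribute that does not cover the page's own
// host is rejected by the user agent (section 5.3, step 6), so a script on
// thirdparty.com cannot create a cookie scoped to an unrelated host.
// Simplification: real browsers also reject public suffixes such as "com".
function storeCookieFromPage(pageHost, setCookieDomain) {
  const host = pageHost.toLowerCase();
  if (setCookieDomain === undefined) return { domain: host, hostOnly: true };
  const domain = setCookieDomain.toLowerCase().replace(/^\./, "");
  if (!domainMatches(host, domain)) return null; // ignored by the UA
  return { domain, hostOnly: false };
}

// Would the stored cookie be attached to a request to `requestHost`?
function cookieSentTo(cookie, requestHost) {
  if (cookie === null) return false;
  const host = requestHost.toLowerCase();
  return cookie.hostOnly ? host === cookie.domain
                         : domainMatches(host, cookie.domain);
}

// Constructed scenario: app page on app.thirdparty.com, resource server on
// resource.example.com (hypothetical host).
const hostOnlyCookie = storeCookieFromPage("app.thirdparty.com");
const crossHostAttempt = storeCookieFromPage("app.thirdparty.com", "resource.example.com");
const parentDomainCookie = storeCookieFromPage("app.thirdparty.com", "thirdparty.com");
```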