> I can't really understand how steps D, E and F work. Once I get the
> access_token in the fragment, what happens then?

In step C the client receives from the authorization server an access token in the fragment part of the redirection URL, which the client provided to the authorization server in step A. In step D the client follows that URL (without sending the fragment). In step E the client receives a script embedded in an HTML page (in response to the request of step D). In step F the client runs the script locally. The script extracts the access token from the URL received in step C and passes it to the client.

> How can I prevent a malicious user from checking the source of my user-agent app,
> getting the app-id and repeating the same steps from his own application somewhere
> else?

I do not see how it can be done. The client's authentication to the authorization server is not specified clearly in the draft. The specification says: "These clients cannot keep client secrets confidential and the authentication of the client is based on the user-agent's same-origin policy". Can anyone explain how the client's authentication works in the User-Agent use case?

Zachary

________________________________
From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf Of Jonathan Leibiusky
Sent: Monday, August 30, 2010 9:45 AM
To: oauth@ietf.org
Subject: [OAUTH-WG] Doubts about the User-Agent Profile in OAuth2

Hi,

I read the OAuth2 draft and I still have lots of doubts regarding security when talking about the User-Agent Profile.

I can't really understand how steps D, E and F work. Once I get the access_token in the fragment, what happens then?

How can I prevent a malicious user from checking the source of my user-agent app, getting the app-id and repeating the same steps from his own application somewhere else?

Thanks!

Jonathan
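The step-F script from the exchange above, as an added example that is not part of the thread or of the OAuth draft: it parses the fragment the user-agent received in step C, refuses the token if the authorization server returned an error or if the `state` value does not match the one the client generated before step A (the `state` parameter and its local storage are assumptions, not something the thread describes), and hands the token to the client's own code. It is written as pure functions so it runs outside a browser; in a page the caller would pass `window.location.hash` and then clear the fragment with `history.replaceState`.

```javascript
// Parse the fragment part of a redirect URL ("#access_token=...&expires_in=...")
// into a plain object. Keys and values are percent-decoded. The fragment is never
// sent to the server in step D, so only this local script can read it.
function parseFragment(hash) {
  const params = {};
  const body = hash.startsWith('#') ? hash.slice(1) : hash;
  if (body === '') return params;
  for (const pair of body.split('&')) {
    const idx = pair.indexOf('=');
    const key = decodeURIComponent(idx < 0 ? pair : pair.slice(0, idx));
    const value = idx < 0 ? '' : decodeURIComponent(pair.slice(idx + 1));
    params[key] = value;
  }
  return params;
}

// Extract the token from the fragment (step F). Returns null when there is no
// token, when the authorization server returned an error, or when the state value
// does not match expectedState (assumed to have been generated by the client before
// step A and kept locally, e.g. in sessionStorage) so a fragment injected by a
// third party is not accepted as a login.
function extractAccessToken(hash, expectedState) {
  const p = parseFragment(hash);
  if (p.error !== undefined) return null;
  if (expectedState !== undefined && p.state !== expectedState) return null;
  if (!p.access_token) return null;
  return {
    accessToken: p.access_token,
    expiresIn: p.expires_in !== undefined ? Number(p.expires_in) : null,
    scope: p.scope !== undefined ? p.scope.split(' ') : [],
  };
}

// Constructed sample fragment, as the user-agent would see it in step C.
// The token and state values are made up for this example.
const SAMPLE_HASH = '#access_token=SAMPLE_TOKEN_abc123&expires_in=3600&state=xyz';

// In a browser the client would call:
//   const tok = extractAccessToken(window.location.hash, sessionStorage.getItem('oauth_state'));
//   history.replaceState(null, '', window.location.pathname); // drop the token from the URL bar/history
```

Clearing the fragment after extraction keeps the token out of the browser history and out of any URL the page later copies or links to.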
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth