Ok I think I got it. So I believe authentication would be redirecting the end-user to the authorization server where he needs to authenticate himself. Now, based on Facebook javascript SDK, it seems like steps D-F are implicit. So once step C is done, D, E and F are not needed because a local javascript can extract the access_token from the fragment and execute JSONP calls with the access_token to get the protected resource. Is that correct? Am I missing something here or is it valid?
On Mon, Aug 30, 2010 at 8:01 PM, Zeltsan, Zachary (Zachary) <zachary.zelt...@alcatel-lucent.com> wrote:

> I can't really understand how steps D, E and F work. Once I get the access_token in the fragment, what happens then?
>
> In step C client receives from authorization server an access token in the fragment part of the redirection URL, which the client provided to the authorization server in step A.
>
> In step D the client follows that URL (without sending the fragment).
>
> In step E client receives a script embedded in an HTML page (in response to the request of step D).
>
> In step F client runs the script locally. The script extracts the access token from the URL received in step C and passes it to the client.
>
> How can I prevent a malicious user from checking the source of my user-agent app, getting the app-id and repeating the same steps from his own application somewhere else?
>
> I do not see how it can be done. The client’s authentication to authorization server is not specified clearly in the draft.
>
> The specification says:
>
> “These clients cannot keep client secrets confidential and the authentication of the client is based on the user-agent's same-origin policy”.
>
> Can anyone explain how client’s authentication works in the User-Agent use case?
>
> Zachary
>
> ------------------------------
>
> *From:* oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] *On Behalf Of *Jonathan Leibiusky
> *Sent:* Monday, August 30, 2010 9:45 AM
> *To:* oauth@ietf.org
> *Subject:* [OAUTH-WG] Doubts about the User-Agent Profile in OAuth2
>
> Hi, I read the OAuth2 draft and I still have lots of doubts regarding security when talking about the User-Agent Profile.
> I can't really understand how steps D, E and F work. Once I get the access_token in the fragment, what happens then?
> How can I prevent a malicious user from checking the source of my user-agent app, getting the app-id and repeating the same steps from his own application somewhere else?
>
> Thanks!
>
> Jonathan
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
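The two halves of the thread's question, as an added example that is not part of the mailing-list discussion: the script of step F parsing the access token out of the fragment of the step C redirection URL, and the authorization-server check that stands in for client authentication in the user-agent profile (a copy of the app with the same client id but hosted elsewhere cannot receive the fragment because its redirect URI is not the registered one). The `state` parameter, the registered-redirect-URI table, the client id `app-123` and the sample URL are constructed for the example, not taken from the thread.

```javascript
// Constructed sample of the step C redirection URL as the authorization
// server would issue it; only the fragment carries the token.
const SAMPLE_REDIRECT =
  "https://client.example.com/cb#access_token=2YotnFZFEjr1zCsicMWpAA" +
  "&token_type=bearer&expires_in=3600&state=xyz";

// Step F: the script run inside the user agent reads the fragment. The
// fragment was never sent to the client's server in step D.
function parseFragment(url) {
  const hash = new URL(url).hash; // "#access_token=...&state=..."
  const params = new URLSearchParams(hash.startsWith("#") ? hash.slice(1) : hash);
  const out = {};
  for (const [k, v] of params) out[k] = v;
  return out;
}

// The client only accepts a token whose state matches the value it generated
// in step A, so a redirect it never initiated does not hand it a token.
function extractToken(url, expectedState) {
  const p = parseFragment(url);
  if (!p.access_token) return null;
  if (expectedState !== undefined && p.state !== expectedState) return null;
  return {
    token: p.access_token,
    tokenType: p.token_type || "bearer",
    expiresIn: p.expires_in !== undefined ? Number(p.expires_in) : undefined,
  };
}

// Authorization-server side (assumed design, constructed registry): with no
// client secret, the registered redirect URI is what ties the client id to an
// origin; the same-origin policy then keeps the fragment inside that origin.
const REGISTERED_CLIENTS = { "app-123": "https://client.example.com/cb" };

function redirectUriAllowed(clientId, requestedRedirectUri) {
  const registered = REGISTERED_CLIENTS[clientId];
  if (!registered) return false;
  let a, b;
  try { a = new URL(registered); b = new URL(requestedRedirectUri); } catch { return false; }
  // Exact match on scheme, host, port and path; no query or fragment allowed,
  // so the token cannot be steered to a different page or origin.
  return a.origin === b.origin && a.pathname === b.pathname &&
         b.search === "" && b.hash === "";
}
```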