In my opinion that is correct. Once you have a script for extracting an access token locally, you do not need to download it again. I do not know how that is implemented by Facebook.
________________________________ From: Jonathan Leibiusky [mailto:ionat...@gmail.com] Sent: Monday, August 30, 2010 10:11 PM To: Zeltsan, Zachary (Zachary) Cc: oauth@ietf.org Subject: Re: [OAUTH-WG] Doubts about the User-Agent Profile in OAuth2 Ok I think I got it. So I believe authentication would be redirecting the end-user to the authorization server where he needs to authenticate himself. Now, based on Facebook javascript SDK, it seems like steps D-F are implicit. So once step C is done, D, E and F are not needed because a local javascript can extract the acccess_token from the fragment and execute JSONP calls with the access_token to get the protected resource. Is that correct? Am I missing something here or is it valid? On Mon, Aug 30, 2010 at 8:01 PM, Zeltsan, Zachary (Zachary) <zachary.zelt...@alcatel-lucent.com<mailto:zachary.zelt...@alcatel-lucent.com>> wrote: > I can't really understand how steps D, E and F works. Once I get the > access_token in the fragment, what happens then? In step C client receives from authorization server an access token in the fragment part of the redirection URL, which the client provided to the authorization server in step A. In step D the client follows that URL (without sending the fragment). In step E client receives a script embedded in an HTML page (in response to the request of step D). In step F client runs the script locally. The script extracts the access token from the URL received in step C and passes it to the client. > How can I avoid from a malicious user check the source of my user-agent app, > get the app-id and repeat the same steps from his own application somewhere > else? I do not see how it can be done. The client's authentication to authorization server is not specified clearly in the draft. The specification says: "These clients cannot keep client secrets confidential and the authentication of the client is based on the user-agent's same-origin policy". Can anyone explain how client's authentication works in the User-Agent use case? Zachary ________________________________ From: oauth-boun...@ietf.org<mailto:oauth-boun...@ietf.org> [mailto:oauth-boun...@ietf.org<mailto:oauth-boun...@ietf.org>] On Behalf Of Jonathan Leibiusky Sent: Monday, August 30, 2010 9:45 AM To: oauth@ietf.org<mailto:oauth@ietf.org> Subject: [OAUTH-WG] Doubts about the User-Agent Profile in OAuth2 Hi, I read the OAuth2 draft and I still have lots of doubts regard security when talking about the User-Agent Profile. I can't really understand how steps D, E and F works. Once I get the access_token in the fragment, what happens then? How can I avoid from a malicious user check the source of my user-agent app, get the app-id and repeat the same steps from his own application somewhere else? Thanks! Jonathan
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
