Inline On Sep 4, 2014, at 11:30 AM, Frizz <frizzthe...@googlemail.com> wrote:
> Hello there,
>
> I have a question regarding Authentication:
>
> The following two scenarios, are they typical use cases for OAuth? Or
> OpenId-Connect? Or something completely different?
>
> Flow (A) would be like this:
> (1) Client calls Business Logic Server
> (2) Server detects there's no Access Token in HTTP headers
> (3) Server redirects to *some* Authentication Server
> (4) Authentication Server challenges Client for Username/Password
> (5) Client (now with valid Access Token) is redirected to Business Logic
> Server and completes operation

In 3 the RS returns an error that includes the required scopes.
http://tools.ietf.org/html/rfc6750#section-3

The location of the AS is not included by default. The UMA spec uses that, but OAuth 2 doesn't typically. The majority of deployed OAuth clients are hard-coded to an AS, or in the OpenID Connect case discovery is used to determine the AS. Typically the client would not start at the resource.

In 4 the AS is challenging the user for username/password via a web form in the code and implicit flows.

In 5 the user's browser is redirected back to the client with a token or code.

In 6 the client accesses the resource.

> Flow (B) would look like this:
> (1) Client directly calls Authentication Server (kinda explicit Login call)
> with Username/Password and gets an Access Token in return
> (2) Client uses this Access Token for all calls to the Business Logic Server
>

This is the Resource owner password credentials grant or client credentials flow.
http://tools.ietf.org/html/rfc6749#section-4.3

Regards
John B.

> cheers,
> Frizz
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
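The two spec sections John B. cites, as an added example that is not part of the thread and not code from either RFC: a resource server that answers a missing, unknown or under-scoped bearer token with the RFC 6750 section 3 `WWW-Authenticate: Bearer` challenge (note that the challenge names the realm and required scope but, as John says, not the AS location), plus the form body a client posts to the token endpoint for the RFC 6749 section 4.3 password grant used in Flow (B). The realm `orders-api`, the scope names, the token store and the token endpoint URL are all constructed for the example.

```python
"""Added example: RFC 6750 s3 bearer challenge on the RS side, and the
RFC 6749 s4.3 password-grant request on the client side. Not from the thread."""
from dataclasses import dataclass
import re
from urllib.parse import urlencode

# Constructed sample token store: token -> granted scopes. A real RS would
# validate a signed token or call the AS's introspection endpoint instead.
TOKENS = {
    "tok-read-only": {"orders:read"},
    "tok-full": {"orders:read", "orders:write"},
}

# b64token syntax from RFC 6750 s2.1
_BEARER_RE = re.compile(r"^Bearer\s+([A-Za-z0-9\-._~+/]+=*)$")


@dataclass
class Response:
    status: int
    headers: dict
    body: str


def bearer_challenge(realm, scope, error=None, description=None):
    """Build the WWW-Authenticate value per RFC 6750 s3. The AS location is
    deliberately absent: the client is expected to already know its AS."""
    params = [f'realm="{realm}"', f'scope="{scope}"']
    if error:
        params.append(f'error="{error}"')
    if description:
        params.append(f'error_description="{description}"')
    return "Bearer " + ", ".join(params)


def protected_resource(headers, required_scope, realm="orders-api"):
    """Flow (A) step 2/3 from the RS's point of view (hypothetical handler)."""
    auth = headers.get("Authorization")
    if auth is None:
        # No credentials at all: RFC 6750 s3.1 says not to include an error code.
        return Response(401, {"WWW-Authenticate": bearer_challenge(realm, required_scope)}, "")
    m = _BEARER_RE.match(auth)
    if not m or m.group(1) not in TOKENS:
        chal = bearer_challenge(realm, required_scope, "invalid_token",
                                "token is malformed, unknown or expired")
        return Response(401, {"WWW-Authenticate": chal}, "")
    if required_scope not in TOKENS[m.group(1)]:
        chal = bearer_challenge(realm, required_scope, "insufficient_scope")
        return Response(403, {"WWW-Authenticate": chal}, "")
    return Response(200, {}, '{"orders": []}')


def parse_challenge(value):
    """Client side: pull the auth-params out of a Bearer challenge."""
    if not value.startswith("Bearer"):
        raise ValueError("not a Bearer challenge")
    return dict(re.findall(r'(\w+)="([^"]*)"', value[len("Bearer"):]))


def password_grant_request(token_endpoint, username, password, scope=None, client_id=None):
    """Flow (B) step 1: the RFC 6749 s4.3.2 token request. Returns (url, headers, body)."""
    fields = {"grant_type": "password", "username": username, "password": password}
    if scope:
        fields["scope"] = scope
    if client_id:
        fields["client_id"] = client_id
    return token_endpoint, {"Content-Type": "application/x-www-form-urlencoded"}, urlencode(fields)


if __name__ == "__main__":
    for hdrs in ({}, {"Authorization": "Bearer tok-read-only"}, {"Authorization": "Bearer tok-full"}):
        r = protected_resource(hdrs, "orders:write")
        print(r.status, r.headers.get("WWW-Authenticate", ""))
    print(password_grant_request("https://as.example/token", "frizz", "s3cret", scope="orders:read"))
```

The RS distinguishes three cases the spec treats differently: no token gives a bare challenge with no error code, a bad token gives `invalid_token` with 401, and a valid token lacking the scope gives `insufficient_scope` with 403. RFC 6749 itself restricts the password grant to clients the resource owner highly trusts, which is why John's Flow (B) is the exception rather than the default.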