Yes, but you'll need a web server client for that. I'm saying that UA profile
can be POST based too.
If you want, I can write an example of both client and server side code to
explain what I mean.
-Original Message-
From: David Recordon [mailto:record...@gmail.com]
Sent: Tuesday, Augus
Hey Oleg, a server based "safer" version of the user agent flow is the
web server flow. It doesn't pass the access token via the fragment or
via any means without SSL.
On Tue, Aug 10, 2010 at 11:00 AM, Oleg Gryb wrote:
> Luke,
>
> Thanks for answering. Sorry for being paranoid, but I think that
Strongly agree.
Igor
Eran Hammer-Lahav wrote:
The single assertion use case is well defined. If you need to support multiple
assertions in a single request, you will need to define a way to group them
together and include them using the single assertion parameter or define an
extension for a
+1
(1) is crystal-clear and is a must, as far as I am concerned. (2) would
definitely help as a catch-all for unauthorized requests.
Igor
Torsten Lodderstedt wrote:
Would it make sense to support two scenarios? (1) Discovery as described in my original
posting independent of "functional" re
Folks-- The UMA group has produced the following I-D as input to the OAuth
discovery/registration/binding discussion. We wanted to set forth our
requirements (knowing that there may be other requirements from the wider
community) and propose some solutions that meet them. If further discussion
Luke,
Thanks for answering. Sorry for being paranoid, but I think that you'll have
more qs in regards of your frame-based-cross-domain-secret-sharing solution.
The thing is that each time when a web app with sensitive info can be run in a
frame, security people would advise to break that frame-
Thank you for the explanation.
I now understand that the fragment is used for efficiently passing token or
code on the client side. What I still don't understand is why a client would
need both at once (url 1)? Have you such applications in production?
regards,
Torsten.
Am 10.08.2010 um 19:
Thank you for the explanation. I no
On 10.08.2010 at 19:23, Luke Shepard wrote:
> Here are the possible URLs:
>
> http://static.facebook.com/connect/xd_proxy.php#code=10alkji&access_token=lzipa3p
> http://static.facebook.com/connect/xd_proxy.php?code=10alkji#access_token=lzipa3p
>
> Those w
Here are the possible URLs:
http://static.facebook.com/connect/xd_proxy.php#code=10alkji&access_token=lzipa3p
http://static.facebook.com/connect/xd_proxy.php?code=10alkji#access_token=lzipa3p
Those who already use this flow in production (including Google, Facebook,
Twitter, and others) typicall
I was trying to understand that too (see "Is user agent profile secure"
thread).
The answers that I've got were:
1. It's already coded this way.
2. It's the most efficient way of doing that, because that relay.html page is
static and can be cached by a browser.
None of the answers above looks
WFM.
> -Original Message-
> From: Brian Campbell [mailto:bcampb...@pingidentity.com]
> Sent: Tuesday, August 10, 2010 9:03 AM
> To: Eran Hammer-Lahav
> Cc: oauth
> Subject: Re: [OAUTH-WG] more than one assertion?
>
> To be honest, I somehow overlooked that particular text - my mistake and
To be honest, I somehow overlooked that particular text - my mistake
and apologies. Reading it again, it probably does preclude parameters
from repeating, however, I can see some room for varied
interpretations as to if that's a strong normative requirement or a
looser suggestion about an error cod
Can someone pls. explain why code and token should both be returned in the
fragment?
regards,
Torsten.
On 09.08.2010 at 20:32, David Recordon wrote:
> The thread wandered a bit but Brian's summary here seems to be what most
> people were advocating for. Is there enough consensus to have Draf