Re: [OAUTH-WG] user-agent flow needs a rewrite

Brian Eaton <beaton@google.com> Tue, 13 July 2010 18:17 UTC

In-Reply-To: <AANLkTilY8Zuv-wyBiEJMhe6b6r_v_jiPtXaK7HO8jERe@mail.gmail.com>
References: <C85F1725.36FD1%eran@hueniverse.com> <ABEF9F68-F006-4BDD-804D-DEF9CB4C1E29@facebook.com> <AANLkTilY8Zuv-wyBiEJMhe6b6r_v_jiPtXaK7HO8jERe@mail.gmail.com>
Date: Tue, 13 Jul 2010 11:17:09 -0700
Message-ID: <AANLkTil6M4snGRdfsC5vwNPscaCYKqXqYq2F2zNKhhXP@mail.gmail.com>
From: Brian Eaton <beaton@google.com>
To: David Recordon <recordond@gmail.com>
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] user-agent flow needs a rewrite

On Tue, Jul 13, 2010 at 9:42 AM, David Recordon <recordond@gmail.com> wrote:
>> That strikes me as very odd - returning some params in the query, and
>> others in the fragment is just weird.
>
> I actually think that you want this – albeit odd – combination when
> requesting both a code and token. The code and state parameters are needed
> by the server and thus are query parameters. The access token, scope, and
> expires in shouldn't be sent to the server via HTTP and thus are within
> the fragment for the JavaScript to access.

The problem is that if you do it this way you end up busting the
browser cache.  All of the performance improvements offered by the
user-agent profile are lost.

Cheers,
Brian
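The trade-off discussed above, as an added illustration that is not part of this thread: the two redirect layouts are modelled below, and the server-visible URL (the browser's cache key, ignoring Vary and cache-control headers) is compared for each. The redirect URI and all parameter values are constructed for the example.

```javascript
// Added example, not from the thread. Assumes a client callback at
// https://client.example/cb (constructed) and made-up parameter values.

// Build the redirect URI the authorization server sends the user agent to.
// Parameters the client's server must see (code, state) go in the query;
// parameters only in-page JavaScript should see (access_token, scope,
// expires_in) go in the fragment, which the browser never transmits.
function buildRedirect(redirectUri, serverParams, fragmentParams) {
  const url = new URL(redirectUri);
  for (const [k, v] of Object.entries(serverParams)) {
    url.searchParams.set(k, v);
  }
  const frag = new URLSearchParams(fragmentParams).toString();
  if (frag) url.hash = frag;
  return url.toString();
}

// What the user agent actually requests from the server: the URL without
// its fragment. This is also what the browser cache keys the response on
// (ignoring Vary and cache-control headers).
function cacheKey(fullUrl) {
  const url = new URL(fullUrl);
  url.hash = '';
  return url.toString();
}

// What the callback page's JavaScript can read back from the fragment.
function fragmentParams(fullUrl) {
  const url = new URL(fullUrl);
  return Object.fromEntries(new URLSearchParams(url.hash.slice(1)));
}

// Two separate authorization runs landing on the same callback page.
const REDIRECT = 'https://client.example/cb';            // constructed
const tokenA = { access_token: 'tokA', scope: 'read', expires_in: '3600' };
const tokenB = { access_token: 'tokB', scope: 'read', expires_in: '3600' };

// Mixed layout (code+state in the query, token in the fragment): the code
// differs per run, so the server-visible URL differs and the cache misses.
const mixedA = buildRedirect(REDIRECT, { code: 'c1', state: 's1' }, tokenA);
const mixedB = buildRedirect(REDIRECT, { code: 'c2', state: 's2' }, tokenB);

// Pure user-agent layout (everything in the fragment): the server-visible
// URL is identical across runs, so the cached callback page can be reused.
const fragA = buildRedirect(REDIRECT, {}, { ...tokenA, state: 's1' });
const fragB = buildRedirect(REDIRECT, {}, { ...tokenB, state: 's2' });

// True when a second redirect would hit the cache entry left by the first.
function cacheHit(urlA, urlB) { return cacheKey(urlA) === cacheKey(urlB); }
```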