[OAUTH-WG] 答复: Re: A question of 1.3.1. Authorization Code in rfc6749 The OAuth 2.0 Authorization Framework
zhou.sujing@zte.com.cn Wed, 09 January 2013 06:37 UTC
Return-Path: <zhou.sujing@zte.com.cn>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9F31B21F843C; Tue, 8 Jan 2013 22:37:14 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -93.55
X-Spam-Level:
X-Spam-Status: No, score=-93.55 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, CHARSET_FARAWAY_HEADER=3.2, HTML_MESSAGE=0.001, MIME_8BIT_HEADER=0.3, MIME_BASE64_TEXT=1.753, MIME_CHARSET_FARAWAY=2.45, SARE_SUB_ENC_GB2312=1.345, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6uCnBu1f6L7t; Tue, 8 Jan 2013 22:37:10 -0800 (PST)
Received: from zte.com.cn (mx5.zte.com.cn [63.217.80.70]) by ietfa.amsl.com (Postfix) with ESMTP id 9642721F8439; Tue, 8 Jan 2013 22:37:10 -0800 (PST)
Received: from mse02.zte.com.cn (unknown [10.30.3.21]) by Websense Email Security Gateway with ESMTPS id A9588126A163; Wed, 9 Jan 2013 14:39:28 +0800 (CST)
Received: from notes_smtp.zte.com.cn ([10.30.1.239]) by mse02.zte.com.cn with ESMTP id r096anWL096983; Wed, 9 Jan 2013 14:36:49 +0800 (GMT-8) (envelope-from zhou.sujing@zte.com.cn)
In-Reply-To: <CAJV9qO80r93oOk-EjVukF0AUbc5-FWu8VhpVi+9WZBGzSjMrPA@mail.gmail.com>
To: Prabath Siriwardena <prabath@wso2.com>
MIME-Version: 1.0
X-Mailer: Lotus Notes Release 6.5.6 March 06, 2007
Message-ID: <OF09F85034.34A94363-ON48257AEE.00243414-48257AEE.002458A9@zte.com.cn>
From: zhou.sujing@zte.com.cn
Date: Wed, 09 Jan 2013 14:36:37 +0800
X-MIMETrack: Serialize by Router on notes_smtp/zte_ltd(Release 8.5.3FP1 HF212|May 23, 2012) at 2013-01-09 14:36:47, Serialize complete at 2013-01-09 14:36:47
Content-Type: multipart/alternative; boundary="=_alternative 002458A748257AEE_="
X-MAIL: mse02.zte.com.cn r096anWL096983
Cc: oauth-bounces@ietf.org, oauth@ietf.org
Subject: [OAUTH-WG] 答复: Re: A question of 1.3.1. Authorization Code in rfc6749 The OAuth 2.0 Authorization Framework
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 09 Jan 2013 06:37:14 -0000
Then why not let auth code be sent directly from AS to Client? Just want to inform RO that an auth code has been dilivered to Client? oauth-bounces@ietf.org 写于 2013-01-09 14:27:50: > Hi Brent, > > Few points, why this doesn't create any security implications.. > > 1. Authorization server maintains a binding to the Client, who the > token was issued to. To exchange this to an Access token client > should authenticate him self. > 2. Code can only be exchanged once for an acces token. > > Thanks & regards, > -Prabath > On Wed, Jan 9, 2013 at 6:56 AM, cspzhouroc <cspzhouroc@comp.polyu.edu.hk > > wrote: > Dear All: > > I have a question in the section 1.3.1. Authorization Code in rfc6749 > The OAuth 2.0 Authorization Framework. > > It tells "which in turn directs the resource owner back to the client > with the authorization code." > > Who can let me know the reason why is the authorization code sent to > client through a redirection in resource owner's agent? Any security > implications? > > Is it possible to let the authorization server send the authorization > code to the client directly (not through resource owner's user-agent)? > > Best Regards > Brent > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth > > > -- > Thanks & Regards, > Prabath > > Mobile : +94 71 809 6732 > > http://blog.facilelogin.com > http://RampartFAQ.com_______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth
- [OAUTH-WG] A question of 1.3.1. Authorization Cod… cspzhouroc
- Re: [OAUTH-WG] A question of 1.3.1. Authorization… Prabath Siriwardena
- [OAUTH-WG] 答复: Re: A question of 1.3.1. Authoriza… zhou.sujing
- Re: [OAUTH-WG] A question of 1.3.1. Authorization… Prabath Siriwardena
- Re: [OAUTH-WG] A question of 1.3.1. Authorization… cspzhouroc
- Re: [OAUTH-WG] 答复: Re: A question of 1.3.1. Autho… cspzhouroc
- [OAUTH-WG] 答复: Re: 答复: Re: A question of 1.3.1. A… zhou.sujing
- Re: [OAUTH-WG] A question of 1.3.1. Authorization… cspzhouroc
- Re: [OAUTH-WG] A question of 1.3.1. Authorization… Prabath Siriwardena
- [OAUTH-WG] 答复: Re: A question of 1.3.1. Authoriza… zhou.sujing
- Re: [OAUTH-WG] 答复: Re: A question of 1.3.1. Autho… Prabath Siriwardena
- Re: [OAUTH-WG] A question of 1.3.1. Authorization… Phil Hunt
- Re: [OAUTH-WG] 答复: Re: A question of 1.3.1. Autho… cspzhouroc
- Re: [OAUTH-WG] A question of 1.3.1. Authorization… cspzhouroc
- Re: [OAUTH-WG] A question of 1.3.1. Authorization… Phil Hunt
- Re: [OAUTH-WG] A question of 1.3.1. Authorization… cspzhouroc
- Re: [OAUTH-WG] A question of 1.3.1. Authorization… Phil Hunt
- Re: [OAUTH-WG] A question of 1.3.1. Authorization… cspzhouroc
- Re: [OAUTH-WG] A question of 1.3.1. Authorization… Peng Zhou
- Re: [OAUTH-WG] 答复: Re: A question of 1.3.1. Autho… Peng Zhou
- Re: [OAUTH-WG] 答复: Re: A question of 1.3.1. Autho… Justin Richer
- Re: [OAUTH-WG] 答复: Re: A question of 1.3.1. Autho… cspzhouroc
- Re: [OAUTH-WG] 答复: Re: A question of 1.3.1. Autho… zhou.sujing
- Re: [OAUTH-WG] 答复: Re: A question of 1.3.1. Autho… Richer, Justin P.