Re: [OAUTH-WG] A question of 1.3.1. Authorization Code in rfc6749 The OAuth 2.0 Authorization Framework

Prabath Siriwardena <prabath@wso2.com> Wed, 09 January 2013 06:54 UTC

In-Reply-To: <d2d4bd929ec0d00960e54bd9a3988bf3@comp.polyu.edu.hk>
References: <190fcb42a851f2dfe73b2614b7880046@comp.polyu.edu.hk> <CAJV9qO80r93oOk-EjVukF0AUbc5-FWu8VhpVi+9WZBGzSjMrPA@mail.gmail.com> <CABFKGsdJtR3rX+=Puto2D40F9m4kT+rvR6EyU6mx3aEkxG5VNw@mail.gmail.com> <CAJV9qO_A-_5CbfREFBxXr1efaAG5hVdbOR03BNgWY=iBM11fFg@mail.gmail.com> <d2d4bd929ec0d00960e54bd9a3988bf3@comp.polyu.edu.hk>
Date: Wed, 09 Jan 2013 12:24:41 +0530
Message-ID: <CAJV9qO-rg1X7GoaXtMRVuqA7MZVUh8VW5TGL9+JkQLg4auTy3Q@mail.gmail.com>
From: Prabath Siriwardena <prabath@wso2.com>
To: cspzhouroc <cspzhouroc@comp.polyu.edu.hk>
Cc: Peng Zhou <zpbrent@gmail.com>, oauth@ietf.org
Subject: Re: [OAUTH-WG] A question of 1.3.1. Authorization Code in rfc6749 The OAuth 2.0 Authorization Framework

On Wed, Jan 9, 2013 at 12:22 PM, cspzhouroc <cspzhouroc@comp.polyu.edu.hk> wrote:

> Dear Prabath:
>
> But is it possible to include the mapping between the user request and
> the code in the message that the AS sends to the client directly?
>

Nope. We need the mapping between the request and the code. Adding a user name
or any identifier to the message sent from the AS to the client won't help,
because the browser request has to identify itself.

Thanks & regards,
-Prabath

>
>
> Best Regards
>
> Brent
>
> On Wed, 9 Jan 2013 12:17:19 +0530, Prabath Siriwardena wrote:
>
> On Wed, Jan 9, 2013 at 12:09 PM, Peng Zhou <zpbrent@gmail.com> wrote:
>
>> Dear Prabath:
>>
>> Thank you very much for your responses :-)
>>
>> However, I am still not quite sure why the authorization code must be
>> sent to the client through the RO's user-agent?
>>
> One reason I see is that bringing the authorization code via the user agent
> links the user request to the authorization code. If the AS directly sends the
> code to the Resource Server, the mapping between the user request and the
> code is broken.
> Thanks & regards,
> -Prabath
>
>
>>
>> Best Regards
>> Brent
>>
>> 2013/1/9 Prabath Siriwardena <prabath@wso2.com>:
>> > Prabath
>
> --
> Thanks & Regards,
> Prabath
> Mobile : +94 71 809 6732
>
> http://blog.facilelogin.com
> http://RampartFAQ.com
-- 
Thanks & Regards,
Prabath

Mobile : +94 71 809 6732

http://blog.facilelogin.com
http://RampartFAQ.com
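As an added illustration of the point argued in this thread (not code from the thread or from any project), the model below shows the client side of the RFC 6749 authorization code flow: the pending request lives in the browser session, and a code that comes back through that same browser is accepted only when the `state` the AS echoes matches that session's pending request. A code handed to the client without the browser session, the direct AS-to-client delivery Brent asks about, cannot be mapped to any request. The function names, the session dictionary and the URLs are assumptions made for the example.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed model of an OAuth 2.0 client. Each browser session gets its own
# pending request so that the code returned through that browser can be tied
# back to the request that started it (RFC 6749 sections 4.1.1 and 10.12).


class PendingRequest:
    def __init__(self, state, redirect_uri):
        self.state = state
        self.redirect_uri = redirect_uri


def begin_authorization(session, client_id, redirect_uri, authz_endpoint):
    """Record a pending request in the user's session and build the
    authorization request URL the user agent is redirected to."""
    state = secrets.token_urlsafe(32)  # unguessable, unique per request
    session["pending"] = PendingRequest(state, redirect_uri)
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
    }
    return f"{authz_endpoint}?{urlencode(params)}"


def handle_callback(session, callback_url):
    """Handle the redirect back from the AS via the user agent.

    Returns the authorization code only if this session has a pending
    request and the echoed state matches it; otherwise None, because the
    code cannot be mapped to a request made by this browser."""
    pending = session.pop("pending", None)
    if pending is None:
        return None  # nothing pending: the code did not come via this user
    query = parse_qs(urlparse(callback_url).query)
    state = query.get("state", [""])[0]
    code = query.get("code", [""])[0]
    if not code or not hmac.compare_digest(state, pending.state):
        return None  # state mismatch: code belongs to some other request
    return code
```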