Re: [OAUTH-WG] A question of 1.3.1. Authorization Code in rfc6749 The OAuth 2.0 Authorization Framework
cspzhouroc <cspzhouroc@comp.polyu.edu.hk> Wed, 09 January 2013 07:18 UTC
Date: Wed, 09 Jan 2013 15:18:12 +0800
From: cspzhouroc <cspzhouroc@comp.polyu.edu.hk>
To: Phil Hunt <phil.hunt@oracle.com>
Cc: Peng Zhou <zpbrent@gmail.com>, oauth@ietf.org
Do you mean the bounding information must be presented by the RO? The client cannot trust the RO-client bounding information that is received from AS?

On Tue, 8 Jan 2013 23:00:03 -0800, Phil Hunt wrote:
> The idea is to form a bridge between a user, their user-agent, and the client application while at the same time keeping the security credential and the client app cred separate.
>
> The redirect with code flow enables the separate contexts to be bound together.
>
> As soon as you do this in one step, then the client app needs to be able to handle the user's credentials (eg uid/pwd) directly. Remember that one of the original reasons for the auth flow was to eliminate the password anti-pattern.
>
> Phil
>
> Sent from my phone.
>
> On 2013-01-08, at 22:52, cspzhouroc wrote:
>
>> Dear Prabath:
>>
>> But is it possible to include the mapping between the user request and the code in the message that the AS sends to the client directly?
>>
>> Best Regards
>>
>> Brent
>>
>> On Wed, 9 Jan 2013 12:17:19 +0530, Prabath Siriwardena wrote:
>>
>>> On Wed, Jan 9, 2013 at 12:09 PM, Peng Zhou wrote:
>>>
>>>> Dear Prabath:
>>>>
>>>> Thank you very much for your responses :-)
>>>>
>>>> However, I am still not quite sure why the authorization code must be sent to the client through the RO's user-agent?
>>>
>>> One reason I see is, bringing the authorization code via User Agent - links the user request to the authorization code. If AS directly sends the code to the Resource Server the mapping between the user request and the code is broken.
>>>
>>> Thanks & regards,
>>> -Prabath
>>>
>>>> Best Regards
>>>> Brent
>>>>
>>>> 2013/1/9 Prabath Siriwardena :
>>>> > Prabath
>>>
>>> --
>>> Thanks & Regards,
>>> Prabath
>>> Mobile : +94 71 809 6732
>>>
>>> http://blog.facilelogin.com
>>> http://RampartFAQ.com
>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
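The binding that Phil and Prabath describe, worked through as an added Python simulation (not code from the thread or from any RFC 6749 implementation): the client remembers the `state` it issued to a given user-agent session, and a code is accepted only when it comes back through that same session. The class names, session ids and the `run_scenarios` helper are constructed for illustration.

```python
import secrets


class Client:
    """Minimal RFC 6749 section 4.1 client: remembers, per user-agent session,
    the 'state' it issued when it redirected that user-agent to the AS."""

    def __init__(self):
        self.pending = {}  # state -> session id of the user-agent that started the request

    def start_authorization(self, session_id):
        # Step (A): redirect the user-agent to the AS with a fresh 'state'.
        state = secrets.token_urlsafe(16)
        self.pending[state] = session_id
        return {"response_type": "code", "state": state}

    def handle_redirect(self, session_id, params):
        # Step (C): the code comes back through the user-agent. Accept it only
        # if 'state' was issued to this very session; that check is the
        # mapping between the user's request and the code.
        state = params.get("state")
        if state is None or self.pending.get(state) != session_id:
            return None
        del self.pending[state]
        return params["code"]


class AuthorizationServer:
    def authorize(self, request):
        # Step (B): the RO authenticates and grants; the AS issues a code and
        # echoes 'state' unchanged so the client can correlate the response.
        return {"code": secrets.token_urlsafe(16), "state": request.get("state")}


def run_scenarios():
    client, server = Client(), AuthorizationServer()
    results = {}
    # Normal flow: the same user-agent session carries request and response.
    req = client.start_authorization("ua-session-1")
    resp = server.authorize(req)
    results["via_user_agent"] = client.handle_redirect("ua-session-1", resp) is not None
    # The same response delivered into a different user-agent session: no mapping.
    req = client.start_authorization("ua-session-2")
    resp = server.authorize(req)
    results["wrong_session"] = client.handle_redirect("ua-session-3", resp) is not None
    # Code handed to the client by the AS with no user-agent in the loop:
    # there is no session and no 'state' to tie it to any user's request.
    resp = server.authorize({"response_type": "code"})
    results["direct_from_as"] = client.handle_redirect(None, resp) is not None
    return results
```

Only the first scenario yields a usable code; the other two show why a code that bypasses the user-agent cannot be tied to the request that caused it.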