IETF Logo Mail Archive

Re: [OAUTH-WG] A question of 1.3.1. Authorization Code in rfc6749 The OAuth 2.0 Authorization Framework

cspzhouroc <cspzhouroc@comp.polyu.edu.hk> Wed, 09 January 2013 07:18 UTC

Return-Path: <cspzhouroc@comp.polyu.edu.hk>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0228E21F867D for <oauth@ietfa.amsl.com>; Tue, 8 Jan 2013 23:18:17 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.406
X-Spam-Level:
X-Spam-Status: No, score=-2.406 tagged_above=-999 required=5 tests=[AWL=0.192, BAYES_00=-2.599, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GYvnBcWVrEjR for <oauth@ietfa.amsl.com>; Tue, 8 Jan 2013 23:18:16 -0800 (PST)
Received: from mailhost2.comp.polyu.edu.hk (mailhost2.COMP.POLYU.EDU.HK [158.132.20.241]) by ietfa.amsl.com (Postfix) with ESMTP id D5DDA21F867B for <oauth@ietf.org>; Tue, 8 Jan 2013 23:18:15 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by mailhost2.comp.polyu.edu.hk (Postfix) with ESMTP id 8EC255039B; Wed, 9 Jan 2013 15:18:12 +0800 (HKT)
X-Virus-Scanned: amavisd-new at comp.polyu.edu.hk
Received: from mailhost2.comp.polyu.edu.hk ([127.0.0.1]) by localhost (mailhost2.comp.polyu.edu.hk [127.0.0.1]) (amavisd-new, port 10024) with LMTP id o8yF7q8Pt9cR; Wed, 9 Jan 2013 15:18:11 +0800 (HKT)
Received: from webmail.comp.polyu.edu.hk (vlinux01.COMP.POLYU.EDU.HK [158.132.8.197]) by mailhost2.comp.polyu.edu.hk (Postfix) with ESMTP id 4674350378; Wed, 9 Jan 2013 15:18:11 +0800 (HKT)
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="=_a94ec7b45af4136921b4903934bd9a74"
Date: Wed, 09 Jan 2013 15:18:12 +0800
From: cspzhouroc <cspzhouroc@comp.polyu.edu.hk>
To: Phil Hunt <phil.hunt@oracle.com>
In-Reply-To: <C932A6E6-3967-4272-99D4-4D10D9A3860B@oracle.com>
References: <190fcb42a851f2dfe73b2614b7880046@comp.polyu.edu.hk> <CAJV9qO80r93oOk-EjVukF0AUbc5-FWu8VhpVi+9WZBGzSjMrPA@mail.gmail.com> <CABFKGsdJtR3rX+=Puto2D40F9m4kT+rvR6EyU6mx3aEkxG5VNw@mail.gmail.com> <CAJV9qO_A-_5CbfREFBxXr1efaAG5hVdbOR03BNgWY=iBM11fFg@mail.gmail.com> <d2d4bd929ec0d00960e54bd9a3988bf3@comp.polyu.edu.hk> <C932A6E6-3967-4272-99D4-4D10D9A3860B@oracle.com>
Message-ID: <9d620b0a7e3ab7cd272a05a20f88b6b8@comp.polyu.edu.hk>
X-Sender: cspzhouroc@comp.polyu.edu.hk
User-Agent: RoundCube Webmail/10.5
Cc: Peng Zhou <zpbrent@gmail.com>, oauth@ietf.org
Subject: Re: [OAUTH-WG] A question of 1.3.1. Authorization Code in rfc6749 The OAuth 2.0 Authorization Framework
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 09 Jan 2013 07:18:17 -0000

  

Do you mean the bounding information must be presented by the RO?
The client cannot trust the RO-client bounding information that is
received from AS? 

On Tue, 8 Jan 2013 23:00:03 -0800, Phil Hunt wrote:


> The idea is to form a bridge between a user, their user-agent, and
the client application while at the same time keeping the security
credential and the client app cred separate. 
> 
> The redirect with
code flow enables the separate contexts to be bound together. 
> 
> As
soon as you do this in one step, then the client app needs to be able to
handle the users credentials (eg uid/pwd) directly. Remember that one of
the original reasons for the auth flow was to eliminate the password
anti-pattern. 
> 
> Phil 
> 
> Sent from my phone. 
> 
> On 2013-01-08,
at 22:52, cspzhouroc wrote:
> 
>> Dear Prabath: 
>> 
>> But is it
possible to include the the mapping between the user request and the
code in the message that the AS sends to the client directly? 
>> 
>>
Best Regards 
>> 
>> Brent 
>> 
>> On Wed, 9 Jan 2013 12:17:19 +0530,
Prabath Siriwardena wrote: 
>> 
>>> On Wed, Jan 9, 2013 at 12:09 PM,
Peng Zhou wrote:
>>> 
>>>> Dear Prabath:
>>>> 
>>>> Thank you very much
for your responses :-)
>>>> 
>>>> However, I am still not quite sure why
the authorization code must be
>>>> sent to the client through the RO's
user-agent?
>>> 
>>> One reason I see is, bringing the authorization
code via User Agent - links the user request to the authorization code.
If AS directly sends the code to the Resource Server the mapping between
the user request and the code is broken. 
>>> Thanks & regards, 
>>>
-Prabath 
>>> 
>>>> Best Regards
>>>> Brent
>>>> 
>>>> 2013/1/9 Prabath
Siriwardena :
>>>> > Prabath
>>> 
>>> -- 
>>> Thanks & Regards,
>>>
Prabath 
>>> Mobile : +94 71 809 6732 
>>> 
>>>
http://blog.facilelogin.com [3]
>>> http://RampartFAQ.com [4]
> 
>>
_______________________________________________
>> OAuth mailing list
>>
OAuth@ietf.org [5]
>> https://www.ietf.org/mailman/listinfo/oauth [6]

 


Links:
------
[1] mailto:prabath@wso2.com
[2]
mailto:zpbrent@gmail.com
[3] http://blog.facilelogin.com
[4]
http://RampartFAQ.com
[5] mailto:OAuth@ietf.org
[6]
https://www.ietf.org/mailman/listinfo/oauth
[7]
mailto:cspzhouroc@comp.polyu.edu.hk

v2.23.0 | Report a Bug | By Email