Re: [OAUTH-WG] A question of 1.3.1. Authorization Code in rfc6749 The OAuth 2.0 Authorization Framework

Prabath Siriwardena <prabath@wso2.com> Wed, 09 January 2013 06:27 UTC

In-Reply-To: <190fcb42a851f2dfe73b2614b7880046@comp.polyu.edu.hk>
References: <190fcb42a851f2dfe73b2614b7880046@comp.polyu.edu.hk>
Date: Wed, 09 Jan 2013 11:57:50 +0530
Message-ID: <CAJV9qO80r93oOk-EjVukF0AUbc5-FWu8VhpVi+9WZBGzSjMrPA@mail.gmail.com>
From: Prabath Siriwardena <prabath@wso2.com>
To: cspzhouroc <cspzhouroc@comp.polyu.edu.hk>
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] A question of 1.3.1. Authorization Code in rfc6749 The OAuth 2.0 Authorization Framework

Hi Brent,

A few points on why this doesn't create any security implications:

1. The authorization server maintains a binding to the client who the token
was issued to. To exchange this for an access token, the client should
authenticate itself.
2. A code can only be exchanged once for an access token.

Thanks & regards,
-Prabath

On Wed, Jan 9, 2013 at 6:56 AM, cspzhouroc <cspzhouroc@comp.polyu.edu.hk> wrote:

>
> Dear All:
>
> I have a question in the section 1.3.1. Authorization Code in rfc6749 The
> OAuth 2.0 Authorization Framework.
>
> It says "which in turn directs the resource owner back to the client with
> the authorization code."
>
> Who can let me know the reason why the authorization code is sent to the
> client through a redirection in the resource owner's user-agent? Any
> security implications?
>
> Is it possible to let the authorization server send the authorization code
> to the client directly (not through resource owner's user-agent)?
>
> Best Regards
> Brent
>


-- 
Thanks & Regards,
Prabath

Mobile : +94 71 809 6732

http://blog.facilelogin.com
http://RampartFAQ.com
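Added example (not part of the thread, and not code from any of the posters or from RFC 6749 itself): a small in-memory model of the two checks the reply relies on, namely that the code is bound to the client it was issued to and that a code can be redeemed only once, plus the rule in RFC 6749 section 4.1.2 that a replayed code is denied and the tokens already issued from it are revoked. It walks through the case the question raises: the code travels through the user-agent redirect, so an observer of that redirect can obtain it, yet cannot turn it into an access token. Client ids, secrets, redirect URIs and the class and function names are constructed for this illustration; there is no HTTP, PKCE or scope handling.

```python
import hmac
import secrets
import time
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlparse


@dataclass
class IssuedCode:
    """State the authorization server keeps per code (constructed model)."""
    client_id: str
    redirect_uri: str
    user: str
    expires_at: float
    used: bool = False
    tokens: list = field(default_factory=list)


class AuthorizationServer:
    """Model of the two endpoints of the authorization code grant, limited to
    the checks under discussion: code bound to the client, client
    authentication at the token endpoint, single use with revocation on replay."""
    CODE_TTL_SECONDS = 600  # RFC 6749 recommends a maximum lifetime of 10 minutes

    def __init__(self, clients):
        self._clients = clients   # client_id -> (client_secret, registered redirect_uri)
        self._codes = {}          # code -> IssuedCode
        self._revoked = set()     # access tokens revoked after a code replay

    def authorize(self, client_id, redirect_uri, user):
        """Authorization endpoint: after consent, mint a code bound to this client
        and return the redirect the user-agent follows. Anyone who sees that
        redirect (browser history, logs, a proxy) sees the code."""
        if client_id not in self._clients:
            raise ValueError("unknown client")
        if redirect_uri != self._clients[client_id][1]:
            raise ValueError("redirect_uri does not match registration")
        code = secrets.token_urlsafe(32)
        self._codes[code] = IssuedCode(
            client_id, redirect_uri, user, time.time() + self.CODE_TTL_SECONDS)
        return f"{redirect_uri}?code={code}"

    def token(self, client_id, client_secret, code, redirect_uri):
        """Token endpoint: the client authenticates, then presents the code."""
        # 1. Client authentication (confidential client); constant-time compare.
        reg = self._clients.get(client_id)
        if reg is None or not hmac.compare_digest(reg[0], client_secret):
            return {"error": "invalid_client"}
        issued = self._codes.get(code)
        if issued is None:
            return {"error": "invalid_grant"}
        # 2. Single use: a replayed code is denied and the tokens already
        #    issued from it are revoked (RFC 6749 section 4.1.2).
        if issued.used:
            self._revoked.update(issued.tokens)
            return {"error": "invalid_grant"}
        # 3. Binding: issued to this client, for this redirect_uri, not expired.
        if (issued.client_id != client_id
                or issued.redirect_uri != redirect_uri
                or time.time() > issued.expires_at):
            return {"error": "invalid_grant"}
        issued.used = True
        access_token = secrets.token_urlsafe(32)
        issued.tokens.append(access_token)
        return {"access_token": access_token, "token_type": "Bearer"}

    def token_is_valid(self, access_token):
        """Resource-server side view, used to observe the revocation."""
        return (any(access_token in c.tokens for c in self._codes.values())
                and access_token not in self._revoked)


def code_from_redirect(location):
    """Extract the code from the redirect URL, as the client or an eavesdropper
    on the user-agent would."""
    return parse_qs(urlparse(location).query)["code"][0]


def run_scenarios():
    """The cases behind the two points in the reply; all values constructed."""
    srv = AuthorizationServer({
        "app":  ("app-secret-1", "https://app.example/cb"),
        "evil": ("evil-secret-2", "https://evil.example/cb"),
    })
    results = {}
    # Legitimate flow: browser is redirected with the code, client redeems it.
    code = code_from_redirect(srv.authorize("app", "https://app.example/cb", "alice"))
    legit = srv.token("app", "app-secret-1", code, "https://app.example/cb")
    results["legit"] = "access_token" in legit
    # Same code replayed: denied, and the token from the first use is revoked.
    results["replay"] = srv.token("app", "app-secret-1", code, "https://app.example/cb").get("error")
    results["token_after_replay"] = srv.token_is_valid(legit["access_token"])
    # A fresh code taken from the redirect, presented without the client secret...
    stolen = code_from_redirect(srv.authorize("app", "https://app.example/cb", "alice"))
    results["no_secret"] = srv.token("app", "guess", stolen, "https://app.example/cb").get("error")
    # ...or by a different, properly authenticated client: fails the binding.
    results["other_client"] = srv.token("evil", "evil-secret-2", stolen, "https://evil.example/cb").get("error")
    return results


if __name__ == "__main__":
    print(run_scenarios())
```

Running it shows the legitimate exchange succeeding, the replay returning invalid_grant with the first access token no longer valid, and the two attempts with a code lifted from the redirect failing with invalid_client (no secret) and invalid_grant (wrong client for that code). The redirect through the user-agent is what links the resource owner's browser session to the client; the checks above are what stop the code from being useful to anyone else who sees it.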