Re: [OAUTH-WG] A question of 1.3.1. Authorization Code in rfc6749 The OAuth 2.0 Authorization Framework
cspzhouroc <cspzhouroc@comp.polyu.edu.hk> Wed, 09 January 2013 06:47 UTC
Date: Wed, 09 Jan 2013 14:47:16 +0800
From: cspzhouroc <cspzhouroc@comp.polyu.edu.hk>
To: Prabath Siriwardena <prabath@wso2.com>
In-Reply-To: <CAJV9qO80r93oOk-EjVukF0AUbc5-FWu8VhpVi+9WZBGzSjMrPA@mail.gmail.com>
References: <190fcb42a851f2dfe73b2614b7880046@comp.polyu.edu.hk> <CAJV9qO80r93oOk-EjVukF0AUbc5-FWu8VhpVi+9WZBGzSjMrPA@mail.gmail.com>
Message-ID: <488e52918442cab2b5bc83c2cdccf662@comp.polyu.edu.hk>
Cc: oauth@ietf.org
Dear Prabath:

Thank you very much for your responses :-)

However, I am still not quite sure why the authorization code must be sent to the client through the RO's user-agent?

Best Regards
Brent

On Wed, 9 Jan 2013 11:57:50 +0530, Prabath Siriwardena wrote:

> Hi Brent,
>
> A few points on why this doesn't create any security implications..
>
> 1. Authorization server maintains a binding to the Client, who the token was issued to. To exchange this for an access token the client should authenticate himself.
> 2. Code can only be exchanged once for an access token.
>
> Thanks & regards,
> -Prabath
>
> On Wed, Jan 9, 2013 at 6:56 AM, cspzhouroc wrote:
>
>> Dear All:
>>
>> I have a question in the section 1.3.1. Authorization Code in rfc6749 The OAuth 2.0 Authorization Framework.
>>
>> It tells "which in turn directs the resource owner back to the client with the authorization code."
>>
>> Who can let me know the reason why the authorization code is sent to the client through a redirection in the resource owner's agent? Any security implications?
>>
>> Is it possible to let the authorization server send the authorization code to the client directly (not through the resource owner's user-agent)?
>>
>> Best Regards
>>
>> Brent
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org [1]
>> https://www.ietf.org/mailman/listinfo/oauth [2]
>
> --
> Thanks & Regards,
> Prabath
>
> Mobile : +94 71 809 6732
>
> http://blog.facilelogin.com [4]
> http://RampartFAQ.com [5]

Links:
------
[1] mailto:OAuth@ietf.org
[2] https://www.ietf.org/mailman/listinfo/oauth
[3] mailto:cspzhouroc@comp.polyu.edu.hk
[4] http://blog.facilelogin.com
[5] http://RampartFAQ.com
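Added example (not part of the thread, and not code from either poster): a toy, in-memory Python model of the RFC 6749 authorization code grant that walks through the two points in Prabath's reply above and the redirect Brent asks about. The client names, secrets, hosts (under example.invalid) and the in-memory stores are assumptions made up for the illustration; TLS, scopes and refresh tokens are left out.

```python
"""Toy model of the RFC 6749 authorization code grant (added illustration,
not the thread's or any project's code). Names, secrets and hosts are made up."""
import hmac
import secrets
import time
from dataclasses import dataclass
from urllib.parse import parse_qs, urlencode, urlparse


@dataclass
class Client:
    client_id: str
    client_secret: str
    redirect_uri: str  # registered up front; the AS only ever redirects here


@dataclass
class CodeRecord:
    client_id: str     # binding: which client this code was issued to
    redirect_uri: str  # must be repeated verbatim at the token endpoint
    user: str
    issued_at: float
    used: bool = False


class AuthorizationServer:
    CODE_LIFETIME = 600  # seconds; RFC 6749 4.1.2 recommends at most 10 minutes

    def __init__(self, clients):
        self.clients = {c.client_id: c for c in clients}
        self.codes = {}          # code -> CodeRecord
        self.access_tokens = {}  # access token -> code it was minted from

    def authorize(self, client_id, redirect_uri, state, user, consent):
        """Front channel (authorization endpoint). Returns the URL the resource
        owner's user-agent is redirected to; at this point the AS has no other
        channel to the client, which is why the code rides on the redirect."""
        client = self.clients.get(client_id)
        if client is None or redirect_uri != client.redirect_uri:
            # Never redirect to an unregistered URI: it would hand the code to
            # whoever chose that URI (RFC 6749 3.1.2.4).
            raise ValueError("unknown client or unregistered redirect_uri")
        if not consent:
            return f"{redirect_uri}?{urlencode({'error': 'access_denied', 'state': state})}"
        code = secrets.token_urlsafe(32)
        self.codes[code] = CodeRecord(client_id, redirect_uri, user, time.time())
        return f"{redirect_uri}?{urlencode({'code': code, 'state': state})}"

    def token(self, client_id, client_secret, code, redirect_uri):
        """Back channel (token endpoint): a direct client -> AS request."""
        client = self.clients.get(client_id)
        if client is None or not hmac.compare_digest(client.client_secret, client_secret):
            return {"error": "invalid_client"}  # point 1: the client must authenticate
        rec = self.codes.get(code)
        if rec is None:
            return {"error": "invalid_grant"}
        if rec.used:
            # point 2: single use. A second presentation means the code leaked,
            # so revoke what it already produced (RFC 6749 4.1.2, SHOULD).
            for tok in [t for t, c in self.access_tokens.items() if c == code]:
                del self.access_tokens[tok]
            return {"error": "invalid_grant"}
        if rec.client_id != client_id or rec.redirect_uri != redirect_uri:
            return {"error": "invalid_grant"}  # point 1: code is bound to one client
        if time.time() - rec.issued_at > self.CODE_LIFETIME:
            return {"error": "invalid_grant"}
        rec.used = True
        access_token = secrets.token_urlsafe(32)
        self.access_tokens[access_token] = code
        return {"access_token": access_token, "token_type": "Bearer"}

    def token_is_valid(self, access_token):
        return access_token in self.access_tokens


def client_callback(auth_server, client, redirect_url, expected_state):
    """What the client does when the user-agent arrives at its redirect URI."""
    q = parse_qs(urlparse(redirect_url).query)
    if q.get("state", [None])[0] != expected_state:
        return {"error": "state_mismatch"}  # CSRF: not a response to our request
    if "error" in q:
        return {"error": q["error"][0]}
    return auth_server.token(client.client_id, client.client_secret,
                             q["code"][0], client.redirect_uri)


def demo():
    good = Client("app-a", "secret-a", "https://app-a.example.invalid/cb")
    other = Client("app-b", "secret-b", "https://app-b.example.invalid/cb")
    auth_server = AuthorizationServer([good, other])
    state = secrets.token_urlsafe(16)
    # "alice" consents; her user-agent is redirected to app-a carrying the code.
    # Anyone who can read that redirect (history, Referer, a proxy) holds the code.
    redirect = auth_server.authorize("app-a", good.redirect_uri, state, "alice", consent=True)
    code = parse_qs(urlparse(redirect).query)["code"][0]
    r = {}
    r["no_secret"] = auth_server.token("app-a", "guess", code, good.redirect_uri)
    r["other_client"] = auth_server.token("app-b", "secret-b", code, other.redirect_uri)
    r["bad_state"] = client_callback(auth_server, good, redirect, "some-other-state")
    r["legit"] = client_callback(auth_server, good, redirect, state)
    r["replay"] = auth_server.token("app-a", "secret-a", code, good.redirect_uri)
    r["token_still_valid"] = auth_server.token_is_valid(r["legit"].get("access_token", ""))
    return r


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Running it shows the leaked code refused without app-a's secret, refused when a different registered client presents it, ignored by a callback whose state does not match, accepted exactly once, and the replay both refused and revoking the token the first exchange produced. The redirect through the user-agent is the only channel the authorization server has to the client at authorization time; what makes that acceptable is that the code by itself buys nothing without the authenticated back-channel exchange.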