Re: [OAUTH-WG] A question of 1.3.1. Authorization Code in rfc6749 The OAuth 2.0 Authorization Framework

  

Noted and thank you very much for your help :-) 

On Wed, 9 Jan
2013 00:11:20 -0800, Phil Hunt wrote: 

> Yes
> 
> Phil 
> 
> Sent from
my phone. 
> 
> On 2013-01-09, at 0:09, cspzhouroc wrote:
> 
>> Do you
mean, in the stage that AS notify the authorization code to the client
through the RO, the AS has not authenticated the client yet. Therefore,
the AS cannot send the authorization code to the client directly.
Instead, the AS will authenticate the client when the client send the
authorization code to AS for exchanging an access token? 
>> 
>> On Tue,
8 Jan 2013 23:31:22 -0800, Phil Hunt wrote: 
>> 
>>> The AS is
independently authenticating the user and the client in separate steps.

>>> 
>>> Thus it is the AS binding that relation between user and
client together ultimately in a scoped access token through a 3-leg
process. 
>>> 
>>> Phil 
>>> Sent from my phone. 
>>> 
>>> On
2013-01-08, at 23:18, cspzhouroc wrote:
>>> 
>>>> Do you mean the
bounding information must be presented by the RO? The client cannot
trust the RO-client bounding information that is received from AS? 
>>>>

>>>> On Tue, 8 Jan 2013 23:00:03 -0800, Phil Hunt wrote: 
>>>> 
>>>>>
The idea is to form a bridge between a user, their user-agent, and the
client application while at the same time keeping the security
credential and the client app cred separate. 
>>>>> The redirect with
code flow enables the separate contexts to be bound together. 
>>>>> As
soon as you do this in one step, then the client app needs to be able to
handle the users credentials (eg uid/pwd) directly. Remember that one of
the original reasons for the auth flow was to eliminate the password
anti-pattern. 
>>>>> 
>>>>> Phil 
>>>>> Sent from my phone. 
>>>>>

>>>>> On 2013-01-08, at 22:52, cspzhouroc wrote:
>>>>> 
>>>>>> Dear
Prabath: 
>>>>>> 
>>>>>> But is it possible to include the the mapping
between the user request and the code in the message that the AS sends
to the client directly? 
>>>>>> 
>>>>>> Best Regards 
>>>>>> 
>>>>>>
Brent 
>>>>>> 
>>>>>> On Wed, 9 Jan 2013 12:17:19 +0530, Prabath
Siriwardena wrote: 
>>>>>> 
>>>>>>> On Wed, Jan 9, 2013 at 12:09 PM,
Peng Zhou wrote:
>>>>>>> 
>>>>>>>> Dear Prabath:
>>>>>>>> 
>>>>>>>>
Thank you very much for your responses :-)
>>>>>>>> 
>>>>>>>> However, I
am still not quite sure why the authorization code must be
>>>>>>>> sent
to the client through the RO's user-agent?
>>>>>>> 
>>>>>>> One reason I
see is, bringing the authorization code via User Agent - links the user
request to the authorization code. If AS directly sends the code to the
Resource Server the mapping between the user request and the code is
broken. 
>>>>>>> Thanks & regards, 
>>>>>>> -Prabath 
>>>>>>> 
>>>>>>>>
Best Regards
>>>>>>>> Brent
>>>>>>>> 
>>>>>>>> 2013/1/9 Prabath
Siriwardena :
>>>>>>>> > Prabath
>>>>>>> 
>>>>>>> -- 
>>>>>>> Thanks &
Regards,
>>>>>>> Prabath 
>>>>>>> Mobile : +94 71 809 6732 
>>>>>>>

>>>>>>> http://blog.facilelogin.com [3]
>>>>>>> http://RampartFAQ.com
[4]
>>>>> 
>>>>>> _______________________________________________
>>>>>>
OAuth mailing list
>>>>>> OAuth@ietf.org [5]
>>>>>>
https://www.ietf.org/mailman/listinfo/oauth [6]

  

Links:
------
[1]
mailto:prabath@wso2.com
[2] mailto:zpbrent@gmail.com
[3]
http://blog.facilelogin.com
[4] http://RampartFAQ.com
[5]
mailto:OAuth@ietf.org
[6]
https://www.ietf.org/mailman/listinfo/oauth
[7]
mailto:cspzhouroc@comp.polyu.edu.hk
[8]
mailto:cspzhouroc@comp.polyu.edu.hk
[9]
mailto:cspzhouroc@comp.polyu.edu.hk