Re: [OAUTH-WG] user-agent flow needs a rewrite
David Recordon <recordond@gmail.com> Tue, 13 July 2010 16:42 UTC
On Tue, Jul 13, 2010 at 1:06 AM, Luke Shepard <lshepard@facebook.com> wrote:
> I just read this bit:
>
> If the response type is "code_and_token", the authorization server
> adds the "code" and "state" parameters to the redirection URI query
> component and the "access_token", "scope", and "expires_in" to the
> redirection URI fragment using the
> "application/x-www-form-urlencoded" format as defined by
>
> That strikes me as very odd - returning some params in the query, and
> others in the fragment is just weird.

I actually think that you want this – albeit odd – combination when requesting both a code and token. The code and state parameters are needed by the server and thus are query parameters. The access token, scope, and expires_in shouldn't be sent to the server via HTTP and thus are within the fragment for the JavaScript to access.

> I think the request should specify whether it wants the response in the
> fragment or query.

You can't always put them into the query because you'd be exposing an access token over HTTP. If you always put them into the fragment then you need to write JavaScript which passes the code and state down to the server.
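As an added example (not from this thread, and not text from any OAuth draft), the following Node.js script models the split David describes: the authorization server puts "code" and "state" in the query component, which the user agent transmits when it follows the redirect, and "access_token", "scope" and "expires_in" in the fragment, which the user agent keeps to itself and only page script can read. The redirect URI, the helper names and the sample parameter values are all constructed for the illustration.

```javascript
// Added example, not code from the OAuth working group or any spec.
// Node.js 18+ (global URL / URLSearchParams); no third-party packages.

// Authorization-server side: build the redirect for a "code_and_token"
// response. Query = what the client's server needs; fragment = what only the
// browser-side script should see.
function buildCodeAndTokenRedirect(redirectUri, params) {
  const url = new URL(redirectUri);
  // Query component: sent to the client's server with the request.
  url.searchParams.set('code', params.code);
  url.searchParams.set('state', params.state);
  // Fragment component: retained by the user agent, never transmitted.
  const frag = new URLSearchParams();
  frag.set('access_token', params.access_token);
  frag.set('scope', params.scope);
  frag.set('expires_in', String(params.expires_in));
  url.hash = frag.toString();
  return url.toString();
}

// What the user agent actually puts on the wire when it follows the redirect:
// the HTTP request-target is path + query only. Nothing after '#' leaves the
// browser, which is why the token can sit there but not in the query.
function requestTargetSentToServer(fullUri) {
  const url = new URL(fullUri);
  return url.pathname + url.search;
}

// Server-side handler at the redirect URI: only the query is available here.
// (A real handler would also check "state" against the value it issued.)
function parseServerSideParams(requestTarget) {
  const url = new URL(requestTarget, 'https://placeholder.invalid');
  return Object.fromEntries(url.searchParams.entries());
}

// Browser-side script at the redirect URI: read the fragment (in a page this
// would be window.location.hash) and recover the token parameters locally.
function parseFragmentParams(fullUri) {
  const url = new URL(fullUri);
  const frag = new URLSearchParams(url.hash.replace(/^#/, ''));
  return Object.fromEntries(frag.entries());
}

// Constructed sample values; placeholders, not real credentials.
const sample = {
  code: 'EXAMPLE-CODE',
  state: 'xyz',
  access_token: 'EXAMPLE-ACCESS-TOKEN',
  scope: 'read write',
  expires_in: 3600,
};
const redirect = buildCodeAndTokenRedirect('https://client.example.com/cb', sample);

console.log('redirect URI:     ', redirect);
console.log('sent to server:   ', requestTargetSentToServer(redirect));
console.log('server sees:      ', parseServerSideParams(requestTargetSentToServer(redirect)));
console.log('page script sees: ', parseFragmentParams(redirect));
```

Running it shows the server-side handler receiving only "code" and "state", while the token parameters are recoverable only from the fragment; if a server needs the code but the token must stay in the browser, this is the combination that gives each side exactly what it needs without a script relaying anything.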