Re: [OAUTH-WG] user-agent flow needs a rewrite

Eran Hammer-Lahav <eran@hueniverse.com> Tue, 13 July 2010 18:39 UTC

Isn't that better overall than requiring the browser to make another HTTP request to pass the code over?

EHL


On 7/13/10 11:17 AM, "Brian Eaton" <beaton@google.com> wrote:

On Tue, Jul 13, 2010 at 9:42 AM, David Recordon <recordond@gmail.com> wrote:
>> That strikes me as very odd - returning some params in the query, and
>> others in the fragment is just weird.
>
> I actually think that you want this - albeit odd - combination when
> requesting both a code and token. The code and state parameters are needed
> by the server and thus are query parameters. The access token, scope, and
> expires in shouldn't be sent to the server via HTTP and thus are within
> the fragment for the JavaScript to access.

The problem is that if you do it this way you end up busting the
browser cache.  All of the performance improvements offered by the
user-agent profile are lost.

Cheers,
Brian
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
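Added illustration of the two redirect layouts discussed above (not code from the thread or from any OAuth implementation): it builds the mixed query-plus-fragment URI and the fragment-only URI, then shows what the browser actually sends to the server, which is also the key the browser cache uses. The client URI and the code, state and token values are constructed placeholders.

```python
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# Hypothetical client callback; not a real endpoint.
REDIRECT_URI = "https://client.example/cb"


def build_mixed(code, state, token, scope, expires_in):
    """Layout from the quoted mail: code/state in the query (server needs them),
    access_token/scope/expires_in in the fragment (for the page's JavaScript)."""
    parts = urlsplit(REDIRECT_URI)
    query = urlencode({"code": code, "state": state})
    fragment = urlencode(
        {"access_token": token, "scope": scope, "expires_in": expires_in}
    )
    return urlunsplit((parts.scheme, parts.netloc, parts.path, query, fragment))


def build_fragment_only(token, scope, expires_in, state):
    """Pure user-agent layout: every parameter after '#', nothing in the query."""
    parts = urlsplit(REDIRECT_URI)
    fragment = urlencode(
        {"access_token": token, "scope": scope, "expires_in": expires_in, "state": state}
    )
    return urlunsplit((parts.scheme, parts.netloc, parts.path, "", fragment))


def wire_url(uri):
    """The request the browser puts on the wire: scheme, host, path and query.
    The fragment is never sent, so this is also the browser's cache key."""
    parts = urlsplit(uri)
    return urlunsplit((parts.scheme, parts.netloc, parts.path, parts.query, ""))


def fragment_params(uri):
    """What the page's script can read back from window.location.hash."""
    return parse_qs(urlsplit(uri).fragment)


if __name__ == "__main__":
    # Two separate authorizations (constructed values): mixed layout gives two
    # different wire URLs, so the second response cannot be served from cache.
    a = build_mixed("code-1", "st-1", "tok-1", "read", "3600")
    b = build_mixed("code-2", "st-2", "tok-2", "read", "3600")
    print(wire_url(a), wire_url(b), sep="\n")
    # Fragment-only layout: the wire URL never changes.
    print(wire_url(build_fragment_only("tok-1", "read", "3600", "st-1")))
```

The access token stays in the fragment in both layouts; what differs is whether the server-visible part of the URL varies per authorization.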