cxf-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Łukasz Moreń <>
Subject Re: OAuth authorization endpoint - conditional redirect
Date Thu, 08 Jul 2010 17:06:24 GMT

> I'm wondering should the server try to redirect the end user back to the
> consumer first, provided the consumer did register a callback ? The consumer
> will recognize that no verifier is available and will reply back to the end
> user : "can not access your resource because the server thought my request
> token was invalid" (just an example), so it will be the responsibility of
> the consumer as to what to say if the request token expired or something.
> Though if no callback is available then the server will have to reply to the
> end user indeed...

I got suggested by current OAuth providers, i.e. google or twitter
show information about invalid request on the server side.
Approach that error response is sent to the client is I think included
in current OAuth 2.0 spec. Hovewer callback_uri is required there
either through preregistration or request parameter, in 1.0, as you
mentioned may not be available.

I would go with server response to the user as it solves both cases
where callback is available or not.

>> So far I use RequestDispatcherProvider, but I am stuck a bit, hot to
>> perform a conditional redirection (i.e. depends on object passed to
>> MessageBodyWriter).
>> I haven't found any easy way to do that. I can write custom
>> RequestDispatcherProvider based on existing one, but maybe there is
>> easier way?
>> Perhaps a simpler option is to handle it by using
> Response.seeOther(relativeUri) in a service provider method which does the
> validation which will redirect the user to a dedicated method handling
> errors...

Thanks, that's simpler way:).


> cheers, Sergey
> Thanks for help.
>> Cheers,
>> Lukasz

View raw message