cxf-dev mailing list archives

From Craig McClanahan <craig...@apache.org>
Subject Implementing the OAuth 2.0 Authorization Code Grant Flow
Date Tue, 22 Jan 2013 05:26:17 GMT
(Cross-posted from users@ in case the relevant devs only listen here).

I'm using CXF 2.7.2 and building out a server that will support the various
flows, in particular the Authorization Code Grant flow[1].  I'm a bit
puzzled, though, about the way that
RedirectionBasedGrantService#startAuthorization()
expects the end user to have already authenticated to the authorization
server.  This seems different from the way I've seen OAuth 2 implemented at
places like salesforce.com, where the /authorize endpoint allows the user
to *both* authenticate themselves (username and password) *and* authorize
the particular client.

Was this design intentional?  If so, is there a recommended technique to
implement this flow that *does* allow a combination of authentication and
authorization in a single redirect flow?

Craig McClanahan

[1] http://tools.ietf.org/html/rfc6749#section-4.1
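As an added illustration (not part of the original message, and not CXF code), the following framework-agnostic Python model shows one way to structure the combined flow the message asks about: the /authorize endpoint validates the client and redirect_uri, parks the request and sends an unauthenticated user to a login page, then resumes the grant after login and consent, issuing a short-lived single-use code bound to the client, the redirect_uri and the user, which the token endpoint checks before exchanging it. All client identifiers, secrets and URLs are constructed placeholders.

```python
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed client registry; identifiers, secret and URLs are hypothetical.
CLIENTS = {
    "app123": {"secret": "client-secret-xyz", "redirect_uris": {"https://client.example/cb"}},
}
LOGIN_URL = "https://as.example/login"   # hypothetical login page of the authorization server
CODE_TTL_SECONDS = 60                      # short-lived codes limit the replay window


def query_params(url):
    """Return the query string of a URL as a dict of single values."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


class AuthorizationServer:
    def __init__(self):
        self.pending = {}  # request_id -> saved authorization request awaiting login/consent
        self.codes = {}    # code -> binding (client_id, redirect_uri, user, expiry)

    def authorize(self, params, user=None):
        """Handle GET /authorize and return the URL the browser is redirected to.

        If no user is authenticated yet, the request is parked and the redirect
        goes to the login page, so authentication and authorization happen in
        one redirect flow.
        """
        client = CLIENTS.get(params.get("client_id"))
        redirect_uri = params.get("redirect_uri")
        if client is None or redirect_uri not in client["redirect_uris"]:
            # RFC 6749 section 4.1.2.1: never redirect to an unregistered redirect_uri
            raise ValueError("invalid_client_or_redirect_uri")
        if params.get("response_type") != "code":
            return self._error_redirect(params, "unsupported_response_type")
        if user is None:
            request_id = secrets.token_urlsafe(16)
            self.pending[request_id] = dict(params)
            return LOGIN_URL + "?" + urlencode({"request_id": request_id})
        return self._issue_code(params, user)

    def resume(self, request_id, user, consent_granted):
        """Called after the login/consent page posts back with the authenticated user."""
        params = self.pending.pop(request_id, None)   # one-shot: cannot be resumed twice
        if params is None:
            raise ValueError("unknown_or_expired_request")
        if not consent_granted:
            return self._error_redirect(params, "access_denied")
        return self._issue_code(params, user)

    def _issue_code(self, params, user):
        code = secrets.token_urlsafe(32)
        self.codes[code] = {
            "client_id": params["client_id"],
            "redirect_uri": params["redirect_uri"],
            "user": user,
            "expires_at": time.time() + CODE_TTL_SECONDS,
        }
        query = {"code": code}
        if "state" in params:             # echo state so the client can detect CSRF
            query["state"] = params["state"]
        return params["redirect_uri"] + "?" + urlencode(query)

    def _error_redirect(self, params, error):
        query = {"error": error}
        if "state" in params:
            query["state"] = params["state"]
        return params["redirect_uri"] + "?" + urlencode(query)

    def token(self, client_id, client_secret, code, redirect_uri):
        """Handle POST /token for grant_type=authorization_code."""
        client = CLIENTS.get(client_id)
        if client is None or not secrets.compare_digest(client["secret"], client_secret):
            raise ValueError("invalid_client")
        record = self.codes.pop(code, None)          # single use: a replayed code fails
        if record is None or record["expires_at"] < time.time():
            raise ValueError("invalid_grant")
        if record["client_id"] != client_id or record["redirect_uri"] != redirect_uri:
            raise ValueError("invalid_grant")        # code is bound to client and redirect_uri
        return {"access_token": secrets.token_urlsafe(32), "token_type": "bearer",
                "subject": record["user"]}


def demo_flow():
    """Walk through the full flow with constructed values; returns the token response."""
    server = AuthorizationServer()
    request = {"response_type": "code", "client_id": "app123",
               "redirect_uri": "https://client.example/cb", "state": "xyz"}
    login_redirect = server.authorize(request)                 # no session yet -> login page
    request_id = query_params(login_redirect)["request_id"]
    callback = server.resume(request_id, "alice", True)        # user logged in and consented
    code = query_params(callback)["code"]
    return server.token("app123", "client-secret-xyz", code, "https://client.example/cb")


if __name__ == "__main__":
    print(demo_flow())
```

The pending-request table is what lets a single /authorize entry point serve both unauthenticated and authenticated users: the original request parameters (including state) survive the login round trip server-side, so nothing security-relevant travels through the login form, and a denied consent still returns the client's state alongside the error.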
