cxf-users mailing list archives

From Craig McClanahan
Subject Re: Implementing the OAuth 2.0 Authorization Code Grant Flow
Date Tue, 22 Jan 2013 16:54:54 GMT
On Tue, Jan 22, 2013 at 3:22 AM, Sergey Beryozkin wrote:

> Hi Craig
> Actually, I may've just got it :-), you'd like to have a user, after an
> initial redirect, facing a form asking both for the authentication info and
> the authorization approval?

Yep, exactly.

> Hmm... I think 1) and 2) above are OK, the only downside is the not too
> ideal user experience, where one dialog (authentication) is followed up by
> another one (authorization). This is mitigated if SSO is in place.
> But I wonder if presenting the authorization request to the user who has
> not yet authenticated is actually safe. One limitation is also that the
> authorization request page can not be personalized, for example, if the user has
> authenticated then the page may say "Welcome Barry, the following
> third-party app would like to ...".
> By the way, looks like according to
> oauth_web_server_flow.htm<>
> and
> oauth_web_server_flow.htm<>
What's not obvious from these diagrams is that the SalesForce "authorize"
endpoint ( does not
require the user to be logged on yet, so you can do both operations on a
single request.  I suppose we'd want to recognize the user if they have
been logged in, but allow them to log in and authorize if not.
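The combined flow Craig describes, as an added example that is not part of the thread or of CXF: a single `/authorize` handler that shows one form which asks for credentials only when the session is not yet authenticated, binds the pending authorization request to that session via a one-time form token, and only issues a code after the client and redirect_uri have been validated and the (now authenticated) user has approved. Client and user registries, session ids and the password hashing are constructed placeholders.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlencode

# Constructed sample registries (hypothetical client and user; not from the thread).
CLIENTS = {"app123": {"redirect_uri": "https://client.example/cb", "name": "Example App"}}
USERS = {"barry": hashlib.sha256(b"correct horse").hexdigest()}


class AuthorizeEndpoint:
    def __init__(self):
        self.sessions = {}  # session_id -> authenticated username
        self.pending = {}   # one-time form token -> stored authorization request
        self.codes = {}     # issued authorization code -> (client, redirect_uri, user)

    def get(self, session_id, client_id, redirect_uri, state):
        """GET /authorize: validate the client first, then render the combined form."""
        client = CLIENTS.get(client_id)
        if client is None or redirect_uri != client["redirect_uri"]:
            return {"error": "invalid_request"}  # never redirect to an unregistered URI
        token = secrets.token_urlsafe(16)
        self.pending[token] = dict(client_id=client_id, redirect_uri=redirect_uri,
                                   state=state, session_id=session_id)
        user = self.sessions.get(session_id)
        # Already logged in: personalize and skip the credential fields.
        return {"form_token": token, "needs_login": user is None, "app": client["name"],
                "greeting": f"Welcome {user}" if user else None}

    def post(self, session_id, form_token, approve, username=None, password=None):
        """POST /authorize: authenticate if needed, then apply the consent decision."""
        req = self.pending.pop(form_token, None)  # token is single-use
        if req is None or req["session_id"] != session_id:
            return {"error": "invalid_request"}
        user = self.sessions.get(session_id)
        if user is None:
            digest = hashlib.sha256((password or "").encode()).hexdigest()
            if username not in USERS or not hmac.compare_digest(USERS[username], digest):
                return {"error": "access_denied"}
            user = self.sessions[session_id] = username
        if not approve:
            return {"redirect": req["redirect_uri"] + "?" +
                    urlencode({"error": "access_denied", "state": req["state"]})}
        code = secrets.token_urlsafe(24)
        self.codes[code] = dict(client_id=req["client_id"],
                                redirect_uri=req["redirect_uri"], user=user)
        return {"redirect": req["redirect_uri"] + "?" +
                urlencode({"code": code, "state": req["state"]})}
```

A second request in the same session gets `needs_login` false and the personalized greeting, which is the "recognize the user if they have been logged in" case; the first request in a fresh session goes through login and consent in one POST.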
