cxf-users mailing list archives

From Craig McClanahan <craig...@gmail.com>
Subject Re: Implementing the OAuth 2.0 Authorization Code Grant Flow
Date Tue, 22 Jan 2013 16:54:54 GMT
On Tue, Jan 22, 2013 at 3:22 AM, Sergey Beryozkin <sberyozkin@gmail.com> wrote:

> Hi Craig
>
> Actually, I may've just got it :-), you'd like to have a user, after an
> initial redirect, facing a form asking both for the authentication info and
> the authorization approval ?
>
Yep, exactly.


> Hmm... I think 1) and 2) above is OK, the only downside is the not too
> ideal user experience, where one dialog (authentication) is followed up by
> another one (authorization). This is mitigated if SSO is in place.
>
> But I wonder if presenting the authorization request to the user which has
> not yet authenticated is actually safe. One limitation is also that the
> authorization request page can not be personalized, for ex, if the user has
> authenticated then the page may say "Welcome Barry, the following
> third-party app would like to ...".
>
> By the way, looks like according to
>
> http://help.salesforce.com/help/doc/en/remoteaccess_oauth_web_server_flow.htm
> and
> http://help.salesforce.com/help/doc/en/remoteaccess_oauth_web_server_flow.htm
>
What's not obvious from these diagrams is that the SalesForce "authorize"
endpoint (https://login.salesforce.com/services/oauth2/authorize) does not
require the user to be logged on yet, so you can do both operations on a
single request.  I suppose we'd want to recognize the user if they have
been logged in, but allow them to log in and authorize if not.

Craig
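As an added illustration of the single-request design discussed above (this is example code written for this page, not code from the thread, from CXF or from Salesforce): a minimal Python model of an authorize endpoint that renders a combined login-and-consent form when the browser has no session and a personalised consent-only form when it does, and that only mints an authorization code after the user has been verified. The client id, redirect URI, user store, form field names and the in-memory code table are all hypothetical.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple
from urllib.parse import urlencode

# Hypothetical registered client and user store (constructed for this example).
CLIENTS = {
    "app123": {"name": "Third-party app", "redirect_uris": {"https://app.example/cb"}},
}
# Toy credential store: SHA-256 stands in for a real password KDF (argon2/bcrypt).
USERS = {"barry": hashlib.sha256(b"correct horse").hexdigest()}

# code -> (user, client_id, redirect_uri); a token endpoint would check all three.
ISSUED_CODES: Dict[str, Tuple[str, str, str]] = {}


@dataclass
class Session:
    """Browser session at the authorization server. user is None until login."""
    user: Optional[str] = None
    csrf: str = field(default_factory=lambda: secrets.token_urlsafe(16))


def _redirect(uri: str, **params) -> dict:
    query = urlencode({k: v for k, v in params.items() if v is not None})
    return {"status": 302, "location": f"{uri}?{query}"}


def _valid_client(client_id, redirect_uri):
    client = CLIENTS.get(client_id)
    return client if client and redirect_uri in client["redirect_uris"] else None


def authorize_get(session: Session, client_id: str, redirect_uri: str, state: Optional[str]) -> dict:
    """GET /authorize: the client's initial redirect lands here.

    With no session, render one form that asks for credentials and consent;
    with a session, render a personalised consent-only form.
    """
    client = _valid_client(client_id, redirect_uri)
    if client is None:
        # Do not redirect on a bad client/redirect_uri: that turns the endpoint into an open redirector.
        return {"status": 400, "error": "invalid_request"}
    form = {"client_id": client_id, "redirect_uri": redirect_uri, "state": state, "csrf": session.csrf}
    if session.user is None:
        form["mode"] = "login_and_consent"
        form["prompt"] = f"Sign in to let {client['name']} access your account"
    else:
        form["mode"] = "consent"
        form["prompt"] = f"Welcome {session.user}, {client['name']} would like to access your account"
    return {"status": 200, "form": form}


def authorize_post(session: Session, form: dict) -> dict:
    """POST /authorize: the submitted form.

    Order matters: CSRF check, then request validation, then authentication,
    and only then is the consent decision counted, so a code is always bound
    to a freshly verified user rather than to whoever loaded the page.
    """
    if not hmac.compare_digest(form.get("csrf", ""), session.csrf):
        return {"status": 403, "error": "csrf_mismatch"}
    if _valid_client(form.get("client_id"), form.get("redirect_uri")) is None:
        return {"status": 400, "error": "invalid_request"}
    if session.user is None:
        # Combined form: verify credentials before looking at the approve field.
        stored = USERS.get(form.get("username", ""))
        supplied = hashlib.sha256(form.get("password", "").encode()).hexdigest()
        if stored is None or not hmac.compare_digest(supplied, stored):
            return {"status": 401, "error": "invalid_credentials"}
        session.user = form["username"]
        session.csrf = secrets.token_urlsafe(16)  # rotate the anti-CSRF token at login
    if form.get("approve") != "yes":
        return _redirect(form["redirect_uri"], error="access_denied", state=form.get("state"))
    code = secrets.token_urlsafe(24)
    ISSUED_CODES[code] = (session.user, form["client_id"], form["redirect_uri"])
    return _redirect(form["redirect_uri"], code=code, state=form.get("state"))
```

The ordering inside authorize_post is what makes the combined page acceptable: the consent page can be shown to an anonymous user, but the approval is only acted on after credentials have been checked in the same request, the form carries an anti-CSRF token tied to the session (otherwise a hostile page could submit an attacker's own credentials plus "approve" on the victim's behalf), and redirect_uri is validated against the registered value before any redirect is issued. A real deployment should also rotate the session identifier itself at login, not just the CSRF token.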
