Subject: Re: Implementing the OAuth 2.0 Authorization Code Grant Flow
From: Craig McClanahan
To: users@cxf.apache.org
Date: Tue, 22 Jan 2013 08:54:54 -0800
In-Reply-To: <50FE7690.7060201@gmail.com>

On Tue, Jan 22, 2013 at 3:22 AM, Sergey Beryozkin wrote:

> Hi Craig
>
> Actually, I may've just got it :-), you'd like to have a user, after an
> initial redirect, facing a form asking both for the authentication info and
> the authorization approval?

Yep, exactly.

> Hmm... I think 1) and 2) above are OK, the only downside is the not too
> ideal user experience, where one dialog (authentication) is followed up by
> another one (authorization). This is mitigated if SSO is in place.
>
> But I wonder if presenting the authorization request to the user who has
> not yet authenticated is actually safe. One limitation is also that the
> authorization request page can not be personalized, for ex, if the user has
> authenticated then the page may say "Welcome Barry, the following
> third-party app would like to ...".
>
> By the way, looks like according to
>
> http://help.salesforce.com/help/doc/en/remoteaccess_oauth_web_server_flow.htm
> and
> http://help.salesforce.com/help/doc/en/remoteaccess_oauth_web_server_flow.htm

What's not obvious from these diagrams is that the SalesForce "authorize"
endpoint (https://login.salesforce.com/services/oauth2/authorize) does not
require the user to be logged on yet, so you can do both operations on a
single request.
I suppose we'd want to recognize the user if they have been logged in, but
allow them to log in and authorize if not.

Craig
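The flow the two of them are converging on, as an added example that is not from the original thread and not CXF's own code: a minimal authorization endpoint that validates client_id and redirect_uri before rendering anything, shows a personalized consent page ("Welcome Barry, ...") when the browser already has a session, and otherwise shows a single combined login-and-consent form, the way the SalesForce authorize endpoint is described above. It addresses the safety question Sergey raises by stashing the validated request server-side under an unguessable form token, honouring the approval only after the credentials check succeeds, and binding the issued code to the authenticated user, the client and the redirect URI (single use, short-lived). The client registration, the user "barry", the password store and the URLs are constructed assumptions for the example; a real server would keep the pending request tied to the browser session and use a proper password hash.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed sample registrations (assumptions for this example, not from the thread).
CLIENTS = {
    "app123": {"name": "Example Third-Party App",
               "redirect_uris": {"https://app.example/cb"}},
}
# Toy credential store; a real server would use a salted, slow password hash.
USERS = {"barry": hashlib.sha256(b"correct horse").hexdigest()}

CODE_LIFETIME = 60  # seconds; authorization codes are short-lived and single use


@dataclass
class AuthorizationEndpoint:
    sessions: dict = field(default_factory=dict)  # session_id -> username (logged-in users)
    pending: dict = field(default_factory=dict)   # form_token -> validated authorization request
    codes: dict = field(default_factory=dict)     # code -> (user, client_id, redirect_uri, expiry)

    def authorize(self, params, session_id=None):
        """GET /authorize. Validate client_id and redirect_uri *before* rendering anything,
        then pick the page: a personalized consent form for a logged-in user, or a
        combined login-and-consent form for an anonymous one."""
        client = CLIENTS.get(params.get("client_id"))
        if client is None:
            return {"error": "invalid_client"}          # unknown client: never redirect
        redirect_uri = params.get("redirect_uri")
        if redirect_uri not in client["redirect_uris"]:
            return {"error": "invalid_redirect_uri"}    # unregistered URI: never redirect
        if params.get("response_type") != "code":
            return {"error": "unsupported_response_type"}
        request = {
            "client_id": params["client_id"],
            "redirect_uri": redirect_uri,
            "state": params.get("state"),
            "scope": params.get("scope", ""),
        }
        # The validated request is kept server-side under an unguessable form token, so the
        # browser only ever posts back the token, never the raw request parameters.
        form_token = secrets.token_urlsafe(32)
        self.pending[form_token] = request
        ask = f"{client['name']} would like to: {request['scope']}"
        user = self.sessions.get(session_id)
        if user is not None:
            return {"page": "consent", "form_token": form_token,
                    "greeting": f"Welcome {user}, {ask}"}
        return {"page": "login_and_consent", "form_token": form_token, "greeting": ask}

    def submit(self, form, session_id=None):
        """POST from either form. An approval is only honoured once the user is authenticated,
        and the issued code is bound to that user, the client and the redirect URI."""
        request = self.pending.get(form.get("form_token"))
        if request is None:
            return {"error": "invalid_request"}         # unknown or already-consumed token
        user = self.sessions.get(session_id)
        if user is None:
            # Combined form: check the credentials first; the pending request survives a
            # failed login so the user can retry without restarting the flow.
            expected = USERS.get(form.get("username"))
            supplied = hashlib.sha256(form.get("password", "").encode()).hexdigest()
            if expected is None or not hmac.compare_digest(supplied, expected):
                return {"error": "authentication_failed"}   # stay on the server, no redirect
            user = form["username"]
        del self.pending[form["form_token"]]            # decision made: token is single use
        if form.get("approve") != "yes":
            return self._redirect(request, error="access_denied")
        code = secrets.token_urlsafe(32)
        self.codes[code] = (user, request["client_id"], request["redirect_uri"],
                            time.time() + CODE_LIFETIME)
        return self._redirect(request, code=code)

    def redeem(self, code, client_id, redirect_uri):
        """Token endpoint side: return the user the code was issued for, or None."""
        entry = self.codes.pop(code, None)              # single use
        if entry is None:
            return None
        user, bound_client, bound_uri, expiry = entry
        if bound_client != client_id or bound_uri != redirect_uri or time.time() > expiry:
            return None
        return user

    @staticmethod
    def _redirect(request, **query):
        if request["state"] is not None:
            query["state"] = request["state"]           # echo state so the client can check it
        return {"redirect": request["redirect_uri"] + "?" + urlencode(query)}


def redirect_params(url):
    """The query parameters of a redirect URL, single-valued (used by callers and tests)."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
```

Note that a failed login never redirects back to the client: the error is shown by the authorization server itself, so a client can never learn anything from the user's credential attempts, and the redirect only happens after an approval or an explicit denial by an authenticated user.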