----- Original Message ----
> From: Michael D Adams <m...@automattic.com>
> I thought that page in your idea was being served from the
> Authorization Server (not the Resource Server). If that's true, the
> cookie would be on the wrong domain.
It might be a problem if the resource and authz servers are in different
domains, but in all discussions with Brian we used that "service provider" term
and I've assumed that the service provider acts like the authz server and
resource server, or at least the latter two are in the same domain.
I think it's a common scenario for web apps when authentication logic resides
on the same web server where protected resources are.
It's not the major point though. The hypothesis that I'm trying to prove is
that the access token doesn't need to be transferred in a URL.
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth