From what has been discussed in this thread (and other discussions before), I see the need for the following variants:
- code in URI (Web App.) - token in fragment (JS client app) - code in fragment (installed app) - code in URI + token in fragment (Web App. with JS Client?) Any comments? regards, Torsten. Am 10.08.2010 um 19:57 schrieb Torsten Lodderstedt <tors...@lodderstedt.net>: > Thank you for the explanation. > > I now understand that the fragment is used for efficiently passing token or > code on the client side. What I still don't understand is why a client would > need both at once (url 1)? Have you such applications in production? > > regards, > Torsten. > > > > Am 10.08.2010 um 19:23 schrieb Luke Shepard <lshep...@facebook.com>: > >> Here are the possible URLs: >> >> http://static.facebook.com/connect/xd_proxy.php#code=10alkji&access_token=lzipa3p >> http://static.facebook.com/connect/xd_proxy.php?code=10alkji#access_token=lzipa3p >> >> Those who already use this flow in production (including Google, Facebook, >> Twitter, and others) typically work like this: >> >> - Parent frame initiates the transaction by spawning a popup or an iframe >> - Response comes back to a static relay file (like the xd_proxy.php above) >> - The relay interprets the URL, parses out arguments, and hands them to the >> parent frame >> - Parent frame then does what it wants. this could be making an API call via >> JSONP, handing info to the server via Ajax, or something else. >> >> Because the relay file is static, it isn't going to interpret the code >> regardless, even if it is sent in the query parameter. So since the client >> will handle it anyway, the fragment is better for two reasons: >> >> 1/ Less code for the JS to just pull it out of the fragment >> 2/ More efficient, as the relay file can be cached on the client. If you >> include a code then you degrade performance because it busts the cache every >> time. >> >> >> On Aug 10, 2010, at 9:35 AM, Oleg Gryb wrote: >> >>> I was trying to understand that too (see "Is user agent profile secure" >>> thread). The answers that I've got were: >>> >>> 1. It's already coded this way. >>> 2. It's the most efficient way of doing that, because that relay.html page >>> is static and can be cached by a browser. >>> >>> None of the answers above looks very convincing to me, but that's where UA >>> is now. >>> >>> From: Torsten Lodderstedt <tors...@lodderstedt.net> >>> Can someone pls. explain why code and token should both be returned in the >>> fragment? >>> >>> regards, >>> Torsten. >>> >>> >>> _______________________________________________ >>> OAuth mailing list >>> OAuth@ietf.org >>> https://www.ietf.org/mailman/listinfo/oauth >> > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth