I would like to propose an OAuth 2 extension that helps native clients
close the loop after the approval page. The extension defines a
special value for the redirect URI for the case when the client does
not have such a URI and it also defines that the authorization server
should provide a default result page for this case and how to format
the result on this page.

If a native client does not have a redirect URI then the client can
specify the special value "oob" for that parameter.

redirect_uri=oob signals to the authorization server that it should
use a default result page to show the final result.

In this case the authorization server cannot redirect any kind of
messages back to the client, not even error responses.

The default result page should show the authorization code (code) and
instruct the user to copy it to the native application.

The default result page should also show both the authorization code
and the passed-through client state (state) in the page title; the two
parameters should be form-encoded and appear space-separated at the
end of the normal title.

Example page title:
<title>Success code=123456&state=qwerty</title>

Browsers will truncate the title at some browser and OS dependent
length. Ideally the whole title should be shorter than 100 characters.
The Authorization Server should use a short title prefix and it should
make the authorization codes as short as possible. Native clients
should try to pass very short state strings, and only if really needed.

If the user denies, or there are other errors, the default page should
similarly display the error code and also put the error message in the
title:
<title>Denied error=access_denied&state=qwerty</title>

References:
    * Section 6.3.3.2 of draft-hardt-oauth-wrap-01


If there is interest and rough consensus then I can create a formal
version of this extension.


Thanks,
Marius
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
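Added example, not part of Marius's proposal or any OAuth implementation: the server-side title builder and the client-side title parser for the "<prefix> <form-encoded params>" format described above, with the state check and the 100-character limit applied as defensive checks. The function names and the title strings are assumptions of this example.

```python
import urllib.parse
from typing import Optional

# Server side: format the result page title as "<prefix> <form-encoded params>".
def build_oob_title(prefix: str, **params: str) -> str:
    title = f"{prefix} {urllib.parse.urlencode(params)}"
    if len(title) >= 100:
        # Browsers truncate long titles; the client would then read back a
        # mangled code or state. Treat this as a server configuration bug.
        raise ValueError(f"title too long ({len(title)} chars)")
    return title

# Client side: parse the title a native client reads back from the browser
# window. Returns {"ok": True, "code": ...} or {"ok": False, "error": ...}.
def parse_oob_title(title: str, expected_state: Optional[str] = None) -> dict:
    # The form-encoded parameters are the last space-separated token.
    parts = title.strip().rsplit(" ", 1)
    if len(parts) != 2:
        raise ValueError("title has no form-encoded parameter section")
    prefix, encoded = parts
    params = dict(urllib.parse.parse_qsl(encoded, keep_blank_values=True))
    # Check state before trusting anything else: a mismatch means the title
    # was truncated or belongs to a different (or forged) request.
    if expected_state is not None and params.get("state") != expected_state:
        raise ValueError("state mismatch (truncated title or wrong window?)")
    if params.get("code"):
        return {"ok": True, "prefix": prefix, "code": params["code"],
                "state": params.get("state")}
    if "error" in params:
        return {"ok": False, "prefix": prefix, "error": params["error"],
                "state": params.get("state")}
    raise ValueError("title contains neither code nor error")

if __name__ == "__main__":
    # Constructed sample titles matching the examples in the proposal.
    t = build_oob_title("Success", code="123456", state="qwerty")
    print(t, parse_oob_title(t, expected_state="qwerty"))
    print(parse_oob_title("Denied error=access_denied&state=qwerty", "qwerty"))
```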