I would like to propose an OAuth 2 extension that helps native clients close the loop after the approval page. The extension defines a special value for the redirect URI for the case when the client does not have such a URI; it also defines that the authorization server should provide a default result page for this case, and how the result is formatted on that page.

If a native client does not have a redirect URI, the client can specify the special value "oob" for that parameter. redirect_uri=oob signals to the authorization server that it should use a default result page to show the final result. In this case the authorization server cannot redirect any kind of message back to the client, not even error responses.

The default result page should show the authorization code (code) and instruct the user to copy it into the native application.

The default result page should also show both the authorization code and the passed-through client state (state) in the page title. The two parameters should be form-encoded and appear, separated by a space, at the end of the normal title. Example page title:

<title>Success code=123456&state=qwerty</title>

Browsers will truncate the title at some browser- and OS-dependent length. Ideally the whole title should be shorter than 100 characters. The authorization server should use a short title prefix and make the authorization codes as short as possible. Native clients should pass very short state strings, and only if really needed.

If the user denies, or there are other errors, the default page should similarly display the error code and also put the error message in the title:

<title>Denied error=access_denied&state=qwerty</title>

References:

* Section 6.3.3.2 of draft-hardt-oauth-wrap-01

If there is interest and rough consensus then I can create a formal version of this extension.

Thanks,
Marius

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
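The title format described above, worked through on both sides as an added example that is not part of the proposal: the authorization server builds the form-encoded title (and refuses one that would exceed the suggested 100-character limit), and the native client parses the title it observes in the browser, treating a missing or mismatched state as a result it must not trust (for instance one clipped by title truncation). The function names and the MAX_TITLE_LEN constant are my own, not anything the draft defines.

```python
from urllib.parse import urlencode, parse_qsl

MAX_TITLE_LEN = 100  # soft limit from the proposal; browsers truncate long titles


def build_oob_title(prefix, params):
    """Authorization-server side: '<prefix> <form-encoded params>'."""
    title = f"{prefix} {urlencode(params)}"
    if len(title) > MAX_TITLE_LEN:
        # a truncated title would silently lose the state (or the code)
        raise ValueError(f"title too long ({len(title)} > {MAX_TITLE_LEN})")
    return title


def parse_oob_title(title, expected_state):
    """Native-client side: parse the browser window title.

    Returns None while the title is not a result page, a dict with
    ok=True and the code on success, ok=False and the error on denial.
    Raises ValueError when the state does not match what the client sent.
    """
    # the parameters sit after the last space of the normal title
    _prefix, sep, query = title.rpartition(" ")
    if not sep:
        return None
    params = dict(parse_qsl(query, keep_blank_values=True))
    if "code" not in params and "error" not in params:
        return None  # some other page, or the approval page itself
    # never accept a code or error without the state round-tripping intact
    if params.get("state", "") != expected_state:
        raise ValueError("state mismatch: result is not for this request")
    if "error" in params:
        return {"ok": False, "error": params["error"]}
    return {"ok": True, "code": params["code"]}


if __name__ == "__main__":
    # constructed sample values matching the examples in the proposal
    ok_title = build_oob_title("Success", {"code": "123456", "state": "qwerty"})
    print(ok_title, "->", parse_oob_title(ok_title, "qwerty"))
    err_title = build_oob_title("Denied", {"error": "access_denied", "state": "qwerty"})
    print(err_title, "->", parse_oob_title(err_title, "qwerty"))
```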