Dear oAuth2 team, I'm currently working on the way we will implement oAuth2 in our company. (Poken.com)
I've an interesting flow to work on: We delegate the account creation and account authentication mechanism to an external oAuth2 provider.

What it means: We have a mobile application, and you can choose the way you want to login.
- User and Password
- Facebook (Microsoft, Google, Twitter, and other oAuth2 providers later)

Based on the Facebook access_token or code, we return a poken access_token. We have a similar flow in our web application (which is on top of our API).

From a technical point: When we login using Facebook, we get the "code" or access_token (linked to our client_id access on Facebook). This part is the responsibility of the UI/mobile application. Facebook client_secret is not shared with Facebook.

The mobile application then calls our API. (Not implemented yet)

    https://api.poken.com/oauth2/authorize?
      grant_type=poken_extenal_oauth2&
      service=facebook.com&
      service_secret={facebook_access_token or code}&
      client_id={appid-phphub}&
      client_secret={apppass-phphub}&
      response_type=token

In our API we exchange the Facebook code for a Facebook access_token and get the facebook_account_id of the user on Facebook. If this facebook_account_id is linked to a poken account on our system, we return a poken access_token for this account. With this access_token, the client can use our API.

I call this flow "oAuth2 Chain Flow". I think it's a quite interesting flow, because it's more and more frequent to delegate the authentication to another website/service. (Even more when you are not part of the biggest sites.)

What do you think of this aspect of authentication? Did you already speak about this flow? Do we have some specifications for this flow?

Best regards,
Gabriel Klein (poken.com)

_______________________________________________
OAuth mailing list
https://www.ietf.org/mailman/listinfo/oauth
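The server side of the "chain flow" described in the message above, as an added example that is not part of the original post or of Poken's code. The provider is a stand-in object (FakeFacebook), the client and account tables are constructed in-memory data, and the app-id check on the exchanged identity is an assumed step: it rejects an external token that the provider issued to some other application, so a token obtained elsewhere cannot be replayed against this endpoint.

```python
import hmac
import secrets
from dataclasses import dataclass

# Constructed sample data; in a real deployment these live in a database.
REGISTERED_CLIENTS = {"appid-phphub": "apppass-phphub"}
# (service, external account id) -> poken account id
LINKED_ACCOUNTS = {("facebook.com", "fb-1001"): "poken-42"}
OUR_PROVIDER_APP_ID = "fb-app-777"  # hypothetical app id registered at the provider


@dataclass
class ExternalIdentity:
    app_id: str      # application the provider issued the token to
    account_id: str  # user id at the provider


class FakeFacebook:
    """Stand-in for the provider's code->token exchange plus token introspection."""
    def __init__(self):
        # Constructed codes: one issued to our app, one issued to a different app.
        self._codes = {"code-abc": ExternalIdentity(OUR_PROVIDER_APP_ID, "fb-1001"),
                       "code-xyz": ExternalIdentity("other-app", "fb-1001")}

    def exchange_code(self, code):
        return self._codes.get(code)  # None means the provider rejected the code


def chain_authorize(provider, service, service_secret, client_id, client_secret, tokens):
    """Return an OAuth2-style response dict; `tokens` maps issued tokens to accounts."""
    # 1. Authenticate the calling client (our own app) with a constant-time compare.
    expected = REGISTERED_CLIENTS.get(client_id)
    if expected is None or not hmac.compare_digest(expected, client_secret):
        return {"error": "invalid_client"}
    # 2. Exchange the external code/token at the provider.
    ident = provider.exchange_code(service_secret)
    if ident is None:
        return {"error": "invalid_grant"}
    # 3. Accept only identities the provider issued to our registered app.
    if ident.app_id != OUR_PROVIDER_APP_ID:
        return {"error": "invalid_grant"}
    # 4. Map to a local account; unlinked identities are rejected, not auto-created.
    account = LINKED_ACCOUNTS.get((service, ident.account_id))
    if account is None:
        return {"error": "account_not_linked"}
    # 5. Mint an opaque poken access_token bound to that account.
    token = secrets.token_urlsafe(32)
    tokens[token] = account
    return {"access_token": token, "token_type": "bearer"}
```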
