This kind of fully automated approach isn't solved yet. OAuth isn't
quite as simple as HTTP Basic and its kin, where the user agent can
collect everything it needs directly and just push it back to the
protected URL. In order for this to truly work, you need to have not
just a pointer to the issuer, but a full dynamic registration and
service discovery stack that the client knows about. For starters, the
Client needs to know the Authorization Endpoint and Token Endpoint for
the service, as well as which flows it supports. You'd probably want to
know what kinds of token are supported, too. The authorization server
needs to issue a Client ID and (probably) Client Secret to the Client to
allow it to request tokens at all. Defining those is out of scope for
the core specs, but there's some new work that's getting started around
Host Meta (for discovery) and a dynamic client registration spec that
will address some of the biggest parts of this.
-- Justin
On 05/15/2012 08:12 AM, Sergey Shishkin wrote:
While designing a hypermedia-driven API I'm evaluating possibilities
to use OAuth Bearer tokens for claims-based authorization. Currently I
struggle with how to communicate to the API client the way to obtain
the token. In a hypermedia-driven manner I don't want the API client
to get this information out of band, but rather let the client "just
follow the links".
The Bearer draft
[http://tools.ietf.org/html/draft-ietf-oauth-v2-bearer-19#section-3]
advises to send a 401 response with a WWW-Authenticate challenge
specifying optional realm and scope. The problem here: neither realm
nor scope identify the token issuer.
The OAuth 2.0 draft
[http://tools.ietf.org/html/draft-ietf-oauth-v2-26#section-4.1.1]
suggests to redirect the resource owner to the token issuer, IIRC. I
like this way from the hypermedia perspective, but still have mixed
feelings about missed 401 and WWW-Authenticate challenge.
Did I missed some part of draft covering my scenario? Are there any
known grassroots implementations doing just that on the internet? Any
opinion on the subject is very much appreciated.
Thanks in advance,
Sergey
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth