AuthorizationController different behavior between response_type=code and token on Rack::OAuth2 Sample Server (Bearer)


fuminori ido

Oct 3, 2011, 8:12:26 AM
to Rack::OAuth2
Dear,

Let me ask about the different behavior between the two response_types (code/
token) in the Rack::OAuth2 sample AuthorizationsController action.

I tried to access sample site: https://rack-oauth2-sample.heroku.com/
After registering a client and making an authorization request on the client
page
(https://rack-oauth2-sample.heroku.com/clients/##) by clicking the
link and pressing the approve button,

1. when response_type = :code, the redirected url is as follows:

http://CLIENT_PATH?code=....

2. when response_type = :token, the redirected url is as follows
( '#', not '?' on access_token):

http://CLIENT_PATH#access_token=... # actual result
http://CLIENT_PATH?access_token=... # my expectation

Is this expected behavior? Please let me know.

matake@gmail

Oct 3, 2011, 8:56:39 AM
to rack-...@googlegroups.com
Yes, it's the expected behavior.
When redirect response includes an access token, all response parameters are included in the redirect URI fragment.

See "Implicit Grant" section in core spec for more details.
http://tools.ietf.org/html/draft-ietf-oauth-v2-22#section-4.2
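The difference described in the answer above, shown as an added example (plain Ruby, not Rack::OAuth2's own code): the same helper builds both redirect URIs, and the two parsers show which parameters the client's web server ever sees. The client redirect URI, token values and `state` are constructed for illustration.

```ruby
require "uri"
require "cgi"

# Build the redirect URI an authorization endpoint sends the user-agent
# back to, for the two response types discussed in the thread.
# (Constructed example, not the Rack::OAuth2 sample server's code.)
def build_redirect_uri(client_redirect_uri, response_type, params)
  uri = URI.parse(client_redirect_uri)
  encoded = URI.encode_www_form(params)
  case response_type
  when :code
    # Authorization code grant (draft-22 sec. 4.1): parameters travel in
    # the query string, so they reach the server behind CLIENT_PATH.
    uri.query = [uri.query, encoded].compact.join("&")
  when :token
    # Implicit grant (draft-22 sec. 4.2): the access token travels in the
    # fragment, which the user-agent does not send to any server.
    uri.fragment = encoded
  else
    raise ArgumentError, "unsupported response_type: #{response_type}"
  end
  uri.to_s
end

# What the client's web server (and its access logs, proxies and
# Referer-receiving third parties) can see: the query string only.
def server_visible_params(redirect_uri)
  uri = URI.parse(redirect_uri)
  uri.query ? CGI.parse(uri.query).transform_values(&:first) : {}
end

# What only client-side script running in the user-agent can read.
def fragment_params(redirect_uri)
  uri = URI.parse(redirect_uri)
  uri.fragment ? CGI.parse(uri.fragment).transform_values(&:first) : {}
end
```

Keeping the bearer token out of the query string is what stops it from landing in server logs and Referer headers, which is why the sample server's `#access_token=...` result is the correct one.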

fuminori ido

Oct 5, 2011, 11:39:52 AM
to Rack::OAuth2
Thanks for your prompt reply. I understand that I need to learn
more...