can Oauth information flow from client to server then used by the server directly?
Hello My scenario is the following.
Client Application (on mobile phone) connects to Facebook via normal authentication process. User gives consent to the application to access profile, gets back authorization code for the user. With that code, plus application id and secret, the client gets an access token to access the information.
Can the authorization code be passed to a web service, which in turn does a call to Facebook to obtain an access token the same way?
I am not sure that is possible beca开发者_运维百科use reading documentation it looks like the access token API requires a redirect uri as a parameter. Here instead, there would be a web service call waiting to complete.
Hope this is not confusing... :)
thanks in advance
"I am not sure that is possible because reading documentation it looks like the access token API requires a redirect uri as a parameter."
The spec says
redirect_uri (of the access-token request):
REQUIRED, if the "redirect_uri" parameter was included in the authorization request ... their values MUST be identical.
technically, the client can pass the server the authorization-code and the "redirect-uri", so the server makes the call with the same redirect-uri as the client, and if you control both ends it might work. However, the tricky part is that the client must also send the server the client-id and the client-secret. And if that happens, it contradicts all the idea of oAuth2.
精彩评论