I want to know if it is permissible to pass a user's OAuth 2.0 access token between applications, and to use this method to log them in.
I have an iPhone application that uses the password grant to authenticate the user, and then uses the access token for future requests. The iPhone application is able to open our website in a tab, and I want the user to be logged in to our website when the tab opens.
Under the OAuth 2.0 spec, is it permissible to pass the token in a web request, and have the web server authenticate and log the user in for that request?
For example, the browser might open the following location (but using a header instead of the query string):
https://example.com/account?access_token=foo_bar
Alternatively, a dedicated endpoint for OAuth authentication and a redirect could be used.
So in effect, the question is in two parts: can an OAuth 2.0 token be shared between application contexts, and can the token be used to authenticate the user in that context?
In the OAuth 2.0 spec (RFC 6749), there are a couple of areas that may be relevant. A client can receive an access_token that is accepted by multiple resource_servers, and if a client is comprised of multiple components in different security contexts, it should register each one and use a different token:
Single token across multiple resource servers
A single authorization server may issue access tokens accepted by multiple resource servers.
Single client with multiple components
A client may be implemented as a distributed set of components, each with a different client type and security context (e.g., a distributed client with both a confidential server-based component and a public browser-based component). If the authorization server does not provide support for such clients or does not provide guidance with regard to their registration, the client SHOULD register each component as a separate client.
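As an added example (not code from the original question or answer), here is how the website's server could accept the token in an Authorization header, as the question proposes, and only treat the request as logged in when the token was issued for this resource server. The token store, audience names and token values are constructed for the example; a real deployment would consult the authorization server's own records.

```python
# Added example: a resource server that reads the access token from the
# Authorization header and checks it was issued for this server before
# logging the user in. TOKEN_STORE stands in for the authorization server's
# records; its entries are constructed for the example.
from dataclasses import dataclass
import time


@dataclass
class TokenRecord:
    user_id: str
    audiences: frozenset  # resource servers that accept this token
    expires_at: float


# Constructed token records (hypothetical values).
TOKEN_STORE = {
    "foo_bar": TokenRecord("alice", frozenset({"api.example.com", "example.com"}), time.time() + 3600),
    "api_only": TokenRecord("bob", frozenset({"api.example.com"}), time.time() + 3600),
    "stale": TokenRecord("carol", frozenset({"example.com"}), time.time() - 1),
}


def extract_bearer(headers):
    """Return the token from an 'Authorization: Bearer <token>' header, else None.
    Tokens in the query string are deliberately ignored (they end up in logs and
    browser history), matching the question's note to use a header instead."""
    value = headers.get("Authorization", "")
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return None
    return token.strip()


def authenticate(headers, this_server, store=TOKEN_STORE, now=None):
    """Resolve the request to a user id, or None when the token is missing,
    unknown, expired, or not issued for this resource server."""
    now = time.time() if now is None else now
    token = extract_bearer(headers)
    if token is None:
        return None
    record = store.get(token)
    if record is None or record.expires_at <= now:
        return None
    if this_server not in record.audiences:
        return None  # issued for another component/context: do not log in
    return record.user_id
```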