Closed shane-tomlinson closed 6 years ago
I am worried that from an OAuth server point of view the action param is way too generic.
I am worried that from an OAuth server point of view the action param is way too generic.
Can you expand?
@shane-tomlinson ah I see we already had in the codebase. It's ok then, I will just try to remember what action means and does more :P.
@shane-tomlinson ah I see we already had in the codebase. It's ok then, I will just try to remember what action means and does more :P.
I had a quick look at both the OpenID Connect and OAuth 2 spec and didn't find mention of an action query parameter anywhere, though section 3.1.2.1 of the OpenID Connect spec says that "Other parameters MAY be sent". IIRC we used action in the content server because the oauth server already made use of it.
I see that action is already part of our publicly defined API, though it's not mentioned in the MDN docs.
I had a quick look at both the OpenID Connect and OAuth 2 spec and didn't find mention of an action query parameter anywhere
Yep, I haven't seen any standard way of allowing the relier to choose the desired flow, so we have to go our own way here. It'd be nice if we got to a point where relier didn't have to care about this, and email-first is probably a step in that direction.
See https://github.com/mozilla/fxa-content-server/issues/6009
Changes should be limited to https://github.com/mozilla/fxa-oauth-server/blob/master/lib/routes/redirect.js.
If action=email, the action query parameter must be propagated to the content server.
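
One way to implement the propagation rule described in the issue, written as an added example and not taken from fxa-oauth-server's `redirect.js`. The content server URL, the function name, the allowlist constant, and the choice to drop other `action` values and reject a repeated `action` are assumptions for illustration; the issue itself only specifies the `action=email` case.

```javascript
// Added example, not code from fxa-oauth-server.
// CONTENT_URL is a constructed placeholder; PROPAGATED_ACTIONS holds the
// only value the issue names. Both names are hypothetical.
const CONTENT_URL = 'https://content.example.test/oauth/';
const PROPAGATED_ACTIONS = new Set(['email']);

function buildContentServerRedirect(requestQuery, contentUrl = CONTENT_URL) {
  const incoming = new URLSearchParams(requestQuery);
  const target = new URL(contentUrl);

  // Assumption: every other query parameter is forwarded unchanged.
  // Going through URLSearchParams re-encodes each value, so a value that
  // contains '&' or '=' cannot smuggle in an extra parameter.
  for (const [key, value] of incoming) {
    if (key !== 'action') {
      target.searchParams.append(key, value);
    }
  }

  // A repeated `action` is ambiguous: the two servers may disagree on
  // whether the first or the last occurrence wins, so refuse it.
  const actions = incoming.getAll('action');
  if (actions.length > 1) {
    throw new Error('action must be specified at most once');
  }

  // Propagate `action` as a query parameter only for allowlisted values.
  // What happens to other values is outside what the issue states; this
  // sketch drops them.
  if (actions.length === 1 && PROPAGATED_ACTIONS.has(actions[0])) {
    target.searchParams.set('action', actions[0]);
  }
  return target.toString();
}

// Constructed sample request query, for illustration only.
console.log(buildContentServerRedirect('client_id=abc&state=xyz&action=email'));
```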