Closed ajibarra closed 8 years ago
Nobody?
Hi @ajibarra, if you are using an authorisation code grant (The default I believe) then you shouldn't be taking the user to the credentials page again since you've already authorised them. Rather you should just use the access token that you've previously received.
Currently the plugin does not check if the client/user combination has already been approved, so it will always ask again. A PR to change that behaviour would of course be welcome :)
Yeah, I understand the flow with the access token. The only issue with that is the client is not aware of the user (or token) because the user is just logging in.
So now my question is: it is pretty easy to check the client/user combination. But the client is expecting an authorization code. If we detect the client/user combination has already been approved, what should we return? Should we generate a new authorization code and return it automatically, bypassing the approval screen?
The flow that I've experienced with other oauth servers is that if it has already been approved (and the scope has not changed), a new code is generated and the user is redirected to the redirectURI.
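As an added illustration of the flow dakota describes (this is not code from the plugin or the thread), here is a Python sketch of the authorize decision: when the client/user pair already has an approval whose scope covers the request, a fresh authorization code is issued and the user is redirected straight to the registered redirect_uri with the client's state echoed back; a new or widened scope falls back to the consent screen, and a redirect_uri that does not match the registration is refused without redirecting. The in-memory stores and the client registry are constructed assumptions standing in for the plugin's tables.

```python
from __future__ import annotations
import secrets
from urllib.parse import urlencode, urlsplit, urlunsplit, parse_qsl

# Constructed stand-ins for persistent storage (assumption, not the plugin's schema).
APPROVALS: dict[tuple[str, str], set[str]] = {}  # (client_id, user_id) -> approved scopes
CODES: dict[str, dict] = {}                       # auth code -> what it was issued for
CLIENTS = {"web-app": "https://app.example.test/callback"}  # client_id -> registered redirect_uri

def _issue_code(client_id: str, user_id: str, scope: set[str]) -> str:
    # Unguessable, single-use code bound to the client, user and granted scope.
    code = secrets.token_urlsafe(32)
    CODES[code] = {"client_id": client_id, "user_id": user_id, "scope": set(scope)}
    return code

def authorize(client_id: str, user_id: str, requested_scope: set[str],
              redirect_uri: str, state: str) -> tuple[str, object]:
    """Decide what the /authorize endpoint should do for an already logged-in user.

    Returns ("redirect", url) when a prior approval covers the request,
    ("consent", [scopes still needing approval]) otherwise, and
    ("error", message) when the redirect target is not the registered one.
    """
    # Never redirect to an unregistered URI; that is what makes an auto-issued code safe.
    if CLIENTS.get(client_id) != redirect_uri:
        return ("error", "redirect_uri does not match the registered client")
    approved = APPROVALS.get((client_id, user_id), set())
    if approved and requested_scope <= approved:
        code = _issue_code(client_id, user_id, requested_scope)
        parts = urlsplit(redirect_uri)
        query = dict(parse_qsl(parts.query))
        query.update({"code": code, "state": state})  # state goes back untouched (CSRF binding)
        return ("redirect", urlunsplit(parts._replace(query=urlencode(query))))
    # Scope grew (or nothing approved yet): ask the user, listing only what is new.
    return ("consent", sorted(requested_scope - approved))

def record_approval(client_id: str, user_id: str, scope: set[str]) -> None:
    # Called after the user accepts the consent screen; widens the stored grant.
    APPROVALS.setdefault((client_id, user_id), set()).update(scope)
```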
Ok I will take a look then and make a PR. Thanks @dakota
Hi,
I am implementing an OAuth server using the plugin, but I am not sure how to avoid asking for perms each time the user logs in.
I am not sure if this is a client issue or a server issue but I want to simulate the following workflow:
Now:
The thing is that from the server perspective the client is asking for an auth code, so I don't know whether we should detect the client/owner and redirect automatically without asking, or, on the other hand, the client should not ask for an auth code; but the thing is the client does not know anything about the owner/user, because you are not logged in, you are just clicking "Log in with my own server".
Please let me know if you need me to clarify something.
Thanks