1.2. Protocol Flow - figure 1 is misleading

Open tlodderstedt opened this issue 4 years ago • 2 comments

In a discussion with OAuth implementers the following issue was raised:

The first messages of the flow show that the client obtains the grant from the resource owner and passes it to the AS. That might work for the RO password grant, but it does not work that way for code and other grant types. The text on step 1 resolves this issue by stating:

The client requests authorization from the resource owner. The authorization request can be made directly to the resource owner (as shown), or preferably indirectly via the authorization server as an intermediary.

I would say with OAuth 2.1 the authorization is always captured by the AS. I suggest modifying the figure and description accordingly.

tlodderstedt avatar Mar 04 '21 11:03 tlodderstedt
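The point raised above, as an added example that is not part of the issue thread or of the oauth-v2-1 draft: a toy, in-process model of the authorization code flow with PKCE in which the grant (the code) is issued by the authorization server after the resource owner authenticates and consents there. The client only ever sends a challenge and receives a code; the resource owner's credentials never pass through it. All endpoint URLs, the client id, the redirect URI and the test user are constructed for the example.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AS_AUTHORIZE = "https://as.example/authorize"  # constructed endpoint URLs
AS_TOKEN = "https://as.example/token"


def s256(verifier: str) -> str:
    """PKCE S256 code_challenge: BASE64URL(SHA256(verifier)) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


class AuthorizationServer:
    def __init__(self, clients: dict, users: dict):
        self.clients = clients   # client_id -> registered redirect_uri
        self.users = users       # username -> password (constructed test users)
        self.pending = {}        # code -> data needed to validate the /token request

    def authorize(self, query: dict, ro_username: str, ro_password: str, approved: bool) -> str:
        """Front channel: the RO authenticates here, at the AS, and decides whether to grant.
        Returns the redirect URL that carries the code (or an error) back to the client."""
        client_id, redirect_uri = query["client_id"], query["redirect_uri"]
        if self.clients.get(client_id) != redirect_uri:
            raise ValueError("unknown client or redirect_uri mismatch")
        if self.users.get(ro_username) != ro_password or not approved:
            return redirect_uri + "?" + urlencode({"error": "access_denied", "state": query["state"]})
        code = secrets.token_urlsafe(32)
        self.pending[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                              "code_challenge": query["code_challenge"], "sub": ro_username}
        return redirect_uri + "?" + urlencode({"code": code, "state": query["state"]})

    def token(self, form: dict) -> dict:
        """Back channel: exchange the code for an access token. The code is single-use and
        bound to the client, the redirect_uri and the PKCE verifier."""
        if form.get("grant_type") != "authorization_code":
            return {"error": "unsupported_grant_type"}
        rec = self.pending.pop(form.get("code"), None)  # pop: a replayed code fails
        if (rec is None or rec["client_id"] != form.get("client_id")
                or rec["redirect_uri"] != form.get("redirect_uri")
                or s256(form.get("code_verifier", "")) != rec["code_challenge"]):
            return {"error": "invalid_grant"}
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer", "sub": rec["sub"]}


class Client:
    def __init__(self, client_id: str, redirect_uri: str):
        self.client_id, self.redirect_uri = client_id, redirect_uri
        self.verifier = self.state = None

    def authorization_request(self) -> str:
        """Step 1: redirect the RO to the AS; the client sends only a challenge and state."""
        self.verifier = secrets.token_urlsafe(48)
        self.state = secrets.token_urlsafe(16)
        return AS_AUTHORIZE + "?" + urlencode({
            "response_type": "code", "client_id": self.client_id,
            "redirect_uri": self.redirect_uri, "state": self.state,
            "code_challenge": s256(self.verifier), "code_challenge_method": "S256"})

    def token_request(self, redirect_url: str) -> dict:
        """Step 3: parse the redirect, check state, and build the /token form."""
        q = {k: v[0] for k, v in parse_qs(urlparse(redirect_url).query).items()}
        if q.get("state") != self.state:
            raise ValueError("state mismatch (possible CSRF)")
        if "error" in q:
            return {"error": q["error"]}
        return {"grant_type": "authorization_code", "code": q["code"],
                "redirect_uri": self.redirect_uri, "client_id": self.client_id,
                "code_verifier": self.verifier}


def run_flow(approved=True, tamper_verifier=False, replay=False) -> dict:
    """Drive one full flow between constructed parties and return the /token response."""
    client = Client("app-123", "https://app.example/cb")
    auth = AuthorizationServer({"app-123": "https://app.example/cb"}, {"alice": "correct-horse"})
    url = client.authorization_request()
    query = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
    # The RO's password goes to the AS only; the Client object never receives it.
    redirect = auth.authorize(query, "alice", "correct-horse", approved)
    form = client.token_request(redirect)
    if "error" in form:
        return form
    if tamper_verifier:
        form["code_verifier"] = "wrong"
    response = auth.token(form)
    return auth.token(form) if replay else response


if __name__ == "__main__":
    print(run_flow())
```

Note that `authorize` takes the resource owner's credentials as direct arguments only because the example collapses the browser and the AS login page into one call; the client code path (`Client`) has no access to them, which is the property the figure is being asked to reflect.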

I think the diagram is correct in the steps as an abstract flow -- the descriptions of each step are confusing. I'm confused by what "preferably indirectly via the authorization server as an intermediary" is supposed to mean.

dickhardt avatar Mar 15 '21 23:03 dickhardt

Related: #26

aaronpk avatar Jun 29 '22 00:06 aaronpk