Option to put access_token into uri instead of header

Open pascalfribi opened this issue 7 years ago • 5 comments

  • Changed minimal target to 10.10
  • Updated Xcode setting to recommended warnings
  • Added option to put access_token into uri instead of header. This is needed for some websites. This can be configured by putting request_access_token_placement into the settings JSON with value of "header" (default) or "uri", or by setting oauth2.clientConfig.requestAccessTokenPlacement to header or uri.

pascalfribi avatar Nov 03 '18 15:11 pascalfribi

Are you planning to merge the pull requests sometime? Or have you stopped supporting this framework?

pascalfribi avatar Dec 17 '18 07:12 pascalfribi

I'm unable to support this framework at this time. And for this PR, this shouldn't be an option since it's non-standard behavior, this should be a subclass, like all the other special-behaviors.

p2 avatar Dec 21 '18 05:12 p2

Hi Pascal,

Good to know. I will keep my private repo then. Maybe you should add an indication in the Readme that you do not support the framework anymore (which is a pity).

Concerning my pull request: this is not at all non-standard behaviour. Look at https://tools.ietf.org/html/rfc6750#section-2. There you will see three possible methods for where the token can be put. And I just implemented one of these possibilities so that the code can be used with other sites as well. But it is your code and your decision!

I wish you a happy Christmas!

Regards

Pascal

On 21 Dec 2018, at 06:54, Pascal Pfiffner [email protected] wrote:

I'm unable to support this framework at this time. And for this PR, this shouldn't be an option since it's non-standard behavior, this should be a subclass, like all the other special-behaviors.

pascalfribi avatar Dec 21 '18 07:12 pascalfribi

Yeah I should indicate that; still hoping a friend can take over.

To clarify, it’s a non-suggested flow since it’s not secure. I want to make it hard to use the library in non-secure ways, an option is too easy. :)

p2 avatar Dec 23 '18 16:12 p2

Well, as a client you do not really have a choice if the backend does not allow anything else. But it is your decision.

pascalfribi avatar Dec 23 '18 18:12 pascalfribi
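
The two placements debated in this thread, as an added example that is not part of the pull request or of the OAuth2 framework's code: the RFC 6750 section 2.1 header form and the section 2.3 URI query form built with Foundation, plus a redaction helper, because with URI placement the token becomes part of the URL and RFC 6750 itself warns that such URLs are likely to be logged. `TokenPlacement`, `authorize`, `redactedForLog`, the URL and the token value are assumptions made up for the example.

```swift
import Foundation
#if canImport(FoundationNetworking)
import FoundationNetworking  // URLRequest lives here on Linux
#endif

// Hypothetical type for this example; not the OAuth2 framework's API.
enum TokenPlacement { case header, uri }

/// Attach a bearer token per RFC 6750 section 2.1 (header) or 2.3 (URI query).
func authorize(_ url: URL, token: String, placement: TokenPlacement) -> URLRequest {
    switch placement {
    case .header:
        var request = URLRequest(url: url)
        request.setValue("Bearer \(token)", forHTTPHeaderField: "Authorization")
        return request
    case .uri:
        var parts = URLComponents(url: url, resolvingAgainstBaseURL: false)!
        parts.queryItems = (parts.queryItems ?? [])
            + [URLQueryItem(name: "access_token", value: token)]
        var request = URLRequest(url: parts.url!)
        // RFC 6750 section 2.3: clients using the query method SHOULD send no-store.
        request.setValue("no-store", forHTTPHeaderField: "Cache-Control")
        return request
    }
}

/// Mask the access_token query value before a URL is written to a log.
func redactedForLog(_ url: URL) -> String {
    guard var parts = URLComponents(url: url, resolvingAgainstBaseURL: false) else {
        return "<unparseable URL>"
    }
    parts.queryItems = parts.queryItems?.map {
        $0.name == "access_token" ? URLQueryItem(name: $0.name, value: "REDACTED") : $0
    }
    return parts.string ?? "<unparseable URL>"
}

let resource = URL(string: "https://api.example.com/v1/items?page=2")!  // constructed
let token = "constructed-sample-token"                                   // constructed

let viaHeader = authorize(resource, token: token, placement: .header)
let viaURI = authorize(resource, token: token, placement: .uri)

// Header placement: the URL is unchanged, the token travels only in Authorization.
print(viaHeader.url!.absoluteString, viaHeader.value(forHTTPHeaderField: "Authorization") ?? "")
// URI placement: the token is now part of the URL itself.
print(viaURI.url!.absoluteString)
// What a log line should contain instead of the raw URL.
print(redactedForLog(viaURI.url!))
```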