On Mon, Jan 22, 2018 at 2:48 AM, Stian Thorgersen <sthorger(a)redhat.com> wrote:
> I missed the part about code grant flow being used regardless. Of course the spec doesn't even mandate the user-agent is a web browser, just says it typically is.
> I think acr/display (or some other query parameter) vs a different flow boils down to usability. Basically, is it simpler to have one "dynamic" flow or is it simpler to just have separate flows. I think in most cases you're right and it will probably be cleaner and simpler to simply have different flows.
> Did you think about including this new flow OOTB? Is it OSIN specific or is it a generic non-web version of the regular web based flow?
I want to reorganize auth flows a bit so that we can categorize them and provide a plugin mechanism so the admin console can dynamically show which flows can be configured (browser, direct grant, ecp, etc.). There's a lot to be done here, but probably just putting in enough at the moment to get the OSIN replacement going.
> Another thing: is the user-agent always controlled by the client? Or could a single client have different user-agents?
They don't really have that concept. There's a client config variable
"respondWithChallenges". When set, server responds with 401
challenges.
--
Bill Burke
Red Hat