[aerogear-dev] I need your help)
Corinne Krych
corinnekrych at gmail.com
Tue Mar 17 12:18:45 EDT 2015
I guess you meant: "why do we need authorisation code and not go for access
token right from start?"
What you're asking for is what is the difference between implicit grant and
authorization grant.
See authorization code grant flow:
http://tools.ietf.org/html/rfc6749#section-4.1
See implicit grant:
http://tools.ietf.org/html/rfc6749#section-4.2
On natives app we work with authorization code grant because: natives app
are capable of keeping a secret from end-user which is not the case for
web-browser app ;)
- no trolling -
As you can see in the spec diagram the authorization code is provided by a
user-agent (through external browser or webview), the code is temporary (10
min for facebook for ex.). whereas the access token comes from authz server
directly. Tokens live longer (1 or 2 hours life time) and even more for
refresh token (sometime with or without expiration).
As you pointed it: there are differences in implementation depending on
providers. For ex, Facebook does not have refresh token but have the concep
of short-lived long-lived token.
++
Corinne
PS: Always reply to mail-list so that others can follow the discussion.
Your questions are interesting and may help others dev :)
On 17 March 2015 at 16:35, Денис Карпенко <banddk1 at gmail.com> wrote:
> Oh yes, I've forgotten about public, thank you )
> OK, I hope my code will start to work soon )
> I asked question in mailing list but nobody answered me (
> Why do we get access code ? I can change response type on token, and vk
> sends token to application. Facebook doesn't send token without code,
> doesn't it?
>
> Denis.
>
> 2015-03-17 18:07 GMT+03:00 Corinne Krych <corinnekrych at gmail.com>:
>
>> The reason is because extractCode:completionHandler: defined in
>> OAuth2Module is not public.
>> So far this method didn't need any override from current provider so it
>> was internal.
>>
>> Make it public and you'll be able to override it. Once you've got some
>> working code we can discuss API.
>>
>> ++
>> Corinne
>>
>> On 17 March 2015 at 15:58, Денис Карпенко <banddk1 at gmail.com> wrote:
>>
>>> 6.1.1
>>>
>>> 2015-03-17 16:37 GMT+03:00 Corinne Krych <corinnekrych at gmail.com>:
>>>
>>>> Which xcode are you on?
>>>> 6.1.1? 6.2 or latest 6.3beta?
>>>>
>>>> ++
>>>> Corinne
>>>> > On 17 Mar 2015, at 14:10, Денис Карпенко <banddk1 at gmail.com> wrote:
>>>> >
>>>> > Hello!
>>>> > Look at the screenshoot please ) Why doesn't Xcode see methods of
>>>> OAuth2Module class ? I'm sure that OAuth2Module class has these methods)
>>>> > I suppose, it is associated with Pods.
>>>> > <2015-03-17 04.00.09 pm.jpg>
>>>> >
>>>> > Denis.
>>>>
>>>>
>>>
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/aerogear-dev/attachments/20150317/5c9ebece/attachment.html
More information about the aerogear-dev
mailing list