|
Seo Master present to you:
 By Justin Smith, Senior Product Manager UPDATE 11/14: After considering the feedback and timing, we have decided to delay the launch of the changes described in this post. The new date for these changes is December 7th, 2011. Once again, we expect these changes to have minimal impact. If you have any questions or comments, please post on the OAuth 2.0 Group. We will be actively monitoring that group and will work to respond quickly. Original post: In the coming weeks we will be making three changes to the experimental OAuth 2.0 endpoint. We expect the impact to be minimal, and we’re emailing developers who are most likely to be affected. We will be releasing these changes on December 7, 2011. This post describes the changes, their impact, and how they can be mitigated. Change #1: Error responses for client-side web applications The first change relates to the way errors are returned in OAuth 2.0 client-side web applications. It does not impact server-side, native, or device flows. The current behavior of the OAuth 2.0 endpoint in certain error conditions is to return the error to the application as a query string parameter, for example: https://www.example.com/back?error=access_denied.The OAuth 2.0 specification indicates that the error should be returned in the fragment of the response. We are updating our OAuth 2.0 implementation to support the most recent draft of the specification. As a result, we will be changing the way we return errors to applications in the client-side flow. As an example, today an error returns to your application as https://www.example.com/back?error=access_denied. After this change, it will be returned as https://www.example.com/back#error=access_denied. There is no mitigation for this change, so your application will have to handle these types of errors in client-side script. Change #2: Offline access as a separate parameter The second change impacts the OAuth 2.0 server-side flow only. It does not impact client-side, native, or device flows. For context, this flow consists of the following steps:
The client-side flow, in contrast, requires the user to be present when obtaining an access token. This type of access is called online. With this change, we will be exposing online and offline access as a separate parameter that’s available only in the server-side flow. When your application requests offline access, the consent page shown to a user will reflect that your application requests offline access and your application will receive an access and a refresh token. Once your application has a refresh token, it may obtain a new access token at any time. When your application requests online access, your application will only receive an access token. No refresh token will be returned. This means that a user must be present in order for your application to obtain a new access token. If unspecified in the request, online is the default. A mitigation for this change is described at the end of this post. Change #3: Server-side auto-approval This change also impacts the OAuth 2.0 server-side flow only. In the current implementation of OAuth2, every time your application redirects a user to Google, that user must give explicit consent before an authorization code is given to your application. As a result, sending a user through the flow another time requires them to see the consent screen again. Most applications don’t do this, but rather use the existing server-side flow as it was intended: a one-time association (import contacts, calendar operations, etc.) where the result is a refresh token which may be used to obtain new access tokens. The behavior is changing to the following:
The next section describes how to mitigate this change. Mitigation of offline access (#2) and auto-approval (#3) changes If you want to keep the existing behavior in your server-side applications, include the approval_prompt=force and access_type=offline parameters in an authorization code request.For example, if the following is a target URL for obtaining an authorization code today: https://accounts.google.com/o/oauth2/auth?You can maintain the current behavior by changing the target URL to: https://accounts.google.com/o/oauth2/auth?You may start including these parameters in authorization code requests today. Questions? If you have any questions or comments, please post on the OAuth 2.0 Group (https://groups.google.com/forum/#!forum/OAuth 2.0-dev). We will be actively monitoring that group and will work to respond quickly. Justin Smith is a Product Manager who works on authentication and authorization technologies at Google. He enjoys woodworking, cycling, country music, and the company of his wife (not necessarily in that order). Posted by Scott Knaster, Editor 2013, By: Seo Master |
Labels: oauth
