Implicit Grant Approval

[krishy]

I have some doubts about the implicit grant implementation.

The current implementation does not seem to provide a 'user approval page' hook for the implicit grant flow. So how can one ask the resource owner if he/she authorizes the access? The specification in the section on implicit grant states:

(B) The authorization server authenticates the resource owner (via the user-agent) and establishes whether the resource owner grants or denies the client's access request.

Krishna

[Dave Syer]

It's up to the application to send whatever information is needed for the auth server to establish the approval. We haven't provided anything out of the box because the spec doesn't say how it should be done, just that it should be done, which is obvious. For instance the auth server could accept additional form parameters in the /authorize request (e.g. implemented as a filter or interceptor on the endpoint). If you have suggestions for obvious ways to do it, please make a proposal, and/or implement it and contribute something. It would be good to have some debate about it here, for instance, before we decide what the project actually needs here.