In reading this over, I noticed a subtle difference from the Facebook and
Google implementations, and I'm wondering if this was intentional or not.
Section 3.1 says "The authorization server prompts the end-user to
authorize the client's request by entering the end-user code provided by
the client." The introduction has even more explicitly different wording:
"(D) ... If the end-user agrees to the client's access request, the
end-user enters the end-user code provided by the client."
However, this is different from Facebook and Google's implementations, which
work as follows:
- Device shows the verification URI and code to the user
- The user visits the URL and is prompted to sign in to the service
  (Google has the extra step of then choosing which YouTube account to use)
- The user is then prompted to enter the device code
- After entering the device code, the authorization prompt is displayed
In reading this draft, the implication is that the act of entering the code
also is the authorization. The problem is that the server won't know things
like the scope or application name until after the code is entered, so it
can't properly show an authorization prompt.
I think this needs to be reworded to separate entering the code from
showing the authorization prompt. I believe it is only a wording change.
Maybe something more like:
3.1 "The authorization server prompts the end-user to enter the end-user
code provided by the client, after which it prompts the end-user to
authorize the client's request."
and in the introduction:
1. (D) "The authorization server authenticates the end-user (via the
user-agent) and prompts the end-user to enter the end-user code provided by
the client. The authorization server validates the end-user code and
prompts the end-user to grant the client's access request."
WeChat ID
aaronpk_tv
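The ordering the message describes, as an added illustration (not code from the draft, from Facebook or Google, or from the message's author): a minimal mock of the authorization server side of the device flow. The server cannot render a consent prompt that names the client and its requested scope until the end-user has typed the user code, because the code is the only key it has to the pending request. Client names, scopes, the verification URI and the in-memory store are all constructed sample values.

```python
import secrets
import time

# In-memory store of pending device authorizations, keyed by device_code.
# (Constructed for this example; a real server would persist this.)
PENDING = {}
# Registered clients (constructed sample data).
CLIENTS = {"tv-app-1": {"name": "Example TV App"}}
# Consonant-only alphabet so random user codes never spell a word.
USER_CODE_ALPHABET = "BCDFGHJKLMNPQRSTVWXZ"
CODE_LIFETIME_SECONDS = 600


def device_authorization(client_id, scope):
    """Steps (A)/(B): the device asks for a device code and a user code.
    Only now does the server learn which client wants which scope."""
    if client_id not in CLIENTS:
        raise ValueError("unknown client_id")
    device_code = secrets.token_urlsafe(32)
    user_code = "".join(secrets.choice(USER_CODE_ALPHABET) for _ in range(8))
    PENDING[device_code] = {
        "client_id": client_id, "scope": scope, "user_code": user_code,
        "status": "pending", "user": None,
        "expires_at": time.time() + CODE_LIFETIME_SECONDS,
    }
    return {"device_code": device_code, "user_code": user_code,
            "verification_uri": "https://auth.example/device"}  # constructed


def _lookup(user_code):
    """Find the pending request for a typed user code (case/hyphen tolerant)."""
    code = user_code.upper().replace("-", "").replace(" ", "")
    for device_code, rec in PENDING.items():
        if rec["user_code"] == code and rec["expires_at"] > time.time():
            return device_code, rec
    return None, None


def consent_prompt(user_code):
    """Step (D), first half: after sign-in the user enters the code. Returns
    what the consent page can now show (client name, scope), or None if the
    code is unknown, expired, or already decided."""
    _, rec = _lookup(user_code)
    if rec is None or rec["status"] != "pending":
        return None
    return {"client_name": CLIENTS[rec["client_id"]]["name"],
            "scope": rec["scope"]}


def decide(user_code, authenticated_user, approved):
    """Step (D), second half: the user grants or denies the request that the
    consent prompt displayed. Entering the code alone grants nothing."""
    _, rec = _lookup(user_code)
    if rec is None or rec["status"] != "pending":
        return False
    rec["status"] = "approved" if approved else "denied"
    rec["user"] = authenticated_user
    return True


def token_poll(device_code):
    """Step (E): the device polls the token endpoint with its device code.
    A device code is consumed on the first terminal response."""
    rec = PENDING.get(device_code)
    if rec is None:
        return {"error": "invalid_grant"}
    if rec["expires_at"] <= time.time():
        del PENDING[device_code]
        return {"error": "expired_token"}
    if rec["status"] == "pending":
        return {"error": "authorization_pending"}
    del PENDING[device_code]
    if rec["status"] == "denied":
        return {"error": "access_denied"}
    return {"access_token": secrets.token_urlsafe(32), "token_type": "bearer",
            "scope": rec["scope"], "user": rec["user"]}


if __name__ == "__main__":
    resp = device_authorization("tv-app-1", "profile")
    print("device shows:", resp["verification_uri"], resp["user_code"])
    print("poll before consent:", token_poll(resp["device_code"]))
    print("consent page can show:", consent_prompt(resp["user_code"]))
    decide(resp["user_code"], "alice", approved=True)
    print("poll after consent:", token_poll(resp["device_code"]))
```

The split between `consent_prompt` and `decide` is the point of the suggested rewording: the code entry is a lookup step that lets the server show the end-user which client is asking and for what, and the grant is a separate, explicit decision taken against that information.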