Replies: 2 comments
The Authorization Code flow is initiated from the consumption device through the GET /authorize request. However, the exchange of the authorization code for an access token (POST /token request) typically occurs on the application backend, after the flow is redirected to the API consumer’s callback endpoint.
So far, CAMARA has not defined any use case that requires the use of the
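The split described in the reply above, as an added sketch that is not part of the original discussion or CAMARA's own code: the device sends the front-channel GET /authorize, the provider binds the code to the identity it resolves from the connection, and the backend performs the POST /token exchange. The host names, client credentials, the `NETWORK_SESSIONS` lookup table and the `subscriber` field in the token response are all constructed assumptions, and a shared client secret stands in for whatever client authentication the provider requires.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed data: hypothetical stand-in for the operator's network-based
# authentication (which subscriber holds which public IP/port binding).
NETWORK_SESSIONS = {("203.0.113.10", 40001): "+34600000001"}
CLIENTS = {"demo-client": {"secret": "demo-secret",
                           "redirect_uri": "https://app.example/callback"}}
CODES = {}  # authorization code -> (client_id, subscriber)

def device_build_authorize_url(client_id, redirect_uri, state, login_hint=None):
    """Consumption device: builds the front-channel GET /authorize request."""
    q = {"response_type": "code", "client_id": client_id,
         "redirect_uri": redirect_uri, "scope": "openid", "state": state}
    if login_hint:
        q["login_hint"] = login_hint
    return "https://operator.example/authorize?" + urlencode(q)

def provider_authorize(src_ip, src_port, url):
    """API provider: identifies the subscriber from the connection itself."""
    q = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
    client = CLIENTS.get(q.get("client_id"))
    if client is None or q.get("redirect_uri") != client["redirect_uri"]:
        raise PermissionError("unknown client or redirect_uri mismatch")
    subscriber = NETWORK_SESSIONS.get((src_ip, src_port))
    if subscriber is None:
        raise PermissionError("no authenticated network session for this source")
    code = secrets.token_urlsafe(16)
    CODES[code] = (q["client_id"], subscriber)  # login_hint, if sent, is ignored
    return client["redirect_uri"] + "?" + urlencode({"code": code, "state": q["state"]})

def backend_callback(callback_url, expected_state):
    """Application backend: checks state, then builds the POST /token form."""
    q = {k: v[0] for k, v in parse_qs(urlparse(callback_url).query).items()}
    if not secrets.compare_digest(q.get("state", ""), expected_state):
        raise PermissionError("state mismatch")
    return {"grant_type": "authorization_code", "code": q["code"],
            "redirect_uri": CLIENTS["demo-client"]["redirect_uri"]}

def provider_token(client_id, client_secret, form):
    """API provider: one-time code exchange, authenticated as the client."""
    client = CLIENTS.get(client_id)
    if client is None or not secrets.compare_digest(client["secret"], client_secret):
        raise PermissionError("client authentication failed")
    issued_to, subscriber = CODES.pop(form["code"], (None, None))
    if issued_to != client_id or form.get("redirect_uri") != client["redirect_uri"]:
        raise PermissionError("invalid or replayed code")
    # "subscriber" is exposed only to make the network-derived binding visible
    return {"access_token": secrets.token_urlsafe(24), "token_type": "Bearer",
            "subscriber": subscriber}
```
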
Dear Jesus,
So the "GET /authorize" message is sent to an API Provider/Operator directly from the Consumption Device, in a packet whose source IP address is the Consumption Device and whose destination IP address is the API Provider/Operator?
SK Telecom 이동기 ("Donnie Dongkie Lee") / +82-10-3758-4359
From: Jesús Peña García-Oliva ***@***.***>
Sent: Monday, November 10, 2025 9:22 PM
To: camaraproject/IdentityAndConsentManagement ***@***.***>
Cc: 이동기 (DONNIE)/Core Development Team ***@***.***>; Author ***@***.***>
Subject: Re: [camaraproject/IdentityAndConsentManagement] Who is the Frontend authentication "GET /authorize" message sender to API Provider/Operator (Discussion #328)
Is the "GET /authorize" message sender Consumption Device or app server? Does an API Provider/Operator receive it directly from Consumption Device?
The Authorization Code flow is initiated from the consumption device through the GET /authorize request. However, the exchange of the authorization code for an access token (POST /token request) typically occurs on the application backend, after the flow is redirected to the API consumer’s callback endpoint.
You will find further details and a flow diagram here<https://github.com/camaraproject/IdentityAndConsentManagement/blob/main/documentation/CAMARA-API-access-and-user-consent.md#authorization-flows--grant-types>.
I also wonder whether the login hint always has ipport (both IP and port number) info in the GET /authorize sent by a Consumption Device.
So far, CAMARA has not defined any use case<https://github.com/camaraproject/IdentityAndConsentManagement/blob/main/documentation/CAMARA-Security-Interoperability.md#optional-parameters> that requires the use of the login_hint parameter for Authorization code flow. CAMARA ICM explicitly requires API Providers to use network-based authentication for the Authorization Code Flow<https://github.com/camaraproject/IdentityAndConsentManagement/blob/main/documentation/CAMARA-Security-Interoperability.md#oidc-authorization-code-flow>. Access tokens are issued based on the network-authenticated identifier. If the login_hint parameter is included, it may be ignored by the API provider.
Based on the IdentityAndConsentManagement document and figure, the Frontend authentication "GET /authorize" message is sent from the Application on the Consumption Device to an API Provider/Operator. Is the "GET /authorize" message sender the Consumption Device or the app server? Does an API Provider/Operator receive it directly from the Consumption Device?
I also wonder whether the login hint always has ipport (both IP and port number) info in the GET /authorize sent by a Consumption Device.