On Wed, Apr 14, 2010 at 4:24 PM, Luke Shepard <lshep...@facebook.com> wrote: >> Assuming simplification is the main driver, I think it is feasible to >> combine Web Callback and Native Application, with no penalty. > > How would that work? The Web Callback flow assumes the presence of a > client_secret, while the Native Application does not have a secret.
The client_secret would have to be optional then. This may be needed anyhow to support an "unregistered" Web Callback flow. Also, the callback URL may need to be optional, because some native apps cannot receive a callback. The Authz Server will have to show a page with the verification code in this case. Marius _______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth