On Mon, Jun 14, 2010 at 8:23 AM, Andrew Arnott <andrewarn...@gmail.com> wrote:
> And apparently now the user-agent flow can receive a
> verification code as well as an access token? It's unclear what that's for
> or how that's used.

Here's the thread where Brian Ellin proposed the verification code on the user-agent flow.

http://www.ietf.org/mail-archive/web/oauth/current/msg02657.html

Summary of why it's a good idea:

- makes it easier to recover from compromise of refresh tokens
- makes refresh token compromise less likely, because it is never passed via the browser
- clear upgrade path from embeddable widgets to server-side integrations

Cheers,
Brian

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth