On Mon, Aug 2, 2010 at 10:21 PM, Oleg Gryb <oleg_g...@yahoo.com> wrote:
> Returning to our discussion about the necessity of passing access_token in the URL's
> fragment, I've read both your proposal for changing v.9 and the current
> v.10, but still don't understand why we need access_token in a fragment.

Question: why are you implementing the user-agent flow?

> I think a safer solution would be to return an access token in a response
> form, not in the Location header. This way, we'll avoid the problems with user
> agents that David Stanek described and prevent browsers from storing tokens
> in the browser's history.

This is nuts. It would completely break all of the use cases the user-agent
flow was designed to address.

For example, let's say you want to allow third-party site thirdparty.com to
embed some javascript from serviceprovider.com. The javascript should be able
to:

- redirect the user to serviceprovider.com, where serviceprovider.com can get
  user consent to share data if necessary.
- receive an access token back from serviceprovider.com.
- use the access token from thirdparty.com to fetch data from serviceprovider.com.
- do all of the above without server-side code at thirdparty.com.
- do all of the above with as few client <-> server round trips as possible.

The user-agent profile allows that. If that's not your use case, then you
probably shouldn't be using the user-agent profile at all.

Cheers,
Brian

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
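The flow Brian describes, as an added example that is not part of the original thread and not code from any OAuth implementation: the script embedded at thirdparty.com builds the redirect to serviceprovider.com, reads the token back out of the URL fragment (which the browser never sends to thirdparty.com's server, so no server-side code is needed there), then attaches it to the cross-origin data request. The hostnames, the /authorize and /data paths, the parameter names beyond access_token/expires_in/state, and the "OAuth" Authorization scheme are assumptions for the illustration; the constructed redirect-back URL at the bottom stands in for what the browser would actually land on.

```javascript
// Added example (not from the original thread). Assumed endpoints and names:
//   https://serviceprovider.com/authorize  - authorization endpoint
//   https://serviceprovider.com/data       - protected resource
//   https://thirdparty.com/cb              - static callback page at the third party

// Step 1: build the redirect to serviceprovider.com. response_type=token asks
// for the user-agent flow, i.e. the token comes back in the fragment.
function buildAuthorizeUrl({ authorizeEndpoint, clientId, redirectUri, scope, state }) {
  const u = new URL(authorizeEndpoint);
  u.searchParams.set("response_type", "token");
  u.searchParams.set("client_id", clientId);
  u.searchParams.set("redirect_uri", redirectUri);
  if (scope) u.searchParams.set("scope", scope);
  u.searchParams.set("state", state); // bound to this browser session; checked on return
  return u.toString();
}

// Step 2: parse the token out of the fragment of the URL the browser landed on
// (in a page this would be window.location.href). The fragment is only visible
// to script in the page, which is what lets thirdparty.com stay server-less.
function parseFragmentToken(redirectedUrl, expectedState) {
  const u = new URL(redirectedUrl);
  // Defensive check: a token in the query string would have been sent to the
  // thirdparty.com server (and logged there); refuse it rather than use it.
  if (u.searchParams.has("access_token")) {
    throw new Error("access_token arrived in the query string, not the fragment");
  }
  const params = new URLSearchParams(u.hash.replace(/^#/, ""));
  const error = params.get("error");
  if (error) throw new Error("authorization failed: " + error);
  const accessToken = params.get("access_token");
  if (!accessToken) throw new Error("no access_token in fragment");
  if (params.get("state") !== expectedState) throw new Error("state mismatch");
  const expiresIn = params.has("expires_in") ? Number(params.get("expires_in")) : null;
  return { accessToken, expiresIn };
}

// Step 3: once the token has been read, drop the fragment from the visible URL
// so it is not kept in the tab's history entry (addresses the history concern
// raised upstream). Takes the window object as a parameter so it can run
// without a DOM; a no-op where history.replaceState is unavailable.
function scrubFragment(win) {
  if (!win || !win.history || typeof win.history.replaceState !== "function") return false;
  const loc = win.location;
  win.history.replaceState(null, "", loc.pathname + loc.search);
  return true;
}

// Step 4: describe the cross-origin data request made from thirdparty.com's
// page. Returned as a plain object so it can be inspected offline; in a
// browser it would be handed to XMLHttpRequest/fetch with CORS enabled at
// serviceprovider.com. The "OAuth" scheme is an assumption here.
function buildDataRequest(resourceEndpoint, accessToken, scheme = "OAuth") {
  return {
    method: "GET",
    url: resourceEndpoint,
    headers: { Authorization: scheme + " " + accessToken },
  };
}

// Constructed walk-through (not a captured exchange).
const STATE = "s3ss10n-n0nce";
const authorizeUrl = buildAuthorizeUrl({
  authorizeEndpoint: "https://serviceprovider.com/authorize",
  clientId: "thirdparty.com",
  redirectUri: "https://thirdparty.com/cb",
  scope: "read",
  state: STATE,
});
// What the browser would land on after consent (constructed):
const landedOn = "https://thirdparty.com/cb#access_token=tok_example_123&expires_in=3600&state=" + STATE;
const grant = parseFragmentToken(landedOn, STATE);
const request = buildDataRequest("https://serviceprovider.com/data", grant.accessToken);
console.log(authorizeUrl);
console.log(request.headers.Authorization);
```

Note that nothing in the flow requires thirdparty.com to ever see the token server-side: the redirect goes out with no secret, the token arrives in a part of the URL the browser keeps local, and the only request carrying it goes straight to serviceprovider.com. Returning the token in a response body instead (the alternative proposed above) would require the callback page to be generated by code that can read that body, which is exactly the server-side component this profile is meant to avoid.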