But that's just an annoying implementation detail. If the only difference now between the hybrid and web server flows is one character ('?' vs '#'), and all the other security considerations and rules (matching, registration, etc.) are the same, I don't see any point in going back to -05 structure. Otherwise, we have exactly the same section repeating twice or three times, with almost no differences (which actually makes it harder to pick).

EHL

> -----Original Message-----
> From: Brian Eaton [mailto:bea...@google.com]
> Sent: Tuesday, January 11, 2011 12:49 PM
> To: Eran Hammer-Lahav
> Cc: OAuth WG
> Subject: Re: [OAUTH-WG] Proposal to drop/relocate
> response_type=code_and_token
>
> On Tue, Jan 11, 2011 at 12:45 PM, Eran Hammer-Lahav
> <e...@hueniverse.com> wrote:
> > The exact same argument can be made that the hybrid flow meets all the
> > use cases of the web-server flow... which means we can keep the
> > current single flow specification as is... :-)
> >
> > What am I missing? (I'm asking).
>
> The hybrid flow does not work well for applications that consist mainly of
> server-side code. The URL fragment is not transferred to the web server, so
> they have to write extra client-side code to send it up to their server.

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
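
The '?' versus '#' difference discussed in this thread, as an added example that is not part of the original messages or of the draft: it shows what a server-side handler can read from each redirect and the relay step a hybrid-flow client has to add. The redirect URIs, host name, parameter values and function names are constructed for illustration, and relaying only `code` and `state` is an assumption of this sketch.

```javascript
// Constructed redirect URIs (host, path and values are made up).
const WEB_SERVER_REDIRECT =
  "https://client.example/cb?code=AUTHZ_CODE_1&state=xyz";
const HYBRID_REDIRECT =
  "https://client.example/cb#code=AUTHZ_CODE_2&access_token=TOKEN_2&state=xyz";

// What the user agent puts in the HTTP request line: path and query only.
// The fragment is never sent to the server.
function requestTarget(redirectUri) {
  const u = new URL(redirectUri);
  return u.pathname + u.search;
}

// Parameters a server-side handler can read from that request.
function serverVisibleParams(redirectUri) {
  // The base URL is a throwaway, needed only to parse a relative target.
  const target = new URL(requestTarget(redirectUri), "https://placeholder.invalid");
  return Object.fromEntries(target.searchParams);
}

// Parameters only script running in the browser can read (location.hash).
function fragmentParams(redirectUri) {
  const hash = new URL(redirectUri).hash.replace(/^#/, "");
  return Object.fromEntries(new URLSearchParams(hash));
}

// The "extra client-side code": build the form body that sends the
// authorization code up to the server. Assumption of this sketch: only
// code and state are relayed, the access token stays in the browser.
function relayBody(redirectUri) {
  const { code, state } = fragmentParams(redirectUri);
  if (!code) return null; // nothing in the fragment to relay
  const body = new URLSearchParams({ code });
  if (state) body.set("state", state);
  return body.toString();
}

console.log(requestTarget(WEB_SERVER_REDIRECT)); // server sees the code
console.log(requestTarget(HYBRID_REDIRECT));     // server sees only the path
console.log(relayBody(HYBRID_REDIRECT));         // what the client must POST
```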