>> The frames timing issue is interesting, but doesn't it suggest a
>> profile where the whole code step is bypassed (e.g. by receiving code
>> and token)?
>
> The user-agent profile callback URL should end up looking like this:
>
> /callback#code=<code>&token=<token>
>
> The token component is there to immediately return a usable access
> token to the relying party/client server.

Do you see any need to restrict the power of this token or is it as
powerful as the tokens obtained using the code? I'm asking because this
token is sent out without authenticating the client whereas exchange of
code to tokens can be authenticated. A malicious client app could
initiate the hybrid authorization process in a browser (embedded or
external), pretend to be a legitimate client and obtain the token from
the redirect_uri after the redirect.

regards,
Torsten.

> The code component is there so the server-side components of the RP
> can obtain a refresh token and additional access tokens.
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
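The following is an added illustration of the point Torsten raises, not code from the thread or from any OAuth implementation. It is a toy authorization server for the hybrid user-agent flow (`code` and `token` in the redirect fragment). Because the fragment token is handed out before any client authentication has happened, the server issues it with a reduced scope and a short lifetime, and gives out the full-scope access token and the refresh token only through the authenticated code exchange at the token endpoint; it also refuses to redirect to any `redirect_uri` other than the one registered for the client, since that registration is the only thing standing between a pretend client and the fragment. The client registry, scope names, lifetimes and the `AuthServer` / `parse_callback_fragment` names are all constructed for the example.

```python
"""Toy authorization server for the OAuth hybrid user-agent flow
(code + token in the redirect fragment).

Policy illustrated: the fragment token is issued to an unauthenticated
client, so it is restricted (scope subset, short TTL); full-power tokens
and the refresh token require the authenticated code exchange.

Everything here (client registry, scopes, lifetimes, names) is constructed
for the example; none of it comes from the mailing-list thread."""

import secrets
import time
from urllib.parse import parse_qs, urlencode, urlsplit

# Policy knobs (assumed values, not from the thread).
FRAGMENT_TOKEN_TTL = 300                    # seconds; short, client is unauthenticated
FRAGMENT_SCOPE_ALLOWED = {"profile:read"}   # only low-risk scopes ride in the fragment
CODE_TTL = 60                               # seconds a code stays exchangeable
FULL_TOKEN_TTL = 3600                       # seconds for tokens from the token endpoint


class AuthServer:
    def __init__(self, now=time.time):
        self.now = now
        # Constructed client registry: one confidential client with a secret
        # and exactly one registered redirect_uri.
        self.clients = {
            "rp-web": {"secret": "rp-web-secret",
                       "redirect_uri": "https://rp.example/callback"},
        }
        self.codes = {}    # code -> grant record (single use)
        self.tokens = {}   # access token -> token record

    def _issue(self, user, scope, ttl, client_authenticated):
        tok = secrets.token_urlsafe(24)
        self.tokens[tok] = {
            "user": user,
            "scope": set(scope),
            "exp": self.now() + ttl,
            "client_authenticated": client_authenticated,
        }
        return tok

    def authorize(self, client_id, redirect_uri, scope, user):
        """Hybrid authorization response: <redirect_uri>#code=...&token=...
        The redirect_uri must equal the registered one; otherwise a pretend
        client could have the fragment delivered to a URI it controls."""
        client = self.clients.get(client_id)
        if client is None or client["redirect_uri"] != redirect_uri:
            raise ValueError("unknown client or redirect_uri mismatch")
        code = secrets.token_urlsafe(16)
        self.codes[code] = {"client_id": client_id, "user": user,
                            "scope": set(scope), "exp": self.now() + CODE_TTL}
        # Nobody has proven they are client_id yet, so the fragment token is
        # cut down to the allowed subset of the requested scope and short-lived.
        token = self._issue(user, set(scope) & FRAGMENT_SCOPE_ALLOWED,
                            FRAGMENT_TOKEN_TTL, client_authenticated=False)
        return f"{redirect_uri}#{urlencode({'code': code, 'token': token})}"

    def exchange(self, client_id, client_secret, code):
        """Token endpoint: client authentication first, then a single-use,
        unexpired code bound to that client yields full-scope tokens."""
        client = self.clients.get(client_id)
        if client is None or not secrets.compare_digest(client["secret"], client_secret):
            raise PermissionError("client authentication failed")
        grant = self.codes.pop(code, None)
        if grant is None or grant["client_id"] != client_id or grant["exp"] < self.now():
            raise PermissionError("invalid, expired or already-used code")
        access = self._issue(grant["user"], grant["scope"], FULL_TOKEN_TTL,
                             client_authenticated=True)
        refresh = secrets.token_urlsafe(24)
        return {"access_token": access, "refresh_token": refresh, "scope": grant["scope"]}

    def introspect(self, token):
        """Resource-server view of a token: None if unknown or expired."""
        rec = self.tokens.get(token)
        if rec is None or rec["exp"] < self.now():
            return None
        return rec


def parse_callback_fragment(url):
    """What the RP's user-agent side does with the redirect: pull code and
    token out of the fragment (the fragment never reaches the RP server)."""
    params = parse_qs(urlsplit(url).fragment, strict_parsing=True)
    return {k: v[0] for k, v in params.items()}
```

Run it by constructing `AuthServer()`, calling `authorize` for the registered client, parsing the returned URL with `parse_callback_fragment`, and then comparing `introspect` on the fragment token with the result of `exchange`: the fragment token carries only `profile:read` and is marked unauthenticated, while the exchanged token carries the whole requested scope and comes with a refresh token; a wrong client secret or a reused code is rejected without consuming anything it should not.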