On Tue, Jan 11, 2011 at 1:21 PM, Eran Hammer-Lahav <e...@hueniverse.com> wrote:
> But that's just an annoying implementation detail.

Yes. The user-agent flow is a set of annoying implementation details that are very, very useful if you want to make the protocol efficient.

> If the only difference now between the hybrid and web server flows is one
> character ('?' vs '#'), and all the other security considerations and rules
> (matching, registration, etc.) are the same, I don't see any point in going
> back to -05 structure.
> Otherwise, we have exactly the same section repeating twice or three times,
> with almost no differences (which actually makes it harder to pick).

There is another important difference in the protocol flows. The web-server flow only returns a verification code on the query. It does not return a token. There are a couple of reasons for that.

- Tokens returned on query strings have more ways to leak than tokens returned in fragments. A shorter-lived code is safer.
- The verification code requires client authentication to use. This makes it safer. It also will, I think, get OAuth2-based login protocols up to LoA 2.

Cheers,
Brian

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
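The two points Brian makes above (a query-string artifact reaches the redirect target's server, a fragment does not; a verification code is useless without the client's credentials) can be seen concretely in a toy authorization server. The block below is an added example written for this page; it is not code from the thread, from the OAuth drafts, or from any IETF participant. The client registration (`client-abc`, its secret and redirect URI), the 60-second code lifetime, and the `what_the_server_sees` helper that renders the request line the redirect target would receive are all constructed for illustration.

```python
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed sample registration (hypothetical client, not from the thread).
REGISTERED_CLIENTS = {
    "client-abc": {"secret": "s3cr3t", "redirect_uri": "https://app.example/cb"},
}
CODE_TTL = 60  # seconds: the verification code is deliberately short-lived

# code -> issuance record; an in-memory stand-in for the server's store
ISSUED_CODES = {}


def authorize(client_id, redirect_uri, response_type, now=None):
    """Authorization endpoint. The redirect URI must match the registration
    exactly for either flow. The web-server flow (response_type=code) redirects
    with a verification code in the query; the user-agent flow
    (response_type=token) redirects with the access token in the fragment."""
    client = REGISTERED_CLIENTS.get(client_id)
    if client is None or client["redirect_uri"] != redirect_uri:
        # Never redirect to an unregistered URI: that would hand the artifact
        # to whoever controls it.
        raise ValueError("unregistered client or redirect_uri mismatch")
    now = time.time() if now is None else now
    if response_type == "code":
        code = secrets.token_urlsafe(16)
        ISSUED_CODES[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                              "issued": now, "used": False}
        return redirect_uri + "?" + urlencode({"code": code})
    if response_type == "token":
        access_token = secrets.token_urlsafe(16)
        return redirect_uri + "#" + urlencode({"access_token": access_token,
                                               "token_type": "bearer"})
    raise ValueError("unsupported response_type")


def token(client_id, client_secret, code, redirect_uri, now=None):
    """Token endpoint for the web-server flow. Returns an OAuth-style JSON
    object: a token on success, or {"error": ...} on failure. A stolen code is
    worthless without the client secret, and it is single-use and short-lived."""
    client = REGISTERED_CLIENTS.get(client_id)
    if client is None or not secrets.compare_digest(client["secret"], client_secret):
        return {"error": "invalid_client"}
    entry = ISSUED_CODES.get(code)
    if entry is None or entry["used"]:
        return {"error": "invalid_grant"}  # unknown or replayed code
    now = time.time() if now is None else now
    if now - entry["issued"] > CODE_TTL:
        return {"error": "invalid_grant"}  # expired code
    if entry["client_id"] != client_id or entry["redirect_uri"] != redirect_uri:
        return {"error": "invalid_grant"}  # code issued to someone else
    entry["used"] = True
    return {"access_token": secrets.token_urlsafe(16), "token_type": "bearer"}


def what_the_server_sees(redirect_url):
    """The request line the redirect target's web server receives when the
    browser follows the redirect. The query string is transmitted (and ends up
    in access logs, proxies and Referer headers); the fragment never leaves
    the browser, which is why a bearer token belongs there and not in the query."""
    parts = urlsplit(redirect_url)
    target = parts.path + ("?" + parts.query if parts.query else "")
    return "GET " + target + " HTTP/1.1"


def code_from_redirect(redirect_url):
    """Extract the verification code the client receives on its redirect URI."""
    return parse_qs(urlsplit(redirect_url).query)["code"][0]


if __name__ == "__main__":
    url = authorize("client-abc", "https://app.example/cb", "code")
    print(what_the_server_sees(url))            # code is visible to the server
    print(token("client-abc", "wrong", code_from_redirect(url),
                "https://app.example/cb"))       # {'error': 'invalid_client'}
    print(token("client-abc", "s3cr3t", code_from_redirect(url),
                "https://app.example/cb"))       # access token
    frag = authorize("client-abc", "https://app.example/cb", "token")
    print(what_the_server_sees(frag))           # "GET /cb HTTP/1.1": no token
```

Run it with no arguments to see both redirects side by side. The design choice worth noting is that the token endpoint answers with an `error` object rather than raising, which mirrors what a real token endpoint returns on the wire and keeps the client-authentication failure distinct from a bad or replayed code.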