On Tue, Jan 11, 2011 at 2:44 PM, Torsten Lodderstedt <tors...@lodderstedt.net> wrote:

> Do you see any need to restrict the power of this token or is it as powerful
> as the tokens obtained using the code? I'm asking because this token is sent
> out without authenticating the client whereas exchange of code to tokens can
> be authenticated. A malicious client app could initiate the hybrid
> authorization process in a browser (embedded or external), pretend to be a
> legitimate client and obtain the token from the redirect_uri after the
> redirect.
This is a good point, I think there are a set of people who won't deploy the user-agent flow because it returns a token without seeing the client secret. They might choose to support the user-agent flow, but return less privileged tokens. I doubt we could standardize anything like that.

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
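The "less privileged tokens" idea in the reply above, worked through as an added example (this is not code from the thread or from any OAuth implementation): an authorization server applies one issuance policy when a code is exchanged with the client secret (client authenticated) and a stricter one when the token is returned straight to the redirect_uri in the user-agent flow (client not authenticated). The client registry, the scope names, the `PUBLIC_FLOW_MAX_SCOPES` cap, the lifetimes and the function names are all hypothetical; the only binding the unauthenticated path has is an exact match against the registered redirect_uri, which is why the example checks that before issuing anything.

```python
"""Added example, not from the OAuth list thread: scope and lifetime policy that
depends on whether the client authenticated. All names and values are hypothetical."""
import hmac
import secrets
import time
from dataclasses import dataclass

# Constructed client registry: client_id -> secret, registered redirect_uri, registered scopes.
CLIENTS = {
    "app-123": {
        "secret": "constructed-client-secret",
        "redirect_uri": "https://client.example/cb",
        "scopes": {"read", "write", "admin"},
    }
}

# Hypothetical policy: a token issued without client authentication is capped
# to read-only scope and a short lifetime; an authenticated exchange gets the
# full registered scope and a longer lifetime.
PUBLIC_FLOW_MAX_SCOPES = {"read"}
AUTHENTICATED_TTL_SECONDS = 3600
UNAUTHENTICATED_TTL_SECONDS = 600


@dataclass(frozen=True)
class AccessToken:
    value: str
    scopes: frozenset
    expires_at: float
    client_authenticated: bool


def _issue(client_id, requested_scopes, authenticated, now):
    """Grant the intersection of requested and registered scopes, then apply the
    reduced-privilege cap when the client could not be authenticated."""
    client = CLIENTS[client_id]
    granted = set(requested_scopes) & client["scopes"]
    ttl = AUTHENTICATED_TTL_SECONDS
    if not authenticated:
        granted &= PUBLIC_FLOW_MAX_SCOPES
        ttl = UNAUTHENTICATED_TTL_SECONDS
    return AccessToken(
        value=secrets.token_urlsafe(32),
        scopes=frozenset(granted),
        expires_at=now + ttl,
        client_authenticated=authenticated,
    )


def token_from_code_exchange(client_id, client_secret, requested_scopes, now=None):
    """Authorization-code exchange: the client presents its secret, so the token
    may carry the full scope it is registered for."""
    now = time.time() if now is None else now
    client = CLIENTS.get(client_id)
    if client is None or not hmac.compare_digest(client["secret"], client_secret):
        raise PermissionError("client authentication failed")
    return _issue(client_id, requested_scopes, authenticated=True, now=now)


def token_from_user_agent_flow(client_id, redirect_uri, requested_scopes, now=None):
    """User-agent flow: no secret is seen. The only check available is that the
    redirect_uri exactly matches the registered one, and even then the token is
    issued with reduced scope and a short lifetime."""
    now = time.time() if now is None else now
    client = CLIENTS.get(client_id)
    if client is None or redirect_uri != client["redirect_uri"]:
        raise PermissionError("unknown client or redirect_uri mismatch")
    return _issue(client_id, requested_scopes, authenticated=False, now=now)


if __name__ == "__main__":
    full = token_from_code_exchange("app-123", "constructed-client-secret", ["read", "write", "admin"])
    capped = token_from_user_agent_flow("app-123", "https://client.example/cb", ["read", "write", "admin"])
    print("code exchange scopes:", sorted(full.scopes))
    print("user-agent flow scopes:", sorted(capped.scopes))
```

The point of splitting issuance into two entry points is that the unauthenticated path can never reach the privileged branch by accident: the cap is applied on the basis of how the token was requested, not on anything the requesting party claims about itself.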