Feel free to propose an alternative preamble for the implicit and authorization code sections, describing the characteristics of what they are good for. It should fit in a single paragraph. Such a proposal would fit right in with last call feedback to -13.
EHL

> -----Original Message-----
> From: Marius Scurtescu [mailto:mscurte...@google.com]
> Sent: Wednesday, February 16, 2011 1:39 PM
> To: Eran Hammer-Lahav
> Cc: Brian Campbell; OAuth WG
> Subject: Re: [OAUTH-WG] Draft -12 feedback deadline
>
> On Wed, Feb 16, 2011 at 12:28 PM, Eran Hammer-Lahav
> <e...@hueniverse.com> wrote:
> > The reason why we don't return a refresh token in the implicit grant is
> > exactly because there is no client authentication...
>
> Not sure that's the main reason. AFAIK it is because the response is sent
> through the user-agent and it could leak.
>
> > These are all well-balanced flows with specific security properties. If you
> > need something else, even if it is just a tweak, it must be considered a
> > different flow. That doesn't mean you need to register a new grant type, just
> > that you are dealing with different implementation details unique to your
> > server.
>
> The Authorization Code flow, with no client secret, is perfectly fine for
> Native Apps IMO.
>
> Marius

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
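The two points argued in the exchange above (no refresh token in the implicit grant because the response passes through the user-agent, and the authorization code grant working for a public client with no client secret) are easier to see side by side in code. The following is an added example written for this page; it is not code from the OAuth drafts, the working group, or either participant. The client registrations, redirect URIs, the secret value, and the in-memory code and token stores are all made up for illustration.

```python
# Added example (not from the OAuth WG thread or any draft text): a toy
# authorization server that issues tokens the way the two grants under
# discussion do, so the difference between "no client authentication" and
# "response passes through the user-agent" is visible in code.
#
#  * Implicit grant: the access token rides back in the redirect URI fragment
#    through the user-agent, so no refresh token is issued.
#  * Authorization code grant, public client (no client secret, e.g. a native
#    app): the code is redeemed at the token endpoint over a direct
#    client-to-server request, and a refresh token is issued.
#
# Client identifiers, redirect URIs and the secret below are made up.
import secrets
import time
from urllib.parse import urlencode, urlsplit, urlunsplit

# Hypothetical registered clients. "secret": None marks a public client.
CLIENTS = {
    "web-spa": {"secret": None, "redirect_uri": "https://app.example/cb",
                "grants": {"implicit"}},
    "native-app": {"secret": None, "redirect_uri": "myapp://cb",
                   "grants": {"authorization_code"}},
    "confidential-web": {"secret": "s3cret-value",
                         "redirect_uri": "https://site.example/cb",
                         "grants": {"authorization_code"}},
}

CODE_TTL = 60          # seconds an authorization code stays redeemable
TOKEN_TTL = 3600       # access token lifetime reported to the client
_codes = {}            # code -> (client_id, redirect_uri, expires_at)
_refresh_tokens = {}   # refresh token -> client_id


def _new_token():
    return secrets.token_urlsafe(32)


def implicit_response(client_id, state):
    """Authorization endpoint result for response_type=token.

    The token goes in the fragment (never the query) so it is not sent to the
    server hosting the redirect URI, but it still passes through the
    user-agent: browser history, scripts on the page, extensions. That is why
    no refresh_token is included.
    """
    client = CLIENTS[client_id]
    if "implicit" not in client["grants"]:
        raise ValueError("unauthorized_client")
    params = {"access_token": _new_token(), "token_type": "bearer",
              "expires_in": TOKEN_TTL, "state": state}
    parts = urlsplit(client["redirect_uri"])
    return urlunsplit(parts._replace(fragment=urlencode(params)))


def issue_code(client_id):
    """Authorization endpoint result for response_type=code (user consent is
    assumed to have happened already). Returns the short-lived code."""
    client = CLIENTS[client_id]
    if "authorization_code" not in client["grants"]:
        raise ValueError("unauthorized_client")
    code = _new_token()
    _codes[code] = (client_id, client["redirect_uri"], time.time() + CODE_TTL)
    return code


def token_endpoint(form, client_secret=None):
    """Token endpoint for grant_type=authorization_code.

    Returns (http_status, json_body). The client is authenticated only if it
    has a secret registered; a public client is identified by client_id alone
    and still receives a refresh token, because this exchange is a direct
    request from the client, not a redirect through the user-agent.
    """
    client = CLIENTS.get(form.get("client_id"))
    if client is None:
        return 400, {"error": "invalid_client"}
    if client["secret"] is not None:
        if not secrets.compare_digest(client["secret"], client_secret or ""):
            return 401, {"error": "invalid_client"}
    if form.get("grant_type") != "authorization_code":
        return 400, {"error": "unsupported_grant_type"}
    if "authorization_code" not in client["grants"]:
        return 400, {"error": "unauthorized_client"}
    entry = _codes.pop(form.get("code"), None)   # single use: gone after one try
    if (entry is None or entry[0] != form.get("client_id")
            or entry[1] != form.get("redirect_uri") or entry[2] < time.time()):
        return 400, {"error": "invalid_grant"}
    refresh = _new_token()
    _refresh_tokens[refresh] = form["client_id"]
    return 200, {"access_token": _new_token(), "token_type": "bearer",
                 "expires_in": TOKEN_TTL, "refresh_token": refresh}


if __name__ == "__main__":
    print(implicit_response("web-spa", "abc123"))
    code = issue_code("native-app")
    print(token_endpoint({"grant_type": "authorization_code", "code": code,
                          "client_id": "native-app", "redirect_uri": "myapp://cb"}))
```

The code is bound to the client_id and redirect_uri it was issued for and is consumed on first use, so a code captured from a native app's redirect is only worth one exchange, and only by a request that presents the matching client_id and redirect_uri. Nothing in the implicit path can apply that check because there is no second request to apply it to.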