One more round trip is often too slow.

EHL

> -----Original Message-----
> From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf
> Of Phil Hunt
> Sent: Monday, February 28, 2011 3:18 PM
> To: Marius Scurtescu
> Cc: OAuth WG
> Subject: Re: [OAUTH-WG] Draft -12 feedback deadline
>
> Given these questions, I am wondering, why does the Implicit Grant flow
> NOT have an authorization code step? Having one, would keep architecture
> of AS and TS clearly separate.
>
> One downside is that issuing of access/refresh token would now have to be
> opened to SHOULD authenticate the client from MUST.
>
> What was the original case for this flow? That should point us as to why the
> separate flow and whether refresh makes sense given the higher risks of the
> implicit flow.
>
> Phil
> phil.h...@oracle.com
>
> On 2011-02-28, at 2:58 PM, Marius Scurtescu wrote:
>
> > On Mon, Feb 28, 2011 at 12:16 PM, Igor Faynberg
> > <igor.faynb...@alcatel-lucent.com> wrote:
> >> +1
> >>
> >> Igor
> >>
> >> Torsten Lodderstedt wrote:
> >>>
> >>> ...
> >>>
> >>> I'm in favour of adding the refresh token parameter to the implicit
> >>> grant flow as it would make it more useable for native apps.
> >
> > I think it is much safer to go with refresh tokens only sent
> > indirectly through an authorization code swap.
> >
> > Implicit grant with refresh token also has no client secret swap and
> > makes things worse by passing the refresh token through the browser.
> >
> > Marius
> > _______________________________________________
> > OAuth mailing list
> > OAuth@ietf.org
> > https://www.ietf.org/mailman/listinfo/oauth