Torsten,

Thanks! Yes... I kind of omitted some of the flow decisions to keep the diagram 
simpler.

I also note that there has been quite a lot of discussion on the pre-ambles to 
Implicit grant, etc.

That said, I'm not sure I like binding application type (web app, javascript 
app) to a particular flow. Some have said that the spec shouldn't deal in 
best-practices (what flow should be used by specific client types) as much as 
just focusing on the normative requirements for each flow type. 
It seems conceivable to me that people will come up with new scenarios that 
don't fit the current definitions and the spec will 'break'. 

With that in mind, the only real difference I saw between 4.1 and 4.2 was one 
had client auth and an extra step, while implicit did 2 steps at once with 
only user authentication as a requirement.

Though this has been discussed on another thread and I'll probably update once 
a decision is made (draft 14?).

Phil
phil.h...@oracle.com
On 2011-03-09, at 12:45 PM, Torsten Lodderstedt wrote:

> Hi Phil,
> 
> that's great help for anyone looking for advice how to use OAuth.
> 
> One remark: In my opinion, the decision process for authorization code vs. 
> implicit grant involves more parameters.
> 
> refresh token required? --> authz code
> client in question is a web application? --> authz code
> client in question is a JavaScript app? --> implicit grant
> client authentication required --> authz code
> else --> implicit grant
> 
> regards,
> Torsten.
> 
> On 22.02.2011 01:45, Phil Hunt wrote:
>> FYI. I published a blog post with a flow-chart explaining the legs of OAuth.
>> http://independentidentity.blogspot.com/2011/02/does-oauth-have-legs.html
>> 
>> Please let me know if any corrections should be made, or for that matter, 
>> any improvements!
>> 
>> Phil
>> phil.h...@oracle.com
>> 
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth

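To make the distinction discussed above concrete, here is an added example (not code from the thread or from any OAuth implementation) of a minimal in-memory authorization server that models the two grants: the authorization code grant takes two steps, authenticates the client at the token endpoint and can issue a refresh token, while the implicit grant returns the access token in a single step after user authentication alone. The client ids, secrets and redirect URIs are constructed placeholders.

```python
# Added example, not from the thread: minimal in-memory authorization server
# contrasting the authorization code grant (two steps, client authentication,
# refresh token possible) with the implicit grant (one step, user
# authentication only, no refresh token). All values below are constructed.
import secrets

# Constructed registered clients; a JavaScript app cannot keep a secret.
CLIENTS = {
    "web-app": {"secret": "s3cret", "redirect_uri": "https://app.example/cb"},
    "js-app": {"secret": None, "redirect_uri": "https://spa.example/cb"},
}

_codes = {}  # issued authorization codes: code -> client_id


def user_authenticated(user):
    """Stand-in for the user's login, the only requirement implicit imposes."""
    return user is not None


def authorize(response_type, client_id, redirect_uri, user):
    """Step 1 for both grants: the user authorizes the client at the AS."""
    if not user_authenticated(user):
        raise PermissionError("user must authenticate")
    client = CLIENTS.get(client_id)
    if client is None or client["redirect_uri"] != redirect_uri:
        raise ValueError("unknown client or redirect_uri mismatch")
    if response_type == "code":
        # Authorization code grant: only a short-lived, single-use code is
        # returned; the token comes from a second, client-authenticated step.
        code = secrets.token_urlsafe(16)
        _codes[code] = client_id
        return {"code": code}
    if response_type == "token":
        # Implicit grant: both steps at once, access token returned directly,
        # no client authentication and therefore no refresh token.
        return {"access_token": secrets.token_urlsafe(24), "token_type": "bearer"}
    raise ValueError("unsupported response_type")


def token(grant_type, code, client_id, client_secret):
    """Step 2, authorization code grant only: exchange the code for tokens."""
    if grant_type != "authorization_code":
        raise ValueError("unsupported grant_type")
    client = CLIENTS.get(client_id)
    if client is None or client["secret"] is None or client_secret is None \
            or not secrets.compare_digest(client_secret, client["secret"]):
        raise PermissionError("client authentication required")
    if _codes.pop(code, None) != client_id:  # single use, bound to the client
        raise PermissionError("invalid or already used code")
    return {"access_token": secrets.token_urlsafe(24), "token_type": "bearer",
            "refresh_token": secrets.token_urlsafe(24)}
```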
