> > Through registration and redirect URI validation. A native app does not have to impersonate, they can just register a user-agent client. Everything boils down to the user trusting the app. As Breno mentions, nothing the spec can do to help with that.

It could recommend the authorization server not to automatically process repeated authorizations without user consent if it cannot reliably authenticate the client.

> > Marius

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth