We have need for all three types.

For web apps, we use web server flow with credentials, and can escalate some 
capabilities for the client since we can be more assured we're talking to the 
actual client.

For native apps, we support:


 1.  the implicit grant (but we won't give out a refresh token to web/js-based
     applications)
 2.  the web server flow with a user+client_id specific secret which we can
     issue through an admin-controlled provisioning process.  In this case we
     can also escalate capabilities as we're reasonably sure we're talking to
     an instance of the client.

For JS Apps we support the implicit grant with no refresh token

-cmort


On 6/1/11 12:16 AM, "Brian Eaton" <bea...@google.com> wrote:

On Wed, Jun 1, 2011 at 12:08 AM, Chuck Mortimore
<cmortim...@salesforce.com> wrote:
> This is one reason we've favored implicit for native apps.

OK, so are you using the implicit grant for both web apps and native
apps...?  I'm trying to figure out if you need two flows or three.

- web server flow
   used with real secret client credentials
   gives out long-lived tokens

- native app flow
   doesn't have real secret client credentials
   gives out long-lived tokens

- implicit flow for javascript apps
   gives out short-lived tokens based on callback URLs

(We need all three of those flows, BTW, plus at some point we'll get
around to implementing a javascript flow that returns authorization
codes, and a web server flow that provides short-lived credentials...
but those are lower priority.)

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
