I've read the latest spec and some of the discussions around the user-agent flow and native apps. I've read about the different options to get the authz code (copy-paste, polling the title of the window, custom scheme, etc.).

I might be missing something, but my question is: why can't we send a nonce in the initial request to the authz server and have the client app poll an endpoint until the authz code is generated and associated with that nonce? Why is that not a possible approach to get the authz code in the native client? Is it because the authz server might get several requests during the app polling? Or am I missing some security issue (assuming this all goes through TLS)?

Thanks,
Matias
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth