Thanks Justin - some more questions below...
> > What does "public" mean here? In what sense could a client be
> > public or private, and why is implicit grant more appropriate for the
> > public case?
>
> Section 2.1, client types.

My understanding of a public client from this section was a client which is distributed and not hosted on a server, such as a desktop or mobile app. How is it possible for a web-hosted client to be public?

> Step C is the server sending back the HTTP redirect in response to step
> A. Steps D and E are the user agent following that HTTP redirect. Step
> F is extracting the information from the redirected endpoint. While the
> access token is sent back in step C, scripts running in the user agent
> don't have easy access to it.

Ah whoops, I misread C and D. So here's my real question: Why doesn't the user agent send the access token to the server in D? Why does the web server have to deliver a script which extracts it locally? Is it to facilitate a certain style of application development?
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
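As an added example that is not part of the thread above, the following script shows what the step F extraction looks like for an implicit-grant redirect (fragment-encoded parameters as in RFC 6749 section 4.2.2) and which part of the redirect URI the user agent actually transmits in step D. The redirect URI, token value and state value are constructed sample data, and the `state` check against a value the client stored before step A is an assumed client-side mitigation, not something the thread describes.

```javascript
// Added example: client-side handling of an implicit-grant redirect.
// The token parameters are carried in the URI fragment (#...). A user agent
// strips the fragment before sending the request in step D, so only a script
// running in the user agent (step F) can read it.

// What the user agent transmits to the client's web server in step D:
// path and query string only; the fragment is never part of the request.
function requestTarget(redirectUri) {
  const u = new URL(redirectUri);
  return u.pathname + u.search;
}

// Step F: extract the token response from the fragment and validate it.
// expectedState is the value the client stored before step A; rejecting a
// mismatch ties the response to this client session (CSRF mitigation).
function parseImplicitResponse(redirectUri, expectedState) {
  const u = new URL(redirectUri);
  const params = new URLSearchParams(u.hash.replace(/^#/, ''));
  if (params.get('state') !== expectedState) {
    throw new Error('state mismatch: response not bound to this session');
  }
  if (params.has('error')) {
    // Error response: the authorization server refused the request.
    throw new Error(`authorization error: ${params.get('error')}`);
  }
  const accessToken = params.get('access_token');
  const tokenType = params.get('token_type');
  if (!accessToken || !tokenType) {
    throw new Error('missing access_token or token_type in fragment');
  }
  const expiresIn = params.has('expires_in') ? Number(params.get('expires_in')) : null;
  return { accessToken, tokenType, expiresIn, scope: params.get('scope') };
}

// Constructed sample redirect URI (all values made up for this example).
const SAMPLE_REDIRECT =
  'https://client.example.com/cb#access_token=2YotnFZFEjr1zCsicMWpAA' +
  '&state=xyz&token_type=example&expires_in=3600';

// requestTarget(SAMPLE_REDIRECT) returns '/cb'; the token stays in the user agent.
```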