I suppose the authors have imported one of the security features of OpenID
Connect here as well. In the Dynamic Client Registration standard, which is
a bit longer than the IETF version, you can see the reason:

application_type
OPTIONAL. Kind of the application. The default, if omitted,
is web. The defined values are native or web. Web Clients using the OAuth
Implicit Grant Type MUST only register URLs using the https scheme as
redirect_uris; they MUST NOT use localhost as the hostname. Native Clients
MUST only register redirect_uris using custom URI schemes or URLs using the
http: scheme with localhost as the hostname. Authorization Servers MAY
place additional constraints on Native Clients. Authorization Servers MAY
reject Redirection URI values using the http scheme, other than the
localhost case for Native Clients. The Authorization Server MUST verify
that all the registered redirect_uris conform to these constraints. This
prevents sharing a Client ID across different types of Clients.

Regards,

Nat


2014-07-08 21:17 GMT+09:00 Hannes Tschofenig <hannes.tschofe...@gmx.net>:

> Hi all,
>
> with version -18 you guys have added a new meta-data attribute, namely
> application_type.
>
> First, this new attribute is not listed in the IANA consideration section.
>
> Second, could you provide a bit of motivation why you need it? What
> would the authorization server do with that type of information? The
> description is rather short.
>
> IMHO there is also no clear boundary between a "native" and "web" app.
> Just think about smart phone apps that are developed using JavaScript.
> Would this be a web app or a native app?
>
> Here is the definition from the draft:
>
> application_type
>       OPTIONAL.  Kind of the application.  The default, if omitted, is
>       "web".  The defined values are "native" or "web".
>
> Ciao
> Hannes
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
>


-- 
Nat Sakimura (=nat)
Chairman, OpenID Foundation
http://nat.sakimura.org/
@_nat_en
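
The constraints in the registration text quoted in the reply above, written as a server-side check at registration time (an added example, not part of the thread or of either specification). The function names are hypothetical, `grant_types` containing `implicit` is assumed to be how the server recognizes an implicit-grant client, and the hostname test compares against the literal string `localhost`.

```python
from urllib.parse import urlsplit

def redirect_uri_error(uri, application_type="web", uses_implicit=False):
    """Return None if uri meets the quoted constraints, else the reason."""
    parts = urlsplit(uri)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    if not scheme:
        return "not an absolute URI"
    if application_type == "web":
        # The quoted MUSTs for web clients apply to the implicit grant.
        if uses_implicit and host == "localhost":
            return "web client must not use localhost"
        if uses_implicit and scheme != "https":
            return "web client using the implicit grant must use https"
        return None
    if application_type == "native":
        if scheme == "http":
            return None if host == "localhost" else "native http URI must use localhost"
        if scheme == "https":
            return "native client must use a custom scheme or http://localhost"
        return None  # any other scheme is treated as a custom URI scheme
    return "unknown application_type"

def rejected_redirect_uris(metadata):
    """Map each non-conforming redirect_uri in a registration request to a reason."""
    app_type = metadata.get("application_type", "web")  # default per the quoted text
    # Assumption: "implicit" listed in grant_types marks an implicit-grant client.
    implicit = "implicit" in metadata.get("grant_types", ["authorization_code"])
    errors = {}
    for uri in metadata.get("redirect_uris", []):
        reason = redirect_uri_error(uri, app_type, implicit)
        if reason:
            errors[uri] = reason
    return errors

# Constructed registration requests (not taken from the thread).
WEB = {"grant_types": ["implicit"], "redirect_uris": ["https://client.example.org/cb"]}
NATIVE = {"application_type": "native",
          "redirect_uris": ["com.example.app:/cb", "http://localhost:3000/cb"]}

if __name__ == "__main__":
    print(rejected_redirect_uris(WEB), rejected_redirect_uris(NATIVE))
    # Swapping the types shows the sets do not overlap: every URI is rejected.
    print(rejected_redirect_uris({**WEB, "application_type": "native"}))
    print(rejected_redirect_uris({**NATIVE, "grant_types": ["implicit"], "application_type": "web"}))
```

Because no URI passes both the web implicit-grant rules and the native rules, a redirect_uris set registered under one application_type cannot be reused under the other, which is the Client ID separation the quoted text ends on.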