+1 to recommend the deprecation of implicit. I don't see a compelling reason to keep implicit when there is an established alternative that is more secure.
Our duty as a WG is to give developers the best and most sensible practice. CORS adoption is currently at 94% according to https://caniuse.com/#feat=cors

Vladimir

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth