> How would the token endpoint detect login status of the user?

Oddball idea: why not use the cookie? If the assumption is that the RT is being used from a client-side browser-based app, and CORS allows for credentials, then perhaps this is a way to bind the RT to the user's browser session. The spec does say that alternative credentials are allowed at the token endpoint...

Sounds icky, but compared to iframes back to the authorize endpoint?

-Brock
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
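
The idea in the message above, sketched as an added example (not code from the post or from any OAuth implementation): a token endpoint that treats the session cookie as the login-status signal and only honours a refresh token bound to that session. The cookie name `sid`, the in-memory stores, the origin `https://app.example` and the function name `handle_refresh` are assumptions made for illustration.

```python
import secrets

# Constructed in-memory state; a real authorization server has its own stores.
ALLOWED_ORIGINS = {"https://app.example"}  # hypothetical SPA origin
SESSIONS = {"sess-abc": {"user": "alice", "active": True}}
REFRESH_TOKENS = {"rt-1": {"user": "alice", "session": "sess-abc"}}


def handle_refresh(form, cookies, origin):
    """Return (status, headers, body) for a refresh_token grant bound to the session cookie."""
    if origin not in ALLOWED_ORIGINS:
        return 403, {}, {"error": "invalid_request"}
    # Credentialed CORS requires echoing one specific origin, never "*".
    headers = {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",
    }
    if form.get("grant_type") != "refresh_token":
        return 400, headers, {"error": "unsupported_grant_type"}
    presented = form.get("refresh_token")
    rt = REFRESH_TOKENS.get(presented)
    sid = cookies.get("sid")
    session = SESSIONS.get(sid)
    # The cookie answers "is the user still logged in?": no live session, no tokens.
    if rt is None or session is None or not session["active"]:
        return 400, headers, {"error": "invalid_grant"}
    # Binding check: the RT must belong to the session this browser presented.
    if rt["session"] != sid or rt["user"] != session["user"]:
        return 400, headers, {"error": "invalid_grant"}
    # Rotate the refresh token so a copied one stops working after one use.
    del REFRESH_TOKENS[presented]
    new_rt = "rt-" + secrets.token_urlsafe(16)
    REFRESH_TOKENS[new_rt] = {"user": rt["user"], "session": sid}
    body = {
        "access_token": secrets.token_urlsafe(16),
        "token_type": "Bearer",
        "refresh_token": new_rt,
    }
    return 200, headers, body
```

Because the browser attaches the cookie automatically, the allowed-origin check is what keeps other sites from driving this endpoint with the user's session.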