I guess, in the ideal world, the app provider provides a group
signature for the app and each client establishes individual keys with
the AS, but that is not the way current OAuth is architected. Maybe that is
the next step after the current set of new work items is finished.
=nat via iPhone
On 2012/06/0
The implicit flow doesn't allow for refresh tokens.
The refresh token mechanism allows the AS to revoke access to the RS when a
relatively short-lived access_token expires.
Some people seem to prefer having the RS make a callback to the AS on each
access, and not use refresh tokens.
There
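To make the trade-off in the message above concrete, here is an added example (not code from the thread or from any OAuth implementation) that models both options: an RS that validates self-contained, short-lived access tokens offline and therefore only learns of a revocation once the token expires and the client's refresh is refused, versus an RS that calls back to the AS on every access and sees the revocation immediately. The class and method names (AuthorizationServer, ResourceServer, introspect, demo_revocation_window), the HMAC token format and the 60-second lifetime are all assumptions made for the illustration; the clock is a plain integer so the window can be stepped through deterministically.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Assumed lifetime: short so that an offline RS stops honouring a revoked
# grant quickly. The thread does not prescribe a value.
ACCESS_TOKEN_LIFETIME = 60  # seconds


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def verify_access_token(key: bytes, token: str, now: int):
    """Offline check: HMAC tag over the claims plus an expiry. Returns claims or None."""
    try:
        body, tag = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    claims = json.loads(_unb64(body))
    if claims["exp"] <= now:
        return None
    return claims


class AuthorizationServer:
    """Hypothetical AS: mints HMAC-signed access tokens, keeps refresh tokens server-side."""

    def __init__(self, key: bytes):
        self._key = key
        self._refresh_tokens = {}  # refresh_token -> client_id
        self._revoked = set()      # client_ids whose grants were revoked

    def _mint_access_token(self, client_id: str, now: int) -> str:
        claims = {"client_id": client_id, "exp": now + ACCESS_TOKEN_LIFETIME}
        body = _b64(json.dumps(claims).encode())
        tag = hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()
        return f"{body}.{tag}"

    def issue(self, client_id: str, now: int):
        refresh_token = secrets.token_urlsafe(32)
        self._refresh_tokens[refresh_token] = client_id
        return self._mint_access_token(client_id, now), refresh_token

    def refresh(self, refresh_token: str, now: int):
        # Revocation bites here: a revoked grant's refresh token is gone.
        client_id = self._refresh_tokens.get(refresh_token)
        if client_id is None:
            return None
        return self._mint_access_token(client_id, now)

    def revoke(self, client_id: str) -> None:
        self._revoked.add(client_id)
        self._refresh_tokens = {rt: c for rt, c in self._refresh_tokens.items()
                                if c != client_id}

    def introspect(self, token: str, now: int) -> bool:
        # The per-access callback the message describes: the AS answers whether
        # the token is still good right now, including its revocation state.
        claims = verify_access_token(self._key, token, now)
        return claims is not None and claims["client_id"] not in self._revoked


class ResourceServer:
    """Hypothetical RS; callback_per_request selects which of the two models it uses."""

    def __init__(self, key: bytes, authz: AuthorizationServer, callback_per_request: bool):
        self._key = key
        self._authz = authz
        self._callback = callback_per_request

    def accept(self, token: str, now: int) -> bool:
        if self._callback:
            return self._authz.introspect(token, now)
        return verify_access_token(self._key, token, now) is not None


def demo_revocation_window() -> dict:
    """Step a revoked grant through time and record what each RS model decides."""
    key = secrets.token_bytes(32)
    authz = AuthorizationServer(key)
    offline_rs = ResourceServer(key, authz, callback_per_request=False)
    callback_rs = ResourceServer(key, authz, callback_per_request=True)
    t0 = 1_000_000  # constructed clock value
    access_token, refresh_token = authz.issue("native-app", t0)
    results = {}
    results["before_revoke"] = (offline_rs.accept(access_token, t0 + 1),
                                callback_rs.accept(access_token, t0 + 1))
    authz.revoke("native-app")
    # Offline RS still honours the unexpired token; callback RS rejects at once.
    results["after_revoke_token_unexpired"] = (offline_rs.accept(access_token, t0 + 2),
                                               callback_rs.accept(access_token, t0 + 2))
    # Once the short-lived token expires, the offline RS rejects it as well ...
    results["after_expiry"] = offline_rs.accept(access_token, t0 + ACCESS_TOKEN_LIFETIME)
    # ... and the client cannot refresh, which is the revocation point for that model.
    results["refresh_after_revoke"] = authz.refresh(refresh_token, t0 + ACCESS_TOKEN_LIFETIME)
    return results
```

The dictionary returned by demo_revocation_window shows the window the message is pointing at: after revoke() the offline RS keeps accepting the token until it expires (at most ACCESS_TOKEN_LIFETIME seconds), while the callback RS rejects immediately at the cost of one AS round trip per access. Refresh-token rotation and scopes are left out because they do not change that comparison.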
Hi all,
I'm looking for a better understanding of why the code flow is recommended as
the preferred OAuth flow, even when used for native (public) clients.
I totally get why it is preferred for confidential clients, as explained in
section 1.3.1 of version 26 of the draft. The first reaso