We support an implicit grant flow, but it requires being able to create BrowserID assertions (which requires an FxA auth server session token, which requires the user’s FxA password at some point). The use case we’re currently targeting with implicit grants is when the user has logged in to one of our user agents (Firefox Desktop, Fennec, FxOS, etc.) and needs to access FxA-attached APIs (e.g., reading list, profile data, etc.). We’re not so much focused on supporting general server-less apps yet, particularly third-party ones. What use case are you trying to address?

FYI, here’s the API endpoint in the OAuth server to use implicit grants: https://github.com/mozilla/fxa-oauth-server/blob/master/docs/api.md#post-v1authorization

-chris

P.S. Always cc a list with these kinds of questions, please! +dev-fxacct

On Wed, Jan 7, 2015 at 2:45 AM, Tarek Ziade <[email protected]> wrote:
> Hey
>
> I am wondering what's the flow to use for full client-side apps that can't
> safely keep a client_secret
>
> It's called "implicit grant" in OAuth2
>
> http://tools.ietf.org/html/rfc6749#section-2.1
>
> But I am not sure what's the exact thing to do with FxA
>
> Thanks!
> Tarek
>

_______________________________________________
Dev-fxacct mailing list
[email protected]
https://mail.mozilla.org/listinfo/dev-fxacct

