Hi, (Disclaimer: I've only recently started paying attention to OAuth, so apologies if this is a poorly-formulated question.)
I notice that the OAuth2 draft seems to have browser redirects baked in rather deeply. Are there any plans to add support for flows that don't involve HTTP redirects? For example, it seems at the moment that pure JavaScript applications aren't well-supported, as the resource owner must be redirected to the authorization endpoint, thus leaving the JS app. Now of course trying to do the OAuth flow from within the JS app (say by displaying the authorization endpoint within an iframe) might expose phishing attacks, but one could imagine e.g. a browser plugin that integrates with the native chrome in order to provide a relatively unforgeable OAuth authorization endpoint. More generally, does this sound like a use-case that OAuth would be interested in supporting? Thanks, - gdb -- You received this message because you are subscribed to the Google Groups "OAuth" group. To post to this group, send email to [email protected]. To unsubscribe from this group, send email to [email protected]. For more options, visit this group at http://groups.google.com/group/oauth?hl=en.
