Still working on security considerations. I'm comparing these two profiles based on passwords:
http://tools.ietf.org/html/draft-hardt-oauth-01#section-5.1
- this is probably used by automated tasks.
- the password can be assumed to be high-entropy, since no one needs to remember it.
- why is this profile returning a refresh token? AFAICT, it is not useful. When the access token expires, the client can use the client password to get a new one.

http://tools.ietf.org/html/draft-hardt-oauth-01#section-6.1
- this is probably used by installed applications
- the password is low-entropy, it belongs to a human being.
- this profile *should* return a refresh token, because otherwise the installed application needs to save the password in order to get long-lived access to user data.

Thoughts?

Cheers,
Brian

_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
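To make the trade-off in the message concrete, here is an added simulation (not code from the thread, the draft, or any OAuth implementation) of the two profiles. The token endpoint, grant names, token lifetime, client id "cron-job", user "alice" and both passwords are constructed for illustration and do not reflect the wire format of draft-hardt-oauth-01. It models the point made above: the automated client keeps its high-entropy client password and simply re-authenticates when the access token expires, so no refresh token is issued to it, while the installed application persists only a refresh token and never stores the human's password.

```python
import hmac
import secrets
from dataclasses import dataclass, field

ACCESS_TOKEN_LIFETIME = 60  # seconds; constructed value for the simulation

@dataclass
class TokenEndpoint:
    """Simplified token endpoint supporting both password profiles plus refresh."""
    client_passwords: dict            # client_id -> high-entropy client password
    user_passwords: dict              # username  -> password a human remembers
    refresh_tokens: dict = field(default_factory=dict)   # refresh -> subject
    access_tokens: dict = field(default_factory=dict)    # access  -> (subject, expiry)

    def _issue(self, subject, now, with_refresh):
        access = secrets.token_urlsafe(16)
        self.access_tokens[access] = (subject, now + ACCESS_TOKEN_LIFETIME)
        refresh = None
        if with_refresh:
            refresh = secrets.token_urlsafe(16)
            self.refresh_tokens[refresh] = subject
        return access, refresh

    def client_password_grant(self, client_id, client_password, now):
        # Section 5.1 style: the client authenticates with its own password.
        expected = self.client_passwords.get(client_id)
        if expected is None or not hmac.compare_digest(expected, client_password):
            raise PermissionError("bad client credentials")
        # No refresh token: the client can always present its password again.
        return self._issue(("client", client_id), now, with_refresh=False)

    def user_password_grant(self, username, password, now):
        # Section 6.1 style: an installed app presents the user's password once.
        expected = self.user_passwords.get(username)
        if expected is None or not hmac.compare_digest(expected, password):
            raise PermissionError("bad user credentials")
        # Refresh token issued so the app can forget the password immediately.
        return self._issue(("user", username), now, with_refresh=True)

    def refresh_grant(self, refresh_token, now):
        subject = self.refresh_tokens.get(refresh_token)
        if subject is None:
            raise PermissionError("unknown refresh token")
        return self._issue(subject, now, with_refresh=False)

    def is_valid(self, access_token, now):
        entry = self.access_tokens.get(access_token)
        return entry is not None and now < entry[1]

class AutomatedTask:
    """Holds its own high-entropy client password and re-authenticates on expiry."""
    def __init__(self, endpoint, client_id, client_password):
        self.endpoint, self.client_id, self.client_password = endpoint, client_id, client_password
        self.access = None

    def get_access_token(self, now):
        if self.access is None or not self.endpoint.is_valid(self.access, now):
            self.access, _ = self.endpoint.client_password_grant(
                self.client_id, self.client_password, now)
        return self.access

class InstalledApp:
    """Persists only tokens; the user's password is never written to storage."""
    def __init__(self, endpoint):
        self.endpoint = endpoint
        self.storage = {}  # what would be saved on disk between runs

    def login(self, username, password, now):
        access, refresh = self.endpoint.user_password_grant(username, password, now)
        self.storage = {"access": access, "refresh": refresh}  # password dropped here

    def get_access_token(self, now):
        if not self.endpoint.is_valid(self.storage["access"], now):
            self.storage["access"], _ = self.endpoint.refresh_grant(self.storage["refresh"], now)
        return self.storage["access"]

def demo():
    """Run both clients across an access-token expiry; report what each had to keep."""
    cron_secret = secrets.token_urlsafe(32)          # constructed client password
    user_password = "correct horse battery staple"   # constructed human password
    ep = TokenEndpoint(client_passwords={"cron-job": cron_secret},
                       user_passwords={"alice": user_password})
    t0, t1 = 1000.0, 1000.0 + ACCESS_TOKEN_LIFETIME + 1
    task = AutomatedTask(ep, "cron-job", cron_secret)
    task_first, task_later = task.get_access_token(t0), task.get_access_token(t1)
    _, client_refresh = ep.client_password_grant("cron-job", cron_secret, t0)
    app = InstalledApp(ep)
    app.login("alice", user_password, t0)
    app_first = app.storage["access"]
    app_later = app.get_access_token(t1)
    return {
        "client_profile_issues_refresh": client_refresh is not None,
        "installed_profile_issues_refresh": app.storage["refresh"] is not None,
        "task_renewed_with_client_password": task_first != task_later and ep.is_valid(task_later, t1),
        "app_renewed_without_password": app_first != app_later and ep.is_valid(app_later, t1),
        "app_storage_holds_password": user_password in app.storage.values(),
    }
```

Calling `demo()` returns the five checks; the two that matter for the argument are that the installed app renews access after expiry while its storage never contains the user's password, and that the automated task renews by re-presenting its client password with no refresh token involved. Withholding the refresh token in `client_password_grant` is a choice made in this simulation to match the observation above, not a statement about what the draft itself does.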
