On Tue, Apr 13, 2010 at 1:35 PM, Luke Shepard <[email protected]> wrote:

> The Native Application and the User-Agent flows should be combined into one
> flow. The combined flow works for all client-side code. This is how it was
> in David's original draft; I'd love some help understanding why it was
> separated again.

I'd like to see them separate. I'm open to being convinced otherwise. I've got two reasons for preferring that they be separate.

1) You can authenticate the client for user-agent flows. You can't for native-app flows. You can authenticate client-side JavaScript by callback URL. For example, a token returned to http://www.example.com/javascript_widget can be assumed to only be accessible to www.example.com. This, in turn, lets you do interesting things policy-wise: for example, you can remember that a user has approved that JS widget and automatically give it new tokens as needed. You can't do the same thing for native apps. Even if they have a callback URL, you can't know which application is going to receive tokens issued to the callback URL.

2) User-Agent flows don't need persistent access to user data. A JS widget doesn't need a refresh token that grants permanent access to user data, and from a security perspective I'd prefer not to hand out verification codes without good reasons. A native app, on the other hand, does need permanent access to user data, and so does need a verification code.

Cheers,
Brian

_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
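The two policy points in the reply above, as an added example that is not part of the thread or of any OAuth draft: a toy authorization-server decision routine that treats an exactly registered https callback as client authentication for user-agent clients only, auto-approves remembered grants only for such clients, and hands persistent credentials only to native apps. Client records, redirect URIs and user names are constructed sample data; requiring https (the mail's example uses http) is this example's own assumption.

```python
# Added example, not from the mailing-list thread: a toy authorization-server
# policy encoding Brian's two points. All client data below is constructed.
from dataclasses import dataclass, field
from urllib.parse import urlsplit

@dataclass
class Client:
    client_id: str
    kind: str                      # "user_agent" (JS in a browser) or "native"
    redirect_uris: frozenset       # exactly registered callback URLs
    remembered_approvals: set = field(default_factory=set)  # users who approved before

def redirect_uri_identifies_client(client, redirect_uri):
    """A token delivered to https://www.example.com/... is readable only by
    code running on www.example.com, so for a user-agent client an exactly
    registered https callback authenticates the client. For a native app the
    callback says nothing about which program will receive the token."""
    if redirect_uri not in client.redirect_uris:   # exact string match, no prefix tricks
        return False
    if client.kind != "user_agent":
        return False
    parts = urlsplit(redirect_uri)
    return parts.scheme == "https" and bool(parts.netloc) and not parts.fragment

def decide(client, redirect_uri, user, user_approved_now=False):
    """Issuance decision for one authorization request.
    Raises ValueError when the callback is not registered for the client."""
    if redirect_uri not in client.redirect_uris:
        raise ValueError("unregistered redirect_uri")
    authenticated = redirect_uri_identifies_client(client, redirect_uri)
    # Point 1: only an authenticated (user-agent) client may be auto-approved
    # from a remembered decision; a native app must re-prompt the user every time.
    auto = authenticated and user in client.remembered_approvals
    if not (auto or user_approved_now):
        return {"issue": False, "reason": "user consent required"}
    if user_approved_now and authenticated:
        client.remembered_approvals.add(user)
    # Point 2: a JS widget gets a short-lived access token only; persistent
    # credentials (refresh token / verification code) go to native apps alone.
    return {
        "issue": True,
        "access_token": True,
        "refresh_token": client.kind == "native",
        "auto_approved": auto,
    }
```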
