On Thu, Apr 15, 2010 at 6:53 AM, Mark Mcgloin <[email protected]> wrote:
>> On 15/04/2010 07:52, Brian Eaton <[email protected]> wrote:
>>> As a security person, I'm hesitant to bring this up, but perhaps the
>>> Device Flow should just be the flow for native client apps.
>>
>> I'm open to this.
>>
>> For native apps: the native app can open a web browser with the device
>> code on the URL.  The code can be very long and impossible to
>> brute-force.  The session fixation/phishing attack still exists, but I
>> agree that could be addressed with good UI.
>
> What is the benefit in combining Native flow and Device flow and then
> having to expend effort preventing any ingenious phishing attacks?

The main issue with the Native flow is how the client gets hold of the
verification code. There are several solutions for that (embedded
browser, custom scheme and handler app, launching a browser process and
checking the window title), but all are hackish.

The Device flow relies on the client polling the authz server and
retrieving the tokens directly. This closes the loop nicely.

Marius
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth

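As an added example, not code from the thread or from any OAuth implementation: a self-contained simulation of the polling exchange Marius describes, with both sides present, the authorization server (issues codes, records the user's approval, answers polls) and the native client (shows the short user code, then polls the token endpoint with the long device code until tokens come back). The point it makes concrete is the one in the reply above: the client never has to scrape a browser for a verification code, because the only secret it needs, the device code, was handed to it directly and the tokens come back over the same channel. The approve() path is also where the session-fixation/phishing concern from the quoted text lives: whoever gets a user to type *their* user code gets that user's grant. Field and error names (device_code, user_code, authorization_pending, slow_down, expired_token) follow RFC 8628, the later standardisation of the Device flow, not the 2010 draft under discussion; the verification URI and client id are made up, and a fake clock stands in for real time so the whole exchange runs instantly.

```python
import secrets
import time
from dataclasses import dataclass


@dataclass
class DeviceGrant:
    device_code: str      # long secret, held only by the client, never shown to the user
    user_code: str        # short code the human types into an ordinary browser
    interval: int         # minimum seconds between polls
    expires_at: float
    approved: bool = False
    last_poll: float = 0.0


class AuthzServer:
    """Toy authorization server for the device flow (in-memory, single process)."""

    def __init__(self, clock=time.time, interval=5, lifetime=600):
        self.clock = clock
        self.interval = interval
        self.lifetime = lifetime
        self.grants = {}        # device_code -> DeviceGrant
        self.by_user_code = {}  # user_code -> DeviceGrant

    def device_authorization(self, client_id):
        """Client -> server: request a device code / user code pair."""
        device_code = secrets.token_urlsafe(32)       # 256 bits: not brute-forceable
        user_code = secrets.token_hex(4).upper()      # 8 hex chars: typeable by a human
        grant = DeviceGrant(device_code, user_code, self.interval,
                            self.clock() + self.lifetime)
        self.grants[device_code] = grant
        self.by_user_code[user_code] = grant
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://authz.example/device",  # assumed host
                "expires_in": self.lifetime, "interval": self.interval}

    def approve(self, user_code):
        """User -> server, from the user's own browser session: enter code, consent.
        Whoever persuades the user to type a given user code gets that grant, which
        is the session-fixation/phishing risk the thread says the UI must address."""
        grant = self.by_user_code.get(user_code)
        if grant is None or self.clock() > grant.expires_at:
            return False
        grant.approved = True
        return True

    def token(self, device_code):
        """Client -> server: poll the token endpoint with the device code."""
        grant = self.grants.get(device_code)
        now = self.clock()
        if grant is None:
            return {"error": "invalid_grant"}
        if now > grant.expires_at:
            self._forget(grant)
            return {"error": "expired_token"}
        if now - grant.last_poll < grant.interval:
            grant.last_poll = now
            return {"error": "slow_down"}
        grant.last_poll = now
        if not grant.approved:
            return {"error": "authorization_pending"}
        self._forget(grant)   # one-shot: a device code cannot be replayed for a second token
        return {"access_token": secrets.token_urlsafe(24), "token_type": "bearer"}

    def _forget(self, grant):
        self.grants.pop(grant.device_code, None)
        self.by_user_code.pop(grant.user_code, None)


def device_client(server, client_id, show_user, sleep, log):
    """Native client side: show the user code, then poll until tokens arrive.
    Nothing here touches the browser, so no scheme handler or window-title hack."""
    resp = server.device_authorization(client_id)
    show_user(resp["verification_uri"], resp["user_code"])
    interval = resp["interval"]
    while True:
        r = server.token(resp["device_code"])
        if "access_token" in r:
            log.append("client: received access token")
            return r
        log.append(f"client: poll -> {r['error']}")
        if r["error"] == "slow_down":
            interval += 5                      # RFC 8628: back off by 5 s on slow_down
        elif r["error"] != "authorization_pending":
            raise RuntimeError(r["error"])     # expired_token, access_denied, ...
        sleep(interval)


class FakeClock:
    """Replaces time.time/time.sleep so the exchange runs instantly."""
    def __init__(self, start=1_700_000_000.0):
        self.now = start
    def time(self):
        return self.now
    def sleep(self, seconds):
        self.now += seconds


def run_demo(approve_after_polls=2):
    """Run the full exchange; the simulated user approves after N pending polls."""
    clock = FakeClock()
    server = AuthzServer(clock=clock.time)
    log, prompt = [], {}

    def show_user(uri, user_code):
        prompt["user_code"] = user_code
        log.append(f"client -> user: open {uri} and enter {user_code}")

    def sleep(seconds):
        clock.sleep(seconds)
        if log.count("client: poll -> authorization_pending") == approve_after_polls:
            server.approve(prompt["user_code"])          # user finishes in their browser
            log.append("user -> server: approved in browser")

    token = device_client(server, "native-app", show_user, sleep, log)
    return token, log


if __name__ == "__main__":
    tok, msgs = run_demo()
    print("\n".join(msgs))
```

With real time, pass `time.time` and `time.sleep` instead of the fake clock; the server and client code do not change. The slow_down branch matters in practice: a client that ignores it and hammers the token endpoint is the usual way device-flow clients get rate-limited or blocked.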