My point, though, is why remove the Native app flow and then replace it with
something that relies on having to warn the user about possible phishing
attacks in your UI, like Flickr does. I would find it difficult to get that
approved here in IBM.

I must look again at Luke Sheppard's suggestion for combining Native app
flow with UA flow, as that seems a better solution.

Mark

On 15/04/2010 18:15, Marius Scurtescu <[email protected]> wrote:

>> What is the benefit in combining Native flow and Device flow and then
>> having to expend effort preventing any ingenious phishing attacks?

> The main issue with the Native flow is how the client gets hold
> of the verification code. There are several solutions for that
> (embedded browser, custom scheme and handler app, launching browser
> process and checking window title), but all are hackish.

> The Device flow relies on the client polling the authz server and
> retrieving the tokens directly. This closes the loop nicely.




_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
