OAuth 2.0 authors or anyone with authority on the draft, would appreciate some response to the below items.
3.5. User-Agent Flow

1. It is not clear from the draft how a user-agent flow would refresh an access token. As per section 4, the client does an HTTP(S) POST to the authorization server, which seems to return a 200 to the user-agent if the request was successful, leaving the user-agent in the authorization server's domain with JSON response data! If the user-agent flow cannot refresh the access token, why did it send the refresh_token in the fragment in the first place?

2. The draft doesn't seem to mention how a client in the user-agent can make protected resource requests, given that such requests would be cross-domain. The only viable option seems to be JSONP requests (e.g. Facebook). The specification should include some material describing protected resource requests in the user-agent flow case.
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
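As an added illustration of the fragment-encoded response the user-agent flow delivers (example code written for this page, not from the draft or the poster): a client-side handler that parses the fragment, checks the state value, records when the token expires, and deliberately does not keep the refresh_token, since the client has no defined way to present it. The parameter names access_token, expires_in, refresh_token and state are assumed from the draft being discussed; the sample fragment is constructed.

```javascript
// Parse "#access_token=...&expires_in=...&state=..." into a plain object.
// URLSearchParams handles percent-decoding; the leading "#" is stripped.
function parseFragment(hash) {
  const query = hash.startsWith('#') ? hash.slice(1) : hash;
  const out = {};
  for (const [key, value] of new URLSearchParams(query)) out[key] = value;
  return out;
}

// Accept the redirect fragment and build the client's in-memory session.
// expectedState is the value the client generated before redirecting;
// nowSeconds is the current time (injected so the logic is testable).
function acceptFragmentResponse(hash, expectedState, nowSeconds) {
  const p = parseFragment(hash);
  if (!p.access_token) throw new Error('fragment carries no access_token');
  // Reject responses that do not carry back our own state value.
  if (p.state !== expectedState) throw new Error('state mismatch');
  const expiresIn = Number(p.expires_in);
  return {
    accessToken: p.access_token,
    // Absolute expiry so the client knows when to re-run authorization.
    expiresAt: Number.isFinite(expiresIn) && expiresIn > 0 ? nowSeconds + expiresIn : null,
    // The refresh_token (if present) is noted but intentionally not stored:
    // this client has no defined way to use it from the user-agent.
    hadRefreshToken: Object.prototype.hasOwnProperty.call(p, 'refresh_token'),
  };
}

// Decide whether the client must send the user back through the
// authorization request rather than attempting any refresh.
function needsReauthorization(session, nowSeconds, skewSeconds = 30) {
  if (!session) return true;
  if (session.expiresAt === null) return false; // no expiry advertised
  return nowSeconds + skewSeconds >= session.expiresAt;
}

// Constructed sample fragment, as a user-agent would receive it.
const SAMPLE_HASH =
  '#access_token=abc123&expires_in=3600&refresh_token=r-1&state=xyz';
```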
