Inline.

On May 28, 2010, at 9:29 AM, Murali VP wrote:

> OAuth 2.0 authors or anyone with authority on the draft, would appreciate
> some response to the below items.
>
> 3.5. User-Agent Flow
>
> 1. It is not clear from the draft how a user-agent flow would refresh
> an access token.

There are still some discussions about the best way to get a refresh token from the user-agent flow. Currently it is just passed back, and then it is up to the user-agent to pass it securely to the server. My preference is to pass back a verification code and require the user to get it. The refresh token would be used by the server to maintain long-lived access after the user has stopped using the app.

> As per section 4, the client does an HTTP(S) POST to the
> authorization server, which seems to return a 200 to the user-agent if the
> request was successful, leaving the user-agent in the authorization
> server's domain with JSON response data! If the user-agent flow cannot
> refresh the access token, why did it send the refresh_token in the first
> place in the fragment?

If you are refreshing from within the user agent, the preferred method would be to make an "immediate" request and get a new token that way.

> 2. The draft doesn't seem to mention how a client in the user-agent
> can make protected resource requests, given that such requests would be
> cross-domain. The only viable option seems to be JSONP requests (e.g.
> Facebook). The specification should include some material describing
> protected resource requests in the user-agent flow case.

JSONP is the simplest cross-domain technique, but there are others - for example, Flash, postMessage, or using a fragment. The techniques vary based on browser and circumstance and they are outside the scope of the spec.

I think the best supplemental material will come in the form of well-commented libraries that implement the requests (for example, see http://github.com/facebook/connect-js/blob/master/src/core/api.js#L304 )

_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
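An added example in JavaScript (not code from the original thread or from the Facebook library it cites) of the user-agent flow handling discussed above: pulling the token out of the redirect fragment, checking state and expires_in to decide when to go back for an "immediate" request, and building a JSONP URL for a protected resource call. The oauth_token query-parameter name and the callback-parameter name are assumptions, and the sample redirect URIs in the test are constructed.

```javascript
// Added example (not from the original message or the cited library): the
// user-agent flow redirect discussed in the thread. Fragment parameter names
// follow the OAuth 2.0 drafts; oauth_token and callback are assumptions.

// Parse the fragment of the redirect URI into a params object. The fragment
// is visible only to the user agent: browsers do not send it to the server,
// which is why the draft returns the token there instead of in the query.
function parseFragment(redirectUri) {
  const hashIndex = redirectUri.indexOf('#');
  if (hashIndex < 0) return {};
  const params = {};
  for (const pair of redirectUri.slice(hashIndex + 1).split('&')) {
    if (!pair) continue;
    const [key, value = ''] = pair.split('=');
    params[decodeURIComponent(key)] = decodeURIComponent(value.replace(/\+/g, ' '));
  }
  return params;
}

// Validate the response: an error parameter means the request failed, the
// state must match what this client generated (so a token planted by another
// page is rejected), and expires_in is recorded so a refresh can be scheduled.
function validateUserAgentResponse(params, expectedState, nowSeconds) {
  if (params.error) return { ok: false, error: params.error };
  if (expectedState !== undefined && params.state !== expectedState) {
    return { ok: false, error: 'state_mismatch' };
  }
  if (!params.access_token) return { ok: false, error: 'missing_access_token' };
  const expiresIn = Number(params.expires_in);
  const expiresAt = Number.isFinite(expiresIn) && expiresIn > 0 ? nowSeconds + expiresIn : null;
  return { ok: true, accessToken: params.access_token, expiresAt };
}

// The in-browser client has no refresh endpoint it can safely call, so when
// the token is near expiry (or has no known expiry) it should return to the
// authorization endpoint with immediate=true, as the reply above suggests.
function needsImmediateReauth(token, nowSeconds, marginSeconds = 60) {
  return token.expiresAt === null || token.expiresAt - nowSeconds <= marginSeconds;
}

// Build a JSONP URL for a protected resource call: the token travels as a
// query parameter and the server wraps its JSON in the named callback so a
// <script> tag can deliver it cross-domain.
function buildJsonpUrl(resourceUrl, accessToken, callbackName) {
  const url = new URL(resourceUrl);
  url.searchParams.set('oauth_token', accessToken);
  url.searchParams.set('callback', callbackName);
  return url.toString();
}
```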
