If we consider an HTML5 browser, I am not sure there is a clear separation between native apps and user-agent clients. What is the technical difference between a native app and a browser that supports HTML5 localStorage?
On Fri, Jun 25, 2010 at 9:22 AM, Marius Scurtescu <[email protected]> wrote:
> I think the main difference is that User-Agent clients (aka JavaScript clients) cannot store a secret while Native Apps can safely store a secret, but the secret cannot be distributed (or, even if it can be distributed, it may not have much value).
>
> The difference is important. Each native app instance could require a registration phase that would provide a unique secret and possibly Id. This registration phase could be completely automatic or could involve the end user. There have been proposals for both. How much value there is in such a registration is not clear to me.
>
> Marius
>
> On Thu, Jun 24, 2010 at 6:50 PM, Brian Dunnington <[email protected]> wrote:
>> In the 'User-Agent' profile, it says:
>>
>> "This user-agent profile does not utilize the client secret since the client executables reside on the end-user's computer or device which makes the client secret accessible and exploitable"
>>
>> However, the 'Native Apps' profile does not include such verbiage and in fact specifically requires the use of the client secret. Native apps' executables also reside on the end-user's computer or device, making the client secret just as accessible and exploitable, so why the difference?
>>
>> Specifically, as a native app developer, there is no good (secure) way to distribute the client secret without it being compromised. Any open-source application would have even more problems keeping their secret secure, but even compiled apps are easily exploitable. In this scenario, there is no single, secure repository to keep the client secret safe, so I would expect that the requirement of the client secret for native apps be removed and made conformant with the user-agent profile.
>> _______________________________________________
>> OAuth mailing list
>> [email protected]
>> https://www.ietf.org/mailman/listinfo/oauth
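The two points argued above, that a secret compiled into a distributed app is recoverable by anyone holding a copy, and that a per-instance registration phase gives each install its own credentials, can be shown side by side. The following Python is an added illustration and is not code from the thread or from any OAuth draft: the `AuthServer` class, the fake binary image, the secret value and the `simulate` helper are all constructed for this example, and client authentication is reduced to a secret comparison with no real token endpoint.

```python
"""
Per-instance client credentials versus a secret compiled into every copy
of a native app.  Constructed illustration; AuthServer, the fake binary
image and SHIPPED_SECRET are not from any real implementation or draft.
"""
import hmac
import re
import secrets
from typing import List, Optional, Tuple

# Constructed "client secret" baked into every copy of a native app.
SHIPPED_SECRET = "s3cr3t-shared-by-every-install"


def build_fake_binary() -> bytes:
    """Stand-in for a compiled executable (constructed): non-printable
    filler around the literals a compiler emits for string constants."""
    filler = bytes([0x00, 0x01, 0x7F, 0x80, 0xFF]) * 16
    return (filler + b"version=1.0.3\x00" + filler
            + b"client_secret=" + SHIPPED_SECRET.encode() + b"\x00" + filler)


def printable_strings(blob: bytes, min_len: int = 8) -> List[str]:
    """Minimal re-implementation of the `strings` utility: runs of
    printable ASCII at least min_len bytes long."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, blob)]


def recover_shipped_secret(blob: bytes) -> Optional[str]:
    """What anyone with a copy of the app can do: scan for the literal.
    No disassembly is needed, which is the point about compiled apps."""
    for s in printable_strings(blob):
        if s.startswith("client_secret="):
            return s.split("=", 1)[1]
    return None


class AuthServer:
    """Toy authorization server (constructed): issues and checks client
    credentials and lets an operator revoke a client_id."""

    def __init__(self) -> None:
        self._clients = {}      # client_id -> client_secret
        self._revoked = set()
        self._next = 0

    def register_shared(self, secret: str) -> Tuple[str, str]:
        """Conventional model: one client_id/secret pair for the whole app."""
        self._clients["shared-app"] = secret
        return "shared-app", secret

    def register_instance(self) -> Tuple[str, str]:
        """The automatic registration phase: each install obtains its own
        client_id and a freshly generated secret."""
        self._next += 1
        client_id = "inst-%04d" % self._next
        secret = secrets.token_urlsafe(24)
        self._clients[client_id] = secret
        return client_id, secret

    def token_request(self, client_id: str, client_secret: str) -> bool:
        """Client authentication at the token endpoint (simplified):
        unknown or revoked ids fail; secrets compare in constant time."""
        expected = self._clients.get(client_id)
        if expected is None or client_id in self._revoked:
            return False
        return hmac.compare_digest(expected.encode(), client_secret.encode())

    def revoke(self, client_id: str) -> None:
        self._revoked.add(client_id)


def simulate(n_installs: int, per_instance: bool) -> Tuple[bool, int]:
    """One install's secret leaks and the operator revokes that client_id.
    Returns (attacker still accepted, honest installs still working)."""
    server = AuthServer()
    if per_instance:
        creds = [server.register_instance() for _ in range(n_installs)]
    else:
        creds = [server.register_shared(SHIPPED_SECRET)] * n_installs
    victim_id, victim_secret = creds[0]          # the copy the attacker has
    server.revoke(victim_id)                     # operator response to the leak
    attacker_ok = server.token_request(victim_id, victim_secret)
    honest_ok = sum(server.token_request(c, s) for c, s in creds[1:])
    return attacker_ok, honest_ok


if __name__ == "__main__":
    print("extracted from binary:", recover_shipped_secret(build_fake_binary()))
    print("shared secret, (attacker ok, honest ok):", simulate(5, False))
    print("per-instance,  (attacker ok, honest ok):", simulate(5, True))
```

With a shared secret the only way to lock out the extracted copy is to revoke the credential every install uses, so `simulate(5, False)` returns `(False, 0)`; with per-instance credentials revoking the leaked id leaves the other four installs working, `(False, 4)`. The caveat the thread already states still applies: a per-instance secret lives on the end user's device and does not authenticate the software to that user, it only stops one leak from becoming a leak of everyone's credential.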
