On 2011-01-10, at 3:25 PM, Brian Eaton wrote:

> On Mon, Jan 10, 2011 at 3:06 PM, Eran Hammer-Lahav <[email protected]> wrote:
>> What about the difference between the two access tokens? The one issued
>> directly and the one via the code? Are those the same? Same scope? Same
>> duration?
>
> Same.
>
>> I think this needs to be presented as a separate profile from the user-agent
>> one because it will make it easier to better describe the security
>> consideration of each.
>
> That seems wrong, AFAICT everyone interested in implementing the
> user-agent profile supported the mode where a verification code is
> returned.

As I recall, the verification code originally was a one-time use code that was short and could potentially be typed in by the user, or could be passed to the rich client via the page title or other, related "hacks".

_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
