> -----Original Message-----
> From: Brian Eaton [mailto:[email protected]]
> Sent: Monday, January 10, 2011 3:25 PM
> To: Eran Hammer-Lahav
> Cc: OAuth WG
> Subject: Re: [OAUTH-WG] Proposal to drop/relocate response_type=code_and_token
>
> On Mon, Jan 10, 2011 at 3:06 PM, Eran Hammer-Lahav <[email protected]> wrote:
> > What about the difference between the two access tokens? The one
> > issued directly and the one via the code? Are those the same? Same scope?
> > Same duration?
>
> Same.
>
> > I think this needs to be presented as a separate profile from the user-agent
> > one because it will make it easier to better describe the security
> > consideration of each.
>
> That seems wrong, AFAICT everyone interested in implementing the
> user-agent profile supported the mode where a verification code is returned.
Supported as in "+1" or running code?

These are two very different client profiles. In one, the client is completely authenticated, residing solely in the user-agent. The other is a mix of authenticated and unauthenticated, where parts of the client can keep secrets but others can't. Being able to keep a secret is the primary differentiator when picking which profile to use.

I agree that the hybrid one is an optimization of the web-server profile (removing the need to wait for the server to send a token back to the user-agent after exchanging the code). But that only means the code_and_token really belongs more with the web-server profile than with the user-agent one.

Moving to the profiles specification organization means that we need to present each distinct profile separately, and the code_and_token is clearly a distinct profile. With your clarifications, I feel comfortable leaving it in, but not as a hack of either one of the other two profiles.

EHL

_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
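The hybrid flow the two messages above argue about, modelled as an added example; this is not code from the thread, the OAuth WG, or any draft. It assumes the points Brian confirms (the directly issued token and the code-redeemed token share scope and lifetime) and makes its own choices for everything else: the code is placed in the query component so it reaches the web-server half, the access token in the fragment so it stays in the user-agent half, the token endpoint requires a client secret, and a code is single use. The client registration, redirect URI and scope are constructed for the example.

```python
"""Toy model of OAuth 2.0 response_type=code_and_token (the hybrid profile).

Added illustration, not code from the OAuth WG or any draft. Parameter
placement (code in the query, access_token in the fragment), the shared
lifetime, and the client registration below are assumptions for this example.
"""
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

TOKEN_LIFETIME = 3600  # assumed lifetime in seconds, shared by both tokens

# Constructed registration: one client whose web-server half holds a secret.
CLIENTS = {"webapp": "s3cret"}


class AuthorizationServer:
    def __init__(self):
        self._codes = {}   # code -> grant it was issued for (single use)
        self._tokens = {}  # access_token -> attributes

    def _issue_token(self, client_id, scope):
        token = secrets.token_urlsafe(16)
        self._tokens[token] = {"client_id": client_id, "scope": scope,
                               "expires_in": TOKEN_LIFETIME}
        return token

    def authorize(self, response_type, client_id, redirect_uri, scope):
        """End-user authorization endpoint; the resource owner is assumed to
        have approved. Returns the URL the user-agent is redirected to."""
        if response_type not in ("code", "token", "code_and_token"):
            raise ValueError("unsupported response_type")
        if client_id not in CLIENTS:
            raise ValueError("unknown client")
        query, fragment = {}, {}
        if response_type in ("code", "code_and_token"):
            code = secrets.token_urlsafe(16)
            self._codes[code] = {"client_id": client_id,
                                 "redirect_uri": redirect_uri, "scope": scope}
            query["code"] = code  # query component: sent to the web server
        if response_type in ("token", "code_and_token"):
            fragment["access_token"] = self._issue_token(client_id, scope)
            fragment["expires_in"] = TOKEN_LIFETIME
            fragment["scope"] = scope  # fragment: stays in the user-agent
        url = redirect_uri
        if query:
            url += "?" + urlencode(query)
        if fragment:
            url += "#" + urlencode(fragment)
        return url

    def token(self, code, client_id, client_secret, redirect_uri):
        """Token endpoint: only the half that can keep a secret may redeem."""
        if CLIENTS.get(client_id) != client_secret:
            raise PermissionError("client authentication failed")
        grant = self._codes.pop(code, None)  # pop: a code is single use
        if (grant is None or grant["client_id"] != client_id
                or grant["redirect_uri"] != redirect_uri):
            raise PermissionError("invalid code")
        token = self._issue_token(client_id, grant["scope"])
        return dict(self._tokens[token], access_token=token)

    def introspect(self, token):
        return self._tokens.get(token)


def split_redirect(url):
    """What each half of the hybrid client sees: the user-agent reads the
    fragment; the server receives only the query (browsers omit the fragment)."""
    parts = urlsplit(url)
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    fragment = {k: v[0] for k, v in parse_qs(parts.fragment).items()}
    return query, fragment


def run_hybrid_flow():
    """Drive one code_and_token authorization and report what each side got."""
    srv = AuthorizationServer()
    redirect_uri = "https://webapp.example/cb"  # constructed
    url = srv.authorize("code_and_token", "webapp", redirect_uri, "read")
    query, fragment = split_redirect(url)

    # User-agent half: usable token straight from the fragment, no round trip.
    ua_token = srv.introspect(fragment["access_token"])

    # User-agent half cannot redeem the code: it holds no client secret.
    try:
        srv.token(query["code"], "webapp", None, redirect_uri)
        unauth_rejected = False
    except PermissionError:
        unauth_rejected = True

    # Web-server half redeems the code with its secret.
    server_token = srv.token(query["code"], "webapp", CLIENTS["webapp"], redirect_uri)

    # Replaying the same code must fail.
    try:
        srv.token(query["code"], "webapp", CLIENTS["webapp"], redirect_uri)
        replay_rejected = False
    except PermissionError:
        replay_rejected = True

    return {
        "query_keys": sorted(query),
        "fragment_keys": sorted(fragment),
        "ua_token": dict(ua_token, access_token=fragment["access_token"]),
        "server_token": server_token,
        "unauthenticated_exchange_rejected": unauth_rejected,
        "code_replay_rejected": replay_rejected,
    }


if __name__ == "__main__":
    r = run_hybrid_flow()
    print("user-agent side:", r["fragment_keys"], r["ua_token"]["scope"], r["ua_token"]["expires_in"])
    print("web-server side:", r["query_keys"], r["server_token"]["scope"], r["server_token"]["expires_in"])
    print("distinct tokens:", r["ua_token"]["access_token"] != r["server_token"]["access_token"])
```

The split between query and fragment is what makes the hybrid a distinct profile rather than a variant of either other one: the unauthenticated half gets a bearer token it can use immediately, while the code is only redeemable by the half that authenticates with the client secret, and the two tokens, although equal in scope and lifetime, are separate credentials that can be revoked independently.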
