But that's just an annoying implementation detail. If the only difference now
between the hybrid and web server flows is one character ('?' vs '#'), and all
the other security considerations and rules (matching, registration, etc.) are
the same, I don't see any point in going back to -05 structure. Otherwise, we
have exactly the same section repeating twice or three times, with almost no
differences (which actually makes it harder to pick).
EHL
> -----Original Message-----
> From: Brian Eaton [mailto:[email protected]]
> Sent: Tuesday, January 11, 2011 12:49 PM
> To: Eran Hammer-Lahav
> Cc: OAuth WG
> Subject: Re: [OAUTH-WG] Proposal to drop/relocate
> response_type=code_and_token
>
> On Tue, Jan 11, 2011 at 12:45 PM, Eran Hammer-Lahav
> <[email protected]> wrote:
> > The exact same argument can be made that the hybrid flow meets all the
> > use cases of the web-server flow... which means we can keep the
> > current single flow specification as is... :-)
> >
> > What am I missing? (I'm asking).
>
> The hybrid flow does not work well for applications that consist mainly of
> server-side code. The URL fragment is not transferred to the web server, so
> they have to write extra client-side code to send it up to their server.
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
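
The '?' vs '#' point discussed in this thread, as an added example that is not part of the original messages: parameters in the query reach the server-side handler, parameters in the fragment do not and have to be relayed by client-side script. The host client.example.com, the /cb and /oauth/relay paths, the sample values and all function names are assumptions made for illustration.

```javascript
// Constructed sample redirects (host, paths and values are made up).
const WEB_SERVER_REDIRECT =
  'https://client.example.com/cb?code=SAMPLE_CODE&state=xyz';
const HYBRID_REDIRECT =
  'https://client.example.com/cb#code=SAMPLE_CODE&access_token=SAMPLE_TOKEN&state=xyz';

// What the user agent puts on the wire: the request target is path + query.
// The fragment is never part of the HTTP request.
function requestTarget(redirectUrl) {
  const u = new URL(redirectUrl);
  return u.pathname + u.search;
}

// Parameters a server-side handler can read from that request.
function serverVisibleParams(redirectUrl) {
  const target = new URL(requestTarget(redirectUrl), 'https://placeholder.invalid');
  return Object.fromEntries(target.searchParams);
}

// Parameters only script running in the browser can read (location.hash).
function fragmentParams(redirectUrl) {
  const hash = new URL(redirectUrl).hash.replace(/^#/, '');
  return Object.fromEntries(new URLSearchParams(hash));
}

// The "extra client-side code": take the code out of the fragment and build
// the request that sends it up to the server. The access token is left in
// the browser and is not relayed. relayPath is a hypothetical endpoint.
function buildRelayRequest(redirectUrl, relayPath) {
  const { code, state } = fragmentParams(redirectUrl);
  if (!code) return null; // nothing in the fragment to relay
  const body = new URLSearchParams({ code, state: state ?? '' }).toString();
  return { method: 'POST', path: relayPath, body };
}

for (const url of [WEB_SERVER_REDIRECT, HYBRID_REDIRECT]) {
  console.log('request target :', requestTarget(url));
  console.log('server sees    :', serverVisibleParams(url));
  console.log('browser-only   :', fragmentParams(url));
  console.log('relay request  :', buildRelayRequest(url, '/oauth/relay'));
}
```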