Hi Craig,

I've been puzzling over this text in 4.2: "... the authentication of the client is based on the user-agent's same-origin policy."

I consider this a relic from the original User-Agent Flow description. This flow was dedicated to JavaScript apps running embedded in a webpage.


I get that the client can't be provisioned with secret credentials and that's why we're using this flow, but I'm puzzled by the implication that it might still be possible to authenticate the client. Isn't the point of this flow that you can't?

Such a client can be validated based on its redirect URI if this URI (or the base URI) has been registered previously.


Specifically, how would you verify that the request is coming from a user agent that even has a same-origin policy?

Good question :-)!

regards,
Torsten.

Thanks!

- Craig.
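The redirect-URI check Torsten describes, as an added example that is not from the thread or any OAuth implementation: an authorization server validates a public client's requested redirect URI against either a fully registered URI (exact match after normalization) or a registered base URI (same scheme, host and port, path extended on a "/" boundary). The client id, registered values and function names are assumptions for this example.

```python
from urllib.parse import urlsplit

# Constructed registration table for one public (user-agent) client; values
# and the client id are assumptions for this example, not real data.
REGISTERED = {
    "spa-client": {
        "redirect_uris": ["https://app.example/cb"],
        "base_uris": ["https://app.example/oauth/"],
    },
}


def _normalize(uri):
    """Return (scheme, host, port, path, query), or None if the URI carries a
    fragment (RFC 6749 3.1.2 forbids fragments in redirection endpoints)."""
    parts = urlsplit(uri)
    if parts.fragment:
        return None
    scheme = parts.scheme.lower()
    default_port = {"https": 443, "http": 80}.get(scheme)
    port = parts.port if parts.port is not None else default_port
    return scheme, parts.hostname or "", port, parts.path or "/", parts.query


def redirect_uri_allowed(client_id, requested):
    """True only if `requested` matches a registered redirect URI or base URI."""
    reg = REGISTERED.get(client_id)
    req = _normalize(requested)
    if reg is None or req is None:
        return False
    # Full registration: simple comparison of the normalized components.
    if any(_normalize(u) == req for u in reg["redirect_uris"]):
        return True
    # Base registration: scheme/host/port must match exactly, and the requested
    # path must extend the base path on a "/" boundary with no dot segments, so
    # "/oauth-evil/" or "/oauth/../admin" are not accepted under "/oauth/".
    for base in reg["base_uris"]:
        b = _normalize(base)
        if b is None or not b[3].endswith("/"):
            continue
        same_origin = b[:3] == req[:3]
        under_base = req[3].startswith(b[3])
        no_dot_segments = not any(seg in ("..", ".") for seg in req[3].split("/"))
        if same_origin and under_base and no_dot_segments:
            return True
    return False
```

A lookalike host, a downgraded scheme or a substring-only path match all fail this check, which is what makes the registered URI usable as the client's identity for this flow.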

_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth