One of the results at the OAuth meeting on Friday was that non-normative text
describing how to use OAuth with native applications will be restored to the
framework draft. We could start with the text from past drafts, but it can
likely be improved upon as well.
Marius, as someone who has extensively deployed an OAuth protocol with native
apps, what would you like the draft to say about this? (Others with actual
deployments, please respond as well if you have things to add!)
Thanks,
-- Mike
-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of
Skylar Woodward
Sent: Monday, April 04, 2011 11:54 AM
To: Marius Scurtescu
Cc: Kris Selden; [email protected]
Subject: Re: [OAUTH-WG] Flowchart for legs of OAuth
I agree with Marius' points. We plan to support the auth-code flow for native
apps as well. There is no reason why native apps can't perform a successful
auth-code flow, they just do so without client credentials. However, the spec
doesn't make it clear that this is a viable option.
skylar
On Apr 4, 2011, at 2:29 PM, Marius Scurtescu wrote:
> On Mon, Apr 4, 2011 at 10:47 AM, Kris Selden <[email protected]> wrote:
>> A typical iPhone app cannot be shipped with a client secret and rightly or
>> wrongly users expect to only have to enter their credentials once.
>>
>> What is the best profile to use for an app that can't have a client secret
>> and needs a refresh token or a long lived access token?
>
> The authorization code grant, aka web server flow.
>
> The spec is misleading in this respect IMO.
>
> Marius
> _______________________________________________
> OAuth mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/oauth