I was thinking of something purely browser-based, akin to Facebook Connect or Twitter Anywhere, where the client would only have to ask the user for authorization once. I don't know what the current practice is for storing an access token client side (cookie/local storage), but regardless, either every time the user refreshes the page or the access token expires, the client would have to ask the user again for authorization, even if the user didn't revoke access.

Is there a current practice for how an implicit client should store access tokens, or whether they should store them at all? Also, what is the current state of which token type to implement for access to protected resources? I've heard a few arguments for and against both bearer and MAC, but for many OAuth2 implementers it seems the current practice is to use neither and just append the access_token to a client request. I see and understand the danger in this if an access token were leaked, so I am making sure to implement expiring tokens. I just wasn't sure if this was in the cards for clients implementing an implicit flow.

Thanks for responding so quickly guys.

-Doug Tangren
http://lessis.me
_______________________________________________ OAuth mailing list [email protected] https://www.ietf.org/mailman/listinfo/oauth
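The two questions raised above (how an implicit-flow client should hold an access token between page loads, and how it should present a bearer token to a resource server) can be illustrated with a small browser-side token store. The code below is an added example and is not part of Doug's post or of any OAuth library; it assumes a `sessionStorage`-style object with `getItem`/`setItem`/`removeItem` (an in-memory stand-in is included so it also runs outside a browser), an injectable clock for testing, and a hypothetical `KEY` name for the stored record. It keeps the token only until its `expires_in` deadline and sends it in the `Authorization` header rather than as an `access_token` query parameter.

```javascript
// Added example (not from the original mailing-list post): minimal access-token
// handling for a browser-based OAuth 2.0 implicit-flow client.
// Assumptions: a storage object with getItem/setItem/removeItem (sessionStorage
// in a browser, an in-memory stand-in here), an injected clock for tests, and
// the hypothetical storage key name below.

// Tiny stand-in for window.sessionStorage so the example runs under Node too.
function memoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
    removeItem: (k) => { m.delete(k); },
  };
}

const KEY = 'oauth2_access_token'; // hypothetical key name

// Parse the implicit-grant redirect fragment, e.g.
// "#access_token=...&token_type=bearer&expires_in=3600&state=xyz"
function parseFragment(fragment) {
  const params = new URLSearchParams(fragment.replace(/^#/, ''));
  const out = {};
  for (const [k, v] of params) out[k] = v;
  return out;
}

// Persist the token together with an absolute expiry so a page refresh does
// not force a new authorization round trip. Returns the stored record.
function storeToken(storage, fragmentParams, nowMs = Date.now()) {
  const expiresIn = Number(fragmentParams.expires_in);
  if (!fragmentParams.access_token || !Number.isFinite(expiresIn) || expiresIn <= 0) {
    throw new Error('incomplete token response');
  }
  const record = {
    access_token: fragmentParams.access_token,
    token_type: (fragmentParams.token_type || 'bearer').toLowerCase(),
    expires_at: nowMs + expiresIn * 1000,
  };
  storage.setItem(KEY, JSON.stringify(record));
  return record;
}

// Return the token only while it is still valid (with a small clock-skew
// margin); once expired, drop it so the client re-asks for authorization
// instead of sending a stale token.
function loadToken(storage, nowMs = Date.now(), skewMs = 30000) {
  const raw = storage.getItem(KEY);
  if (raw === null) return null;
  const record = JSON.parse(raw);
  if (record.expires_at - skewMs <= nowMs) {
    storage.removeItem(KEY);
    return null;
  }
  return record;
}

// Build fetch() options carrying the bearer token in the Authorization header.
// A query-string access_token ends up in server logs, browser history and
// Referer headers; a request header does not.
function authorizedRequest(record, init = {}) {
  if (record.token_type !== 'bearer') {
    throw new Error(`unsupported token_type: ${record.token_type}`);
  }
  const headers = { ...(init.headers || {}), Authorization: `Bearer ${record.access_token}` };
  return { ...init, headers };
}

// Browser usage (not executed here):
//   const rec = storeToken(window.sessionStorage, parseFragment(location.hash));
//   history.replaceState(null, '', location.pathname); // drop token from the URL
//   fetch('https://resource.example/api', authorizedRequest(rec, { method: 'GET' }));
```

The design choice worth noting is that `loadToken` removes an expired record rather than returning it: the client then falls back to the authorization endpoint exactly as it would on first use, which is the behaviour the post describes, but only once the token has actually lapsed instead of on every page load.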
