On Wed, Jul 6, 2011 at 1:31 PM, Justin Richer <[email protected]> wrote:
> You can still use the access code (web server) flow within a JavaScript
> application, just without a reliable client secret. The point of the
> "implicit" flow was to save a roundtrip to the server for light clients
> with limited lifespans, and it's a tradeoff between security, ease of
> implementation, and performance.

Yep. Two other options.

- give out authorization codes via the user-agent flow. We've implemented a
  variation of this based on HTML5 and window.postMessage.

- use a fixed callback URL for the user-agent flow. Make sure that fixed
  callback URL does not run random bits of script. Then have that fixed
  callback URL use JavaScript to convey the token to other pages on the same
  origin.

It's a bad idea to use the user-agent flow without a specific whitelist of
callback URLs which can receive the token.
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
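The "fixed callback URL" option above, worked through as an added example; this is not code from the thread or from any of the participants' implementations. It models three pieces: the authorization server matching redirect_uri exactly against the registered whitelist, a static callback page pulling the token out of its URL fragment and handing it to the page that opened it via window.postMessage with an explicit target origin, and the receiving page checking event.origin before trusting the token. The same relay works for an authorization code instead of a token. All URLs, origins, storage keys and function names (validateRedirectUri, parseFragment, relayToken, acceptTokenMessage) are illustrative assumptions.

```javascript
// Added example, not code from the original thread or any IETF implementation.
// Models the "fixed callback URL" option: a static callback page takes the
// token out of its URL fragment and hands it to another page on the same
// origin with window.postMessage, while the authorization server only
// redirects to exactly-registered callback URLs. Names, URLs and origins are
// illustrative assumptions.

// Authorization-server side: the requested redirect_uri must be an exact
// string match for one of the client's registered callback URLs. No prefix,
// wildcard or "same host" matching; otherwise an attacker-controlled path or
// query string on the same host could end up receiving the token.
function validateRedirectUri(requested, registeredUris) {
  return typeof requested === 'string' && registeredUris.includes(requested);
}

// Callback-page side: parse the fragment of an implicit-grant redirect, e.g.
// https://app.example.com/oauth/callback#access_token=...&state=...
// The fragment is never sent to the server, so only this page's script sees it.
function parseFragment(redirectUrl) {
  const hash = new URL(redirectUrl).hash.replace(/^#/, '');
  const out = {};
  for (const [key, value] of new URLSearchParams(hash)) out[key] = value;
  return out;
}

// Decide what the callback page may post and to whom. Returns null if the
// token is missing or the state does not match the value stored before the
// redirect (the CSRF check). targetOrigin is the page's own origin; posting
// to '*' would let any window that opened the popup read the token.
function relayToken(redirectUrl, expectedState, targetOrigin) {
  const frag = parseFragment(redirectUrl);
  if (!frag.access_token) return null;
  if (!expectedState || frag.state !== expectedState) return null;
  return {
    targetOrigin,
    message: {
      type: 'oauth_token',
      access_token: frag.access_token,
      token_type: frag.token_type || 'Bearer',
      expires_in: frag.expires_in ? Number(frag.expires_in) : null,
    },
  };
}

// Receiving side (the page that opened the callback popup), registered as
//   window.addEventListener('message', e => acceptTokenMessage(e, window.location.origin));
// Accept the token only when event.origin is the callback page's origin and
// the payload has the expected shape; anything else is ignored.
function acceptTokenMessage(event, callbackOrigin) {
  if (!event || event.origin !== callbackOrigin) return null;
  const data = event.data;
  if (!data || data.type !== 'oauth_token' || typeof data.access_token !== 'string') {
    return null;
  }
  return data.access_token;
}

// Browser glue; inert under Node. The callback page is static and loads no
// third-party script, so nothing else on it can read location.hash.
if (typeof window !== 'undefined' && window.opener) {
  const expected = window.sessionStorage.getItem('oauth_state'); // assumed key
  const relay = relayToken(window.location.href, expected, window.location.origin);
  if (relay) {
    window.opener.postMessage(relay.message, relay.targetOrigin);
    // Drop the token from the URL so it does not linger in history.
    window.history.replaceState(null, '', window.location.pathname);
  }
  window.close();
}
```

The exact-match check on the server and the exact-origin checks on both sides of postMessage are what turn "a whitelist of callback URLs" into something enforceable; a substring or prefix match at any of the three points gives the token away to whoever controls a sibling path or a look-alike origin.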
