Hello, When using User-agent flow with OAuth2 for mobile platform, there is no way for Authorization server to authenticate the client_id of the application.
So, anyone can impersonate my app by copying the client_id (and so get all access tokens on my behalf), and this is applicable to Facebook, Foursquare,... This is not managed by OAuth2 ? Or I missed something ? For Web applications (Web server flow), access token is stored on the server side, and the client is authenticated using secret key. -- Karim <[email protected]>
_______________________________________________ OAuth mailing list [email protected] https://www.ietf.org/mailman/listinfo/oauth
