I'm still trying to wrap my head around the differences between public
and confidential clients. In our IDP impl, we check redirect URIs and
associate a lot of private metadata to the access code to ensure there
is no client_id swapping. My understanding was that confidential
clients made sure that only an authenticated client could obtain an
access token.
What if you throw CORS in the mix where your browser needs the access
token (and the ability to refresh it) to make cross-domain requests?
Doesn't this remove a large benefit of confidential clients?
Anybody know a good document that describes the difference and pros/cons
of public vs. confidential clients beyond the actual OAuth spec itself?
Thanks
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
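One way to enforce the binding the post describes (the authorization code tied to the client_id and redirect_uri that requested it, with client authentication required only for confidential clients), as an added Python example that is not from the post or from any real IdP; the client registry, secrets and redirect URIs are constructed:

```python
# Added example (not from the original post): a minimal authorization-code
# flow where private metadata is stored server-side per code, so a token
# request with a swapped client_id or redirect_uri is rejected.
import hmac
import secrets

# Constructed client registry (assumed shape; not any real IdP's schema).
CLIENTS = {
    "web-backend": {"confidential": True, "secret": "s3cr3t-web",
                    "redirect_uris": {"https://app.example/cb"}},
    "spa":         {"confidential": False, "secret": None,
                    "redirect_uris": {"https://spa.example/cb"}},
}

# code -> metadata recorded at issuance; never sent to the client.
_codes = {}

def issue_code(client_id, redirect_uri):
    """Authorization endpoint side: bind the code to client and redirect_uri."""
    client = CLIENTS[client_id]
    if redirect_uri not in client["redirect_uris"]:
        raise ValueError("unregistered redirect_uri")
    code = secrets.token_urlsafe(32)
    _codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri}
    return code

def exchange_code(code, client_id, redirect_uri, client_secret=None):
    """Token endpoint side: return a token, or raise PermissionError."""
    client = CLIENTS.get(client_id)
    if client is None:
        raise PermissionError("invalid_client")
    # Confidential clients must prove their identity; public clients cannot,
    # so the code binding below is the only thing protecting them.
    if client["confidential"]:
        if client_secret is None or not hmac.compare_digest(
                client_secret, client["secret"]):
            raise PermissionError("invalid_client")
    meta = _codes.pop(code, None)  # single use: consumed on any attempt
    if meta is None:
        raise PermissionError("invalid_grant")
    # Reject client_id swapping and redirect_uri substitution.
    if meta["client_id"] != client_id or meta["redirect_uri"] != redirect_uri:
        raise PermissionError("invalid_grant")
    return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}
```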