You may want to note that RFC 6749 itself recommends against embedded user-agents for
security reasons:
    An embedded user-agent poses a security challenge because resource
    owners are authenticating in an unidentified window without access
    to the visual protections found in most external user-agents. An
    embedded user-agent educates end-users to trust unidentified
    requests for authentication (making phishing attacks easier to
    execute).

However, 6749 did not explicitly mention that for 3rd party OAuth Apps using an embedded user agent the 3rd party gets access to the password, defeating one of the main goals of OAuth in keeping the password/credential out of the hands of the client. This document makes that clearer.

John B.

> On Mar 6, 2017, at 1:00 PM, Hannes Tschofenig <[email protected]> wrote:
>
> Here is the shepherd write-up:
> https://github.com/hannestschofenig/tschofenig-ids/blob/master/shepherd-writeups/Writeup_OAuth_NativeApps.txt
>
> Feedback appreciated. I will also do another shepherd review.
>
> Ciao
> Hannes
>
> _______________________________________________
> OAuth mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/oauth
