> I don’t believe code flow today with an equivalent token policy as you have 
> with implicit causes any new security issues, and it does correct _some_ 
> problems. The problem is that you immediately want to change token policy to 
> get around hidden iframes and special parameters.

Hidden frames and special params -- are those really the main concerns with 
implicit? Those are just different mechanics to do the same thing. IMO, iframes 
are just another way to "do" HTTP, albeit clumsier and more effort than 
XMLHttpRequest. And in my experience, prompt=none is easily done and well 
supported. Perhaps my perspective is skewed.

I thought the access token being sent in the URL is a bigger concern, and 
that's why code+PKCE is a better approach.

-Brock
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
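The contrast Brock draws (access token in the URL with implicit, versus an opaque one-time code plus PKCE), shown as an added worked example. This is not code from the post or from any IETF specification; the `ToyAuthorizationServer` class, the client id `app`, the redirect URI `https://app.example/cb` and the helper names are constructed for illustration. The S256 challenge derivation follows RFC 7636, and the test vector in the test is the one from that RFC's appendix.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# ---- client side (RFC 7636 PKCE) -------------------------------------------

def make_code_verifier(n_bytes: int = 32) -> str:
    """code_verifier: high-entropy, base64url, no padding (43 chars for 32 bytes)."""
    return base64.urlsafe_b64encode(secrets.token_bytes(n_bytes)).rstrip(b"=").decode("ascii")


def s256_challenge(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier))), padding stripped."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def code_from_redirect(url: str) -> str:
    """Pull the authorization code out of the redirect back to the client."""
    return parse_qs(urlparse(url).query)["code"][0]


# ---- constructed stand-in for an authorization server -----------------------

class ToyAuthorizationServer:
    """Hypothetical AS: issues one-time codes bound to a PKCE challenge."""

    def __init__(self) -> None:
        self._pending = {}      # code -> (client_id, redirect_uri, code_challenge)
        self._redeemed = set()  # codes that have already been used (replay guard)

    def authorize(self, client_id: str, redirect_uri: str,
                  code_challenge: str, state: str,
                  code_challenge_method: str = "S256") -> str:
        if code_challenge_method != "S256":
            raise ValueError("only S256 is accepted")  # 'plain' gives no protection
        code = secrets.token_urlsafe(32)
        self._pending[code] = (client_id, redirect_uri, code_challenge)
        # Code flow: only an opaque, one-time code crosses the browser in the URL.
        return redirect_uri + "?" + urlencode({"code": code, "state": state})

    def token(self, code: str, code_verifier: str,
              client_id: str, redirect_uri: str) -> dict:
        if code in self._redeemed or code not in self._pending:
            raise PermissionError("invalid_grant: unknown or already-used code")
        # Burn the code on first use, whether or not the exchange succeeds.
        stored_client, stored_redirect, stored_challenge = self._pending.pop(code)
        self._redeemed.add(code)
        if (stored_client, stored_redirect) != (client_id, redirect_uri):
            raise PermissionError("invalid_grant: client_id/redirect_uri mismatch")
        if not secrets.compare_digest(s256_challenge(code_verifier), stored_challenge):
            raise PermissionError("invalid_grant: PKCE verification failed")
        # The bearer token only ever travels over the back-channel token response.
        return {"access_token": secrets.token_urlsafe(32),
                "token_type": "Bearer", "expires_in": 3600}


def implicit_redirect(redirect_uri: str, access_token: str) -> str:
    """What the implicit grant puts in the browser URL: the bearer token itself."""
    return redirect_uri + "#" + urlencode({"access_token": access_token,
                                           "token_type": "Bearer"})


def run_code_flow(server: ToyAuthorizationServer, client_id: str,
                  redirect_uri: str) -> dict:
    """Full client-side round trip: verifier -> challenge -> code -> token."""
    verifier = make_code_verifier()
    url = server.authorize(client_id, redirect_uri, s256_challenge(verifier), state="xyz")
    code = code_from_redirect(url)
    return server.token(code, verifier, client_id, redirect_uri)


if __name__ == "__main__":
    srv = ToyAuthorizationServer()
    print(run_code_flow(srv, "app", "https://app.example/cb"))
    print(implicit_redirect("https://app.example/cb", "SAMPLE-TOKEN"))
```

The redirect URL in the code flow carries nothing an observer of browser history, referrers or proxy logs can use directly: the code is single-use and cannot be exchanged without the verifier that never left the client. The implicit redirect, by contrast, carries the bearer token itself in the fragment.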