> Going from Implicit to Code deals with the problem of sending RT in the URL,
> which I agree is a plus. Is there anything else in the way of an improvement?
As far as I can tell, that's the only additional security feature (beyond what we already use for mitigations today) that code flow adds. That's why I was hoping for the proposed BCP to explicitly point this out, which means all the other mitigations and guidance in the document are valid and useful for implicit flow.

-Brock
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth