Hello *,

I recall implementing an early draft of this flow a few years ago for a
client landscape composed primarily of older set-top boxes, old and new TV
models of various brands (LG, Samsung, Sony) and also HbbTV standards 1.5
and 2.0.

I remember having to set up CORS on both the device authorization and token
endpoints (unheard of at the time!) for the sake of these clients.

The reason they required CORS is that these were implemented using, mostly
proprietary, XHTML/HTML5 based sandboxes running on those devices. The APIs
developers were given were JavaScript ones, more specifically the HTTP
client was obviously XMLHttpRequest and the whole app when being developed
was debugged in a regular browser.

Since the specification does not mention CORS anywhere I wonder if
a) I was deceived by our business partners to think this was a generic
problem of these client types and not just developers being lazy to turn
off CORS when debugging,
b) this was corrected or
c) it's still happening and no one has brought it up

What are your experiences with CORS setup on the device authorization and
token endpoints in relation to device flow for Smart TV, set-top boxes and
HbbTV stream apps (excluding tvOS and AndroidTV)?

Best,
*Filip*
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
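
As an added illustration (not part of the original message and not taken from the specification), this is one way a server could answer CORS on the device authorization and token endpoints for an XMLHttpRequest-based client. The endpoint paths, the origin `https://tvapp.example` and the function name `corsDecision` are assumptions.

```javascript
// Added example. Endpoint paths and the origin allowlist are assumptions.
const CORS_PATHS = new Set(["/device_authorization", "/token"]);
const ALLOWED_ORIGINS = new Set(["https://tvapp.example"]); // constructed value
const ALLOWED_REQ_HEADERS = new Set(["authorization", "content-type"]);

// req: { method, path, headers } with lower-cased header names.
// Returns { status, headers }. A null status means "continue to the endpoint
// handler and attach these headers to its response".
function corsDecision(req) {
  const origin = req.headers["origin"];
  if (origin === undefined) return { status: null, headers: {} }; // non-browser client
  const isPreflight = req.method === "OPTIONS" &&
    req.headers["access-control-request-method"] !== undefined;
  // Exact-match allowlist. "null" is never accepted: any sandboxed document
  // can present it, so it identifies nobody.
  if (!CORS_PATHS.has(req.path) || !ALLOWED_ORIGINS.has(origin)) {
    // No Access-Control-* headers: the browser refuses to expose the response.
    return { status: isPreflight ? 403 : null, headers: { Vary: "Origin" } };
  }
  const headers = { "Access-Control-Allow-Origin": origin, Vary: "Origin" };
  // A form-encoded POST without extra headers is a "simple" request and
  // arrives with no preflight, so only the header above is needed.
  if (!isPreflight) return { status: null, headers };
  // A preflight appears once the client adds a non-safelisted header, e.g.
  // Authorization for HTTP Basic client authentication.
  const wanted = (req.headers["access-control-request-headers"] || "")
    .split(",").map((h) => h.trim().toLowerCase()).filter(Boolean);
  const methodOk = req.headers["access-control-request-method"] === "POST";
  if (!methodOk || !wanted.every((h) => ALLOWED_REQ_HEADERS.has(h))) {
    return { status: 403, headers: { Vary: "Origin" } };
  }
  headers["Access-Control-Allow-Methods"] = "POST";
  if (wanted.length > 0) headers["Access-Control-Allow-Headers"] = wanted.join(", ");
  headers["Access-Control-Max-Age"] = "600";
  // Access-Control-Allow-Credentials is deliberately absent: neither endpoint
  // relies on cookies.
  return { status: 204, headers };
}
```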