I'm surprised that this is OK. Why is this safe or a best practice?
/The Application Server can store the access token either server-side, /
/or in the cookie itself./
What are appropriate browser APIs? (Maybe providing some guidance or a
hint regarding this?)
/The JavaScript app is then responsible for storing the access token /
/(and optional refresh token) securely using appropriate browser APIs./
Can the access token be included in the various (all) available transport
methods? Query string, Header, Post, etc.
/When the JavaScript application in the browser wants to make a request
to the Resource Server, it can include the access token in the request
(D) and make the request directly./
Thanks,
--
-----
Jared L Jennings
816.678.4152
Skype: jaredljennings
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth