On Wed, Jan 7, 2015 at 9:29 AM, Christopher Karlof <[email protected]> wrote:
> We support an implicit grant flow, but it requires being able to create > BrowserID assertions (which requires an FxA auth server session token, > which requires the user’s FxA password at some point). The use case we’re > currently targeting with implicit grants is when the user has logged in to > one of our user agents (Firefox Desktop, Fennec, FxOS, etc) and needs to > access FxA attached APIs (e.g., reading list, profile data, etc.). We’re > not so much focused on supporting general server-less apps yet, > particularly third-party ones. What use case are you trying to address? > > FYI, Here’s the API endpoint in the OAuth server to use implicit grants: > https://github.com/mozilla/fxa-oauth-server/blob/master/docs/api.md#post-v1authorization > Here's some WIP Java (Fennec) code that hits said endpoints, uses the implicit grants, and queries the profile service [1]. I'm polishing it and landing it in the next few weeks. I'm posting this more for a future consumer than Tarek specifically. Nick [1] https://github.com/mozilla-services/android-sync/tree/nalexander/bug-1055264-oauth-and-profile-clients/ > -chris > > P.S. Always cc a list with these kinds of questions, please! > > +dev-fxacct > > > On Wed, Jan 7, 2015 at 2:45 AM, Tarek Ziade <[email protected]> wrote: > >> Hey >> >> I am wondering what's the flow to use for full client-side apps that >> can't safely keep a client_secret >> >> It's called "implicit grant" in OAuth2 >> >> http://tools.ietf.org/html/rfc6749#section-2.1 >> >> But I am not sure what's the exact thing to do with FxA >> >> Thanks! >> Tarek >> > > > _______________________________________________ > Dev-fxacct mailing list > [email protected] > https://mail.mozilla.org/listinfo/dev-fxacct > >
_______________________________________________ Dev-fxacct mailing list [email protected] https://mail.mozilla.org/listinfo/dev-fxacct
