A few of us from Google & Facebook had a face-to-face discussion today to talk through the differences / similarities between Native App, Web Callback, and User-Agent.
From the discussion it seemed that the current Native Application flow is equivalent to the Web Callback flow, with:

1. A redirect to an endpoint that shows the verification code in the title of the page (http://www.yoursite.com/showtitle.html; the page content takes the verification code and inserts it into the title of the HTML page), and
2. No client secret.

It also seemed there were reasons why native app developers might prefer using the User-Agent flow over Web Callback, and vice versa. The Device flow is also an option.

This seemed to be an opportunity to simplify the spec by removing the Native App flow. A proposal:

- Remove Native App flow
- Make client secret optional in Web Callback flow
- Add text to the spec to give an overview of options for native app developers
- Document the "show verification code in title" technique in the best practices doc

Evan

On Fri, Apr 16, 2010 at 2:08 AM, Mark Mcgloin <mark.mcgl...@ie.ibm.com> wrote:
> My point though is why remove the Native app flow and then replace it with something that relies on having to warn the user about possible phishing attacks in your UI, like FlickR does. I would find it difficult to get that approved here in IBM.
>
> I must look again at Luke Sheppard's suggestion for combining Native app flow with UA flow as that seems a better solution.
>
> Mark
>
> On 15/04/2010 18:15, Marius Scurtescu <mscurte...@google.com> wrote:
>
> >> What is the benefit in combining Native flow and Device flow and then having to expend effort preventing any ingenious phishing attacks?
>
> > The main issue with the Native flow is how the client is getting hold of the verification code. There are several solutions for that (embedded browser, custom scheme and handler app, launching browser process and checking window title), but all are hackish.
>
> > The Device flow relies on the client polling the authz server and retrieving the tokens directly. This closes the loop nicely.
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
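The "show verification code in title" technique that the proposal above asks to document, written out as an added example of both halves of the exchange: the logic of the showtitle.html page that the authorization server redirects to, and the title-matching step the native app performs after launching the browser. This is illustration code added here, not code from the thread, from any of the participants, or from an OAuth draft. It assumes (none of this is stated in the thread) that the server returns the verification code in a query parameter named `code` and a denial in a parameter named `error`, and that the page and the app agree on the fixed title prefix `Authorization code:`; the page URL is the one quoted in the thread.

```javascript
// Added example of the "verification code in the window title" technique.
// Assumptions (not from the thread): query parameter names "code" and "error",
// and the title formats below, which page and native app must agree on.

// Only accept the characters a code is expected to contain. The title is shown
// by the browser chrome and read back by the app, so reject anything odd rather
// than putting it in the title.
const CODE_RE = /^[A-Za-z0-9._~-]+$/;
const TITLE_PREFIX = 'Authorization code: ';
const TITLE_RE = new RegExp('^' + TITLE_PREFIX + '([A-Za-z0-9._~-]+)$');

// Page side: compute the window title for the URL the server redirected to.
// Returns a string; never throws, so a malformed redirect still yields a title
// the app can recognise as a failure.
function titleForRedirect(redirectUrl) {
  let params;
  try {
    params = new URL(redirectUrl).searchParams;
  } catch (e) {
    return 'Authorization failed: bad_redirect';
  }
  const error = params.get('error');
  if (error) {
    return 'Authorization failed: ' + error;
  }
  const code = params.get('code');
  if (!code || !CODE_RE.test(code)) {
    return 'Authorization failed: missing_code';
  }
  return TITLE_PREFIX + code;
}

// App side: given the title of the browser window the app launched, return the
// verification code, or null if the title is not a success title.
function codeFromTitle(title) {
  const m = TITLE_RE.exec(title || '');
  return m ? m[1] : null;
}

// App side: pick the first matching code out of the titles of all open
// browser windows (the app normally cannot tell which window is its own).
function codeFromWindowTitles(titles) {
  for (const t of titles) {
    const code = codeFromTitle(t);
    if (code !== null) return code;
  }
  return null;
}

// When loaded as showtitle.html in a browser, set the title on load. Guarded so
// the same file can be loaded outside a browser for testing.
if (typeof document !== 'undefined' && typeof window !== 'undefined') {
  document.title = titleForRedirect(window.location.href);
}
```

The page deliberately returns a distinct failure title for every bad input so that the app's poll loop terminates on denial or a broken redirect instead of waiting for a code that will never arrive. Keep the title short: window managers truncate long titles, and the code is the last thing in it. The title is also visible to any other process that can enumerate windows in the user's session, which is one reason the thread calls this approach hackish; the Device flow's direct poll of the authorization server avoids that channel entirely.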