I think there are a few open issues around Native App support. While all flows can be used by native apps, I am referring only to the ones that involve a browser:

- web server
- user-agent
- device

For the web server flow to support native apps we need to clarify:

- un-registered clients, I think this is supported, just double checking
- optional redirect_uri, if missing then the authorization server should present a default result page, see next
- standard way to add verification code and state to window title when authz server uses default result page

For the device flow to support native apps:

- require authorization servers to accept GET requests to verification_uri with user_code added as a query parameter using "user_code" as parameter name

The user-agent flow I think works as is, but it has several limitations, I can get into details. The only advantage over web server is the fact that it does not need a direct call to swap the verification code, minor IMO. I would suggest that the spec does not recommend this flow to be used with native apps.

Marius