On Jul 3, 2010, at 3:19 AM, Torsten Lodderstedt wrote:

> Is something as the user agent flow used in the wild today? What security
> means are used there?

Yes. Facebook has shipped it: http://developers.facebook.com/docs/authentication/desktop

We require either pre-registration of the callback URL, or that the app uses a standard redirect URL on Facebook.com (which could only be used by a desktop app).

> I wonder why we do not drop the user agent flow from the spec because of
> security reasons. From my point of view, the web flow could be used to
> achieve a similar behavior except the JavaScript client could not directly
> obtain its access tokens.

Correct. The main purpose of the user-agent flow is to allow a Javascript client to obtain an access token without requiring the presence of a secret, or a server. There are cases when you have an app without a server component, and you don't want to require a secret key (which can be revealed).

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
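As an added example (not code from the thread, from Facebook, or from the OAuth draft), the snippet below shows how an authorization server can enforce the two callback rules the reply describes: the redirect URI must exactly match one pre-registered for the client, or it must be the provider's own fixed redirect page for apps with no server. The client registry, the client ids, the `STANDARD_REDIRECT_URL` value and the https-only requirement are all assumptions made for the example; the access token being returned in the URL fragment follows the draft user-agent flow.

```python
"""Redirect URI validation for an OAuth user-agent (implicit) flow.

Two ways a client may be allowed to receive the token, as in the thread:
  1. an exact pre-registered callback URL, or
  2. a single provider-hosted redirect URL (for apps without a server).
All client records, ids and URLs below are constructed for this example.
"""
from typing import Optional
from urllib.parse import urlsplit, urlencode

# Placeholder for the provider's own redirect page; the real URL used by
# Facebook is not given in the thread, so this value is an assumption.
STANDARD_REDIRECT_URL = "https://provider.example/oauth/desktop_redirect"

# Constructed registry: client_id -> set of exact, pre-registered callback URLs.
# An empty set means the client registered nothing and must use the standard URL.
CLIENT_REGISTRY = {
    "client-web-1": {"https://app.example/oauth/cb"},
    "client-desktop-1": set(),
}


def well_formed(uri: str) -> bool:
    """Basic shape check: https only (assumed policy), no fragment, has a host.

    The fragment is rejected because the user-agent flow places the
    access token there; a client-supplied fragment would collide with it.
    """
    parts = urlsplit(uri)
    if parts.scheme != "https" or not parts.netloc:
        return False
    if parts.fragment:
        return False
    return True


def is_allowed_redirect(client_id: str, redirect_uri: str) -> bool:
    """Allow only an exact registered URI or the provider's standard URL.

    Exact string comparison is deliberate: prefix or host-suffix matching
    would let a lookalike host or a path traversal receive the token.
    """
    if not well_formed(redirect_uri):
        return False
    registered = CLIENT_REGISTRY.get(client_id)
    if registered is None:
        return False  # unknown client
    if redirect_uri in registered:
        return True
    return redirect_uri == STANDARD_REDIRECT_URL


def build_authorization_response(client_id: str, redirect_uri: str,
                                 access_token: str) -> Optional[str]:
    """Return the redirect target with the token in the fragment, or None.

    Putting the token in the fragment means the browser does not send it to
    the server hosting redirect_uri; only the page's JavaScript can read it.
    """
    if not is_allowed_redirect(client_id, redirect_uri):
        return None
    return redirect_uri + "#" + urlencode({"access_token": access_token})


if __name__ == "__main__":
    print(build_authorization_response("client-web-1",
                                       "https://app.example/oauth/cb", "tok123"))
    print(build_authorization_response("client-desktop-1",
                                       STANDARD_REDIRECT_URL, "tok456"))
    print(build_authorization_response("client-desktop-1",
                                       "https://app.example/oauth/cb", "tok789"))
```

The registry lookup is keyed on the client id alone; no client secret is involved, which is the point of the user-agent flow. All the protection therefore rests on where the token is allowed to be delivered, so the comparison is exact rather than prefix-based.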