On Jul 3, 2010, at 3:19 AM, Torsten Lodderstedt wrote:

> Is something as the user agent flow used in the wild today? What security 
> means are used there?

Yes. Facebook has shipped it: 
http://developers.facebook.com/docs/authentication/desktop

We require either pre-registration of the callback URL, or that the app uses a 
standard redirect URL on Facebook.com (which could only be used by a desktop 
app).

> I wonder why we do not drop the user agent flow from the spec because of 
> security reasons. From my point of view, the web flow could be used to 
> achieve a similar behavior except the JavaScript client could not directly 
> obtain its access tokens.

Correct. The main purpose of the user-agent flow is to allow a JavaScript 
client to obtain an access token without requiring the presence of a secret, or 
a server.

There are cases where you have an app without a server component, and you don't 
want to require a secret key (which can be revealed).


_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth