On Tue, Jul 13, 2010 at 2:06 PM, Eran Hammer-Lahav <e...@hueniverse.com> wrote:
> This looks reasonable, however, I no longer see the value in the
> hybrid mode of token and code. If the code is passed in the fragment, the
> client has to pass it to the server. If that is the case, why can't the
> server reply back with the access token? Is the entire purpose just a
> performance optimization so the client doesn't have to wait for the server
> response before it has an access token?
>

I think there are two use cases here, and they are not mutually exclusive. Some apps are mostly just server side, and would end up doing a full page refresh, and here the code in the query param would probably be acceptable. Some apps are mostly just client side, and here the code is irrelevant and the access token in the fragment is all that matters.

But we also have hybrids where we want the code in a cookie/JS callback, and we'll also use the access token on the client to dynamically update the UI by accessing some protected data (this is what the Data enabled XFBML tags do in the Facebook JS SDK, for instance). While the server can do the code to access_token exchange, it can't return it to the JS safely if it does not support https. Even if it did, it would mean more overhead for the developer to build an endpoint that does this work and cooperates with a JS SDK which wants the access_token for making API calls.

-Naitik
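The hybrid case Naitik describes, written out as an added example (not code from the thread, the draft, or the Facebook JS SDK it mentions): the authorization server puts both a code and an access token in the redirect URI fragment, the fragment never reaches the server as part of the HTTP request, so the page's script has to extract the code and hand it to the server itself while keeping the access token for its own API calls. The parameter names access_token, code and state, the state comparison, and the server endpoint path "/oauth/code" are assumptions of this example, not something the message specifies.

```javascript
// Added example, not code from the OAuth list thread or any SDK it mentions.
// Demonstrates the client side of the hybrid response: split the fragment
// into the access token the browser keeps and the code it forwards.
// Assumptions (not in the original message): parameter names access_token,
// code and state, and a hypothetical server endpoint path "/oauth/code".

// Parse "#a=1&b=2" into a plain object with no prototype, so keys coming
// from the redirect cannot collide with Object.prototype members.
function parseFragment(fragment) {
  const raw = fragment.startsWith("#") ? fragment.slice(1) : fragment;
  const params = new URLSearchParams(raw);
  const out = Object.create(null);
  for (const [k, v] of params) out[k] = v;
  return out;
}

// Split a hybrid response into the part the browser keeps and the part it
// forwards. The state value is compared with the one the client generated
// before redirecting, so a response that was not issued for this session is
// rejected (assumed CSRF protection, not something the message discusses).
function splitHybridResponse(fragment, expectedState) {
  const p = parseFragment(fragment);
  if (!p.state || p.state !== expectedState) {
    throw new Error("state mismatch: response was not issued for this client session");
  }
  if (!p.access_token || !p.code) {
    throw new Error("hybrid response must carry both access_token and code");
  }
  return {
    // kept in memory by the JS SDK for client-side API calls
    forClient: { access_token: p.access_token },
    // forwarded to the server; the access token is deliberately left out so
    // it never crosses a possibly plain-HTTP connection to our own server
    forServer: { code: p.code },
  };
}

// Build the request that hands the code to the server-side endpoint.
// Returned as a description rather than sent, so it can be inspected offline.
function buildCodeHandoff(split, endpoint = "/oauth/code") {
  return {
    method: "POST",
    url: endpoint,
    headers: { "Content-Type": "application/x-www-form-urlencoded" },
    body: new URLSearchParams({ code: split.forServer.code }).toString(),
  };
}

// Constructed sample fragment; the values are placeholders, not real tokens.
const SAMPLE_FRAGMENT = "#access_token=tok_example&code=code_example&state=s1";

// Run the whole flow on the sample: returns the handoff request description.
function demo() {
  const split = splitHybridResponse(SAMPLE_FRAGMENT, "s1");
  return buildCodeHandoff(split);
}
```

In a browser, `fragment` would be `window.location.hash` and the handoff would be an XHR to the server's callback endpoint; the point the example makes is that the server only ever sees the code, and the token stays in the page where the JS SDK uses it.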
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth