Hi, I read the OAuth2 draft and I still have lots of doubts regarding security when talking about the User-Agent Profile. I can't really understand how steps D, E and F work. Once I get the access_token in the fragment, what happens then? How can I prevent a malicious user from checking the source of my user-agent app, getting the app-id and repeating the same steps from his own application somewhere else?
Thanks! Jonathan
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
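As an added illustration of steps E and F the question refers to (not part of Jonathan's message or of the draft's text): the script the client serves at its redirect URI pulls the access token out of the fragment, and it only trusts a fragment that arrived at the exact registered redirect URI, which is what limits the usefulness of a copied client id. The registered redirect URI and the state value are assumed inputs.

```javascript
// Added example: client-side handling of the user-agent (implicit) profile redirect.
// Assumptions (not from the original message): the client registered exactly one
// redirect URI with the authorization server, and it sent a "state" value it can
// compare against the one echoed back in the fragment.

function parseFragmentToken(redirectedUrl, registeredRedirectUri) {
  const landed = new URL(redirectedUrl);
  const registered = new URL(registeredRedirectUri);

  // Only honour a fragment delivered to the registered location (scheme, host,
  // port and path). A third party who copies the client id out of our script can
  // still only make the authorization server redirect tokens to *this* URI, not
  // to a page under their control.
  if (landed.origin !== registered.origin || landed.pathname !== registered.pathname) {
    return null;
  }

  // Step F: the token never reaches the server; it lives only in the fragment.
  const fragment = landed.hash.startsWith("#") ? landed.hash.slice(1) : "";
  const params = new URLSearchParams(fragment);
  const accessToken = params.get("access_token");
  if (!accessToken) return null; // e.g. token sent in the query instead of the fragment

  const expires = params.get("expires_in");
  return {
    accessToken,
    tokenType: params.get("token_type"),
    expiresIn: expires === null ? null : Number(expires),
    state: params.get("state"),
  };
}

// Accept the token only when the echoed state matches the one this client issued,
// so a token injected through a forged redirect is discarded.
function acceptToken(parsed, expectedState) {
  if (!parsed || parsed.state !== expectedState) return null;
  return parsed.accessToken;
}

// Constructed sample redirect, as the browser would see it after step D.
const SAMPLE_REDIRECT =
  "https://app.example/cb#access_token=tok-abc123&token_type=bearer&expires_in=3600&state=s1";
```

In a real page the script would also clear the fragment (for instance via `history.replaceState`) once the token is stored, so it does not leak through later navigation or bookmarks.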