>> Luke Shepard also indicated in his posting
>> http://www.ietf.org/mail-archive/web/oauth/current/msg03509.html that
>> Facebook supports the user agent flow for desktop applications. Facebook's
>> iOS SDK seems to use the same technique for mobile apps.
>
> Yes, Facebook is recommending the User-Agent flow for desktop
> applications. This works for them because access tokens issued by
> Facebook are not short lived, I don't think they expire. The desktop
> app does not need a refresh token.
>
> If the authz server is issuing short lived access tokens and also
> refresh tokens then the user-agent profile does not work so well
> anymore. As far as I can tell in this case there is no reason to use
> this profile with desktop apps, just use the web server profile.
>

That's true. Although code_and_token is intended to solve that - you get the access token in the response, and then you can use the code to exchange for a refresh token on the server side if you need longer term access. There's no reason for a user agent to ever have a refresh token (since the performance optimization doesn't make sense when you are refreshing after an expiration period).

> Marius
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth