The only difference I see is the code in the fragment will not show up
in HTTP referers.
On 11.01.2011 22:21, Eran Hammer-Lahav wrote:
But that's just an annoying implementation detail. If the only difference now
between the hybrid and web server flows is one character ('?' vs '#'), and all
the other security considerations and rules (matching, registration, etc.) are
the same, I don't see any point in going back to -05 structure. Otherwise, we
have exactly the same section repeating twice or three times, with almost no
differences (which actually makes it harder to pick).
EHL
-----Original Message-----
From: Brian Eaton [mailto:bea...@google.com]
Sent: Tuesday, January 11, 2011 12:49 PM
To: Eran Hammer-Lahav
Cc: OAuth WG
Subject: Re: [OAUTH-WG] Proposal to drop/relocate
response_type=code_and_token
On Tue, Jan 11, 2011 at 12:45 PM, Eran Hammer-Lahav
<e...@hueniverse.com> wrote:
The exact same argument can be made that the hybrid flow meets all the
use cases of the web-server flow... which means we can keep the
current single flow specification as is... :-)
What am I missing? (I'm asking).
The hybrid flow does not work well for applications that consist mainly of
server-side code. The URL fragment is not transferred to the web server, so
they have to write extra client-side code to send it up to their server.
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
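
The '?' versus '#' difference discussed in this thread, as an added example that is not part of the original messages: it computes what the client's web server receives, what a full-URL Referer would carry, and where the code can be read for each redirect style. The host `client.example`, the path `/cb` and the parameter values are constructed for illustration.

```javascript
// Constructed redirect URLs: same parameters, one in the query, one in the fragment.
const WEB_SERVER_REDIRECT = 'https://client.example/cb?code=SAMPLE_CODE&state=xyz';
const HYBRID_REDIRECT = 'https://client.example/cb#code=SAMPLE_CODE&state=xyz';

// Request target the browser sends to the client's web server:
// path plus query. The fragment never leaves the browser.
function requestTarget(redirectUrl) {
  const u = new URL(redirectUrl);
  return u.pathname + u.search;
}

// Referer value for a later request made from that page, assuming a policy
// that sends the full URL (e.g. no-referrer-when-downgrade). Browsers strip
// the fragment and any userinfo before sending it.
function refererValue(pageUrl) {
  const u = new URL(pageUrl);
  u.hash = '';
  u.username = '';
  u.password = '';
  return u.href;
}

// Server-side code can only read the query string.
function codeSeenByServer(redirectUrl) {
  return new URL(redirectUrl).searchParams.get('code');
}

// Script running in the page is the only thing that can read the fragment;
// it then has to send the value up to the server itself.
function codeSeenByPageScript(redirectUrl) {
  const fragment = new URL(redirectUrl).hash.replace(/^#/, '');
  return new URLSearchParams(fragment).get('code');
}

for (const url of [WEB_SERVER_REDIRECT, HYBRID_REDIRECT]) {
  console.log({
    url,
    requestTarget: requestTarget(url),
    referer: refererValue(url),
    server: codeSeenByServer(url),
    pageScript: codeSeenByPageScript(url),
  });
}
```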