On Wed, Feb 16, 2011 at 12:28 PM, Eran Hammer-Lahav <e...@hueniverse.com> wrote:
> The reason why we don't return a refresh token in the implicit grant is 
> exactly because there is no client authentication...

Not sure that's the main reason. AFAIK it is because the response is
sent through the user-agent and it could leak.


> These are all well-balanced flows with specific security properties. If you 
> need something else, even if it is just a tweak, it must be considered a 
> different flow. That doesn't mean you need to register a new grant type, just 
> that you are dealing with different implementation details unique to your 
> server.

The Authorization Code flow, with no client secret, is perfectly fine
for Native Apps IMO.

Marius
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
