Given these questions, I am wondering: why does the Implicit Grant flow NOT 
have an authorization code step?  Having one would keep the architecture of AS and 
TS clearly separate.

One downside is that the issuing of access/refresh tokens would now have to be 
opened from MUST authenticate the client to SHOULD.

What was the original case for this flow?  That should point us to why there is a 
separate flow and whether refresh makes sense given the higher risks of the 
implicit flow.

Phil
phil.h...@oracle.com
On 2011-02-28, at 2:58 PM, Marius Scurtescu wrote:

> On Mon, Feb 28, 2011 at 12:16 PM, Igor Faynberg
> <igor.faynb...@alcatel-lucent.com> wrote:
>> +1
>> 
>> Igor
>> 
>> Torsten Lodderstedt wrote:
>>> 
>>> ...
>>> 
>>> I'm in favour of adding the refresh token parameter to the implicit grant
>>> flow as it would make it more usable for native apps.
> 
> I think it is much safer to go with refresh tokens only sent
> indirectly through an authorization code swap.
> 
> Implicit grant with refresh token also has no client secret swap and
> makes things worse by passing the refresh token through the browser.
> 
> Marius
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
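To make the point of the exchange above concrete, here is an added example (not code from any of the posters, and not from any OAuth implementation) that models both front-channel grants with a small in-memory authorization server. The client IDs, secrets and redirect URIs are constructed. It shows that, with the proposed refresh_token parameter, the implicit grant places the refresh token in the redirect fragment, i.e. it passes through the browser, whereas the authorization code grant only releases it from the back-channel token endpoint after the client has authenticated and the single-use code has been checked against the client and redirect URI it was issued to. The public "js-app" client, which has no secret to present, illustrates the MUST-to-SHOULD relaxation Phil mentions.

```python
"""Where does the refresh token travel?  Toy model of the two OAuth 2.0
front-channel grants discussed in the thread.  Added example; all client
names, secrets and URIs are constructed."""
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs


class AuthorizationServer:
    """In-memory AS: clients, codes and tokens live in dicts."""

    def __init__(self):
        # constructed registrations: a confidential client with a secret and
        # a public (browser/native) client that has none
        self.clients = {
            "web-app": {"secret": "s3cret", "redirect_uri": "https://app.example/cb"},
            "js-app": {"secret": None, "redirect_uri": "https://js.example/cb"},
        }
        self.codes = {}    # code -> (client_id, redirect_uri)
        self.tokens = {}   # access token -> client_id
        self.refresh = {}  # refresh token -> client_id

    def _issue(self, client_id, with_refresh):
        at = secrets.token_urlsafe(16)
        self.tokens[at] = client_id
        rt = None
        if with_refresh:
            rt = secrets.token_urlsafe(16)
            self.refresh[rt] = client_id
        return at, rt

    def authorize_implicit(self, client_id, with_refresh=False):
        """Implicit grant: tokens go straight into the redirect fragment, so
        they pass through the user agent.  with_refresh models the proposal
        to add a refresh_token parameter to this response."""
        client = self.clients[client_id]
        at, rt = self._issue(client_id, with_refresh)
        params = {"access_token": at, "token_type": "bearer"}
        if rt is not None:
            params["refresh_token"] = rt
        return client["redirect_uri"] + "#" + urlencode(params)

    def authorize_code(self, client_id):
        """Authorization code grant, step 1: only a short-lived, single-use
        code travels through the browser."""
        client = self.clients[client_id]
        code = secrets.token_urlsafe(12)
        self.codes[code] = (client_id, client["redirect_uri"])
        return client["redirect_uri"] + "?" + urlencode({"code": code})

    def token(self, code, client_id, client_secret, redirect_uri):
        """Step 2: back-channel swap at the token endpoint.  The code is
        consumed on first use (a failed attempt burns it), must match the
        client and redirect_uri it was issued to, and a confidential client
        MUST present its secret.  A public client (secret None) cannot, which
        is the MUST-to-SHOULD relaxation discussed in the thread."""
        entry = self.codes.pop(code, None)
        if entry is None:
            raise PermissionError("invalid or already used code")
        owner, bound_uri = entry
        client = self.clients.get(client_id)
        if client is None or owner != client_id or bound_uri != redirect_uri:
            raise PermissionError("code not issued to this client/redirect_uri")
        if client["secret"] is not None and client_secret != client["secret"]:
            raise PermissionError("client authentication failed")
        at, rt = self._issue(client_id, with_refresh=True)
        # returned in the HTTPS response body, never in a URL the browser sees
        return {"access_token": at, "refresh_token": rt, "token_type": "bearer"}


def extract_code(redirect_url):
    """Pull the authorization code out of a step-1 redirect URL."""
    return parse_qs(urlsplit(redirect_url).query)["code"][0]


def refresh_token_in_browser(redirect_url):
    """True if a refresh_token is visible in the redirect URL, i.e. to the
    browser, its history and anything that reads the URL."""
    parts = urlsplit(redirect_url)
    seen = parse_qs(parts.fragment)
    seen.update(parse_qs(parts.query))
    return "refresh_token" in seen


def demo():
    srv = AuthorizationServer()
    implicit_url = srv.authorize_implicit("js-app", with_refresh=True)
    code_url = srv.authorize_code("web-app")
    tokens = srv.token(extract_code(code_url), "web-app", "s3cret",
                       "https://app.example/cb")
    return {
        "implicit_exposes_refresh": refresh_token_in_browser(implicit_url),
        "code_url_exposes_refresh": refresh_token_in_browser(code_url),
        "back_channel_has_refresh": "refresh_token" in tokens,
    }


if __name__ == "__main__":
    print(demo())
```

Running demo() reports the refresh token as visible in the browser only for the implicit variant; in the code grant it appears solely in the token endpoint's response. The model also enforces what the code swap buys: a code presented with the wrong secret, or presented twice, is rejected, which is exactly the check the implicit grant has no place to perform.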
