A typical iPhone app cannot be shipped with a client secret and rightly or wrongly users expect to only have to enter their credentials once.
What is the best profile to use for an app that can't have a client secret and needs a refresh token or a long-lived access token? Why doesn't implicit_grant have a refresh_token? I would think a non-expiring access_token like FB offline_access would be a worse option since it is transmitted to more end points. A lot of FB Connect sites request offline_access when you connect, like Foursquare, Quora, and Gowalla for example.

On Mar 31, 2011, at 6:00 PM, Marius Scurtescu wrote:

> On Thu, Mar 31, 2011 at 4:56 PM, Phil Hunt <phil.h...@oracle.com> wrote:
>> Done.
>>
>> It isn't quite what the flow shows in the earlier diagram. I was originally
>> avoiding client type and trying to focus on section 4 options.
>>
>> But this should be a better diagram.
>>
>> http://independentidentity.blogspot.com/2011/03/oauth-flows-extended.html
>
> A native app with no client secret is still advised to use the
> implicit grant, which is wrong IMO.
>
> The right question I think is "does the client need long term offline access"?
>
> JavaScript clients typically don't need offline access (only with the
> user at the browser). Some native apps and web apps could be OK with a
> short term offline access, one off import for example.
>
> Marius
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth