I agree with Marius' points. We plan to support the auth-code flow for native apps as well. There is no reason why native apps can't perform a successful auth-code flow; they just do so without client credentials. However, the spec doesn't make it clear that this is a viable option.
skylar

On Apr 4, 2011, at 2:29 PM, Marius Scurtescu wrote:

> On Mon, Apr 4, 2011 at 10:47 AM, Kris Selden <kris.sel...@gmail.com> wrote:
>> A typical iPhone app cannot be shipped with a client secret and rightly or
>> wrongly users expect to only have to enter their credentials once.
>>
>> What is the best profile to use for an app that can't have a client secret
>> and needs a refresh token or a long lived access token?
>
> The authorization code grant, aka web server flow.
>
> The spec is misleading in this respect IMO.
>
> Marius
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth